What is data protection legislation?
Data protection legislation is made up of the UK General Data Protection Regulation and the Data Protection Act 2018. Those laws provide the rules under which organisations like NHS Grampian can use your personal data and the safeguards we must put in place. You also have certain rights in respect of your data, however please note that not all rights apply in all circumstances. The Information Commissioner's Office (the data protection regulator) provides lots of helpful information about data protection and your rights online at: https://ico.org.uk/for-the-public/.
Data protection legislation has seven key principles:
- Lawfulness, fairness and transparency - Tell people what we use their information for, and that we take special care with sensitive information
- Purpose Limitation - Make sure that information is only used and shown to others for the reason it was collected
- Data minimisation - Only keep the information that is required. Do not keep extra information that is not needed
- Accuracy - Update information to make sure it is always correct
- Storage Limitation - Only keep the information for as long as it is needed
- Integrity and confidentiality (security) - Make sure that the information is kept safely so that it cannot be lost, changed or looked at by people who do not have a right to view it
- Accountability - Good record keeping to demonstrate compliance with the legislation and the 6 preceding principles
The Access to Health Records Act 1990 allows access, in certain circumstances, to information that we hold on deceased patients.
More information
Read NHS Grampian's Data Protection Policy. Following Brexit, please read all references to the EU General Data Protection Regulation (GDPR) in our policy as the 'United Kingdom General Data Protection Regulation (UKGDPR)'. For more information please see: The UK GDPR | ICO.
Read NHS Grampian's main Privacy Notice for members of the public. This explains how and why we use your information in the provision of care, the management of our system, to address important reasons of public health and in approved medical research. If you are interested in the functions and activities of Scottish Health Boards, you may also find this document interesting. It provides information about the range of things Scottish Health Boards do, whether that requires personal data and, if yes, why that would usually be considered lawful.
We have a special version of our privacy notice for children.
NHS Grampian also provides privacy notices for specific activities, projects or programmes where we would like to provide people with a little more information about what happens to their data. You can view examples of those at: Privacy Notices
Read NHS Grampian's Staff Privacy Notice.
If you would like to request your personal information from NHS Grampian, we provide information on how to do so here, including some standard forms to help you at: Confidentiality, Health Records and Data Protection.
We have a dedicated e-mail address for requests for your medical information or the medical information of a deceased person following the report of the Infected Blood Inquiry. Please send your questions to gram.ibidatarequests@nhs.scot.
Please note, if you would like to request other information from NHS Grampian (ie information that is not about you), you may find our information on making freedom of information requests helpful at: Freedom of Information. If you wish to request the records of a deceased person, further to the provisions of the Access to Health Records Act 1990, please contact the Information Governance team for assistance, using the details below.
When sending requests for information to NHS Grampian, please do not send original identity or other documentation. We will contact you and let you know what information we need from you.
You can find more information about how health information is used nationally on the NHS Inform website, the Public Health Scotland website, the NHS National Services Scotland website, and the website of NHS Education for Scotland.
During the emergency response to the COVID-19 pandemic, data was used throughout the health and social care system for the purposes of providing health and social care and the management of the system. NHS Grampian published local information on how data was being used on its COVID-19 public webpages. That information is available here (pdf). This was provided in addition to the national information published by Scottish Government, which can be found at: www.informationgovernance.scot.nhs.uk/covid-19-privacy-statement/.
There is lots of information about data protection on the UK Information Commissioner's website. They also have a specific section about data protection rights.
Our Data Protection Officer can be contacted at:
Data Protection Officer
Information Governance
Medical Directorate
NHS Grampian
Rosehill House
Cornhill Road
Aberdeen
AB25 2ZG
Tel: 0345 456 6000
Tel: 01224 551549
Email: gram.dpo@nhs.scot
Our Caldicott Guardian can be contacted at:
The Caldicott Guardian
Medical Director
NHS Grampian
Summerfield House
2 Eday Road
Aberdeen
AB15 6RE
Published: 25/10/2024 11:15