Privacy and confidentiality


The Public Health Scotland (PHS) privacy notice describes the full range of our uses of personal data and the ways in which we ensure that it is kept safe.  We adhere to a 'five safes' framework

Safe people – all our staff undertake compulsory training in data protection and information security. They also have the technical skills to analyse the data, make sense of the outputs, find evidence, and report on the findings. Time-limited access to personal data in PHS is role-based, with restrictions and authorisations in place, as well as monitoring of what is used.

Safe projects – our staff require time-limited authorisation to access personal data and they have to justify the use of the data. Depending on the type of project, the request for access may be scrutinised by an external independent Public Benefit and Privacy Panel which includes patient representatives. This panel checks that we protect personal data and meet our legal obligations of data protection and confidentiality.

Safe data – when our staff work with data we make sure we only use the minimum information required for us to undertake our role. What this means in practice is that, in some circumstances, for example, where some of our specialist staff are involved in understanding where there are clusters of certain types of cancers, they may be authorised to use personal data for their statistical analysis within our encrypted and secure computer servers.

Safe settings – personal and special categories of personal data which are available in PHS are stored securely on secure servers which have certified security controls. We comply with the NHS Scotland Information Security Policy set out by Scottish Government. In some cases, data can only be accessed within the national safe haven which is a secure analytic environment with access to secure analytic software.

Safe outputs – our outputs which have been created by using personal data undergo statistical checking and disclosure assessment to ensure that no individuals can be identified and that the outputs meet the highest confidentiality standards.

A Scottish Government privacy statement has been developed in response to COVID-19 and is intended to both inform and reassure you that your information is being shared appropriately within the NHS in Scotland and with our partner organisations.