NHS Dumfries & Galloway

Data Protection Privacy Statement Relating to Staff

During the course of NHS Dumfries and Galloway’s activities we will collect, store and process personal information about our prospective, current and former staff. For the purposes of this Data Protection Notice, ‘staff’ includes applicants, employees, workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.

We recognise the need to treat staff personal information in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met. This Data Protection Notice provides a summary of how we will ensure that we do that, by describing:

  • the categories of personal information we may handle
  • the purpose(s) for which it is being processed, and
  • the person(s) it may be shared with.

This notice also explains what rights you have to control how we use your information. Please read it carefully to understand what we do.

Laws relevant to the handling of personal information

The law determines how organisations can use personal information. The key legislation governing the use of information is listed below:

  • Data Protection Legislations
  • The Human Rights Act 1998
  • Freedom of Information (Scotland) Act 2002
  • Computer Misuse Act 1998
  • Regulation of Investigatory Powers Act 2000, and
  • Access to Health Records Act 1990.

NHS Dumfries and Galloway is the ‘Data Controller’ (the holder, user and processor) of staff information.

Types of personal information we handle

In order to carry out our activities and obligations as an employer we handle information in relation to:

  • name, home address, telephone, personal email address, date of birth, employee identification number and marital status, and any other information necessary for our business purposes, which is voluntarily disclosed in the course of an employee’s application for and employment with us
  • national insurance number
  • special category information: for example, data about race, ethnic origin, religious or philosophical beliefs, trade union membership, health, and sexual orientation (collected only where required by law and used and disclosed only to fulfill legal requirements)
  • absence information, e.g. annual leave, sickness absence, study leave, maternity leave, paternity leave
  • occupational health clearance information
  • qualification and training information; and
  • statutory and voluntary registration data.
  • CCTV data.
  • Swipe access cards.

When you are no longer our employee, we may continue to share your information as described in this notice, i.e. so long as this is fair and lawful.

The purpose of processing data

Your personal information is collected by NHS Dumfries and Galloway and shared with NHS Scotland for the purposes of employee management. It will be captured and stored on an electronic system and will be used and shared by human resources (HR) professionals in NHS Dumfries and Galloway and board(s) where you are working in any capacity or with special boards such as NHS National Services Scotland and NHS Education Scotland, where it is used for purposes of workforce planning or to generate published national statistics relating to the NHS Scotland workforce.

Occupational health clearance information – referred to as the Occupational Health Passport – will be shared by NHS Dumfries and Galloway with occupational health professionals in the Board, and Boards where you have been offered employment.

We use information about you in order to:

  • evaluate applications for employment
  • manage all aspects of your employment with us, including but not limited to, payroll, benefits, corporate travel and other reimbursable expenses, development and training, absence monitoring, performance appraisal, disciplinary and grievance processes, pensions administration, and other general administrative and human resource related processes 
  • develop workforce and succession plans
  • maintain sickness records and the occupational health programme
  • administer termination of employment and provide and maintain references
  • maintain emergency contact and beneficiary details, which involves us holding information on those nominated by you
  • comply with applicable laws (e.g. health and safety), including judicial or administrative orders regarding individual employees (e.g., child support payments); and
  • share and match personal information for the national fraud initiative.

Sharing your information

There are a number of reasons why we share information. This can be due to:

  • our obligations to comply with current legislation, and
  • our duty to comply with any Court Order which may be imposed.

Any disclosures of personal information are always made on a case-by-case basis, using the minimum personal information necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a “need to know,” or where you have consented to the disclosure of your personal information to such persons.

In order to comply with our obligations as an employer we will need to share your information as follows:

| Reasons why we share your personal information | Who we share your information with (the list below is not exhaustive) |
| --- | --- |
| For the purposes outlined above | Human resources, occupational health and line managers |
| Professional registration purposes | Regulatory bodies such as the General Medical Council |
| Contractual terms and conditions of service | Scottish Training Database; The Scottish Advisory Committee on Distinction Awards (SACDA) |
| Training and Development | NHS Scotland training administrators, HR administrators |
| National reporting | Scottish Workforce Information Standard System (SWISS). For more information see: www.swiss.scot.nhs.uk |
| Pay, time and attendance | Payroll NHS Dumfries and Galloway and the Scottish Standard Time System (SSTS) |
| National and internal Employee Directory | General public and internally to NHS Scotland employees |
| National Fraud Initiative. Every year, the NHS is required to participate in the National Fraud Initiative. As part of this, we provide payroll information for data matching. Data matching involves comparing sets of data, such as payroll or benefits records of an organisation, against other records held by the same or another organisation. | Audit Scotland. Further information about the National Fraud Initiative is available from Audit Scotland: www.audit-scotland.gov.uk |

Background on sharing and our responsibilities

Privacy laws do not generally require us to obtain your consent for the collection, use or disclosure of personal information for the purpose of establishing, managing or terminating your employment. In addition, we may collect, use or disclose your personal information without your knowledge or consent where we are permitted or required by law or regulatory requirements to do so.

The GDPR and Data Protection Legislation require personal information to be processed fairly and lawfully. In practice, this means that NHS Dumfries and Galloway must:

  • have a legal basis for collecting and using personal information;
  • not use the data in ways that have unjustified adverse effects on the individuals concerned;
  • be transparent about how it intends to use the data – and give individuals appropriate Data Protection Notices when collecting their personal information;
  • handle people’s personal data only in ways they would reasonably expect; and
  • make sure it does not do anything unlawful with the data.

NHS Dumfries and Galloway’s legal basis for collecting and using staff personal information and/or special category information, such as health information, is that it is necessary to do so when staff have an employment contract with the Board or are potentially entering into an employment contract.

Information about the rights of individuals under the Data Protection Legislation can be found within the NHS Dumfries and Galloway Data Protection Notice.

Security of your Information

We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal information for which we are responsible, whether computerised or on paper.

At director level, we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality. We also have a Data Protection Officer who is responsible for the Board’s data protection compliance and who liaises with the SIRO and Caldicott Guardian.

All staff are required to undertake regular information governance training and to be familiar with information governance policies and procedures.

Everyone working for the NHS is subject to the law of confidence. Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless required or permitted by the law.

How we collect your information

Your information will be collected on a national workforce information system; this system is not held locally within your Board. The national system manager is authorised for full access nationally, providing access and accounts for NHS Boards system administrators. NHS Dumfries and Galloway has staff in this role – all within HR.

We also collect information in a number of other ways, for example correspondence, forms, interview records, references, surveys.

Retaining information

We only keep your information for as long as it is necessary to fulfill the purposes for which the personal information was collected. This includes for the purpose of meeting any legal, accounting or other reporting requirements or obligations. The NHS Scotland retention policy sets out the minimum retention timescales.

We may, instead of destroying or erasing your personal information, make it anonymous so that it cannot be associated with or tracked back to you.

How you can get access to your personal information

You have the right to access the information which NHS Dumfries and Galloway holds about you, and why, subject to any exemptions. Requests can be made in a number of ways, including in writing or verbally. You will need to provide:

  • adequate information [for example full name, address, date of birth, staff number, etc.] so that your identity can be verified and your personal information located.
  • an indication of what information you are requesting to enable us to locate this in an efficient manner.

We may ask you to complete an application form to collect the data we need, although you are not obliged to do so.

You should direct your request to the Data Protection Officer.

We aim to comply with requests for access to personal information as quickly as possible. We will ensure that we deal with requests within 30 days of receipt unless there is a reason for delay that is justifiable.

What if the data held about me is incorrect

It is important that the information which we hold about you is up to date. Staff can amend some elements of personal information as required via the national workforce information system. If any other changes not accessible via this route are required then it is important that you let us know by contacting your manager and the HR team.

Freedom of Information

The Freedom of Information (Scotland) Act 2002 (FOISA) provides any person with the right to obtain information held by NHS Dumfries and Galloway, subject to a number of exemptions. Personal information is often exempt, however. If you would like to request some information from us, please send your request to either your Board’s FOISA Officer or the Data Protection Officer – contact details can be found on page 

It is possible, in certain circumstances, for staff data to be released under FOISA. If this was to occur, the relevant Data Protection requirements and guidance from the Information Commissioner’s Office (ICO) would be followed.

Any request to access personal information we hold about you will be handled under the Data Protection Legislations and GDPR.

Complaints about how we process your personal information

In the first instance, you should contact the Data Protection Officer – contact details can be found on page 

Information about the rights of individuals under the Data Protection Act can be found online here

How to contact the Information Commissioner’s Office (ICO)

You can contact the ICO at the following address and email:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow SK9 5AF


Please contact us if you have any questions about our Data Protection Notice or information we hold about you.


Data Protection
Mountainhall Treatment Centre
Bankend Road

Tel: 01387 246246 
email: dumf-uhb.DPA-Office@nhs.net