Primary Care Contractor Organisation

Data Protection Notice regarding Independent Contractors

Introduction

During the course of NHS Lothian activities we will collect, store and process personal information about our prospective, current and former staff. For the purposes of this privacy notice, ‘staff’ includes applicants, employees, workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.

We recognise the need to treat staff personal data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met. This privacy notice provides a summary of how we will ensure that we do that, by describing:

the categories of personal data we may handle
the purpose(s) for which it is being processed, and
the person(s) it may be shared with.

This notice also explains your rights regarding your personal information.

What laws are relevant to the handling of personal information?

The law determines how organisations can use personal information. The key legislation governing the use of information is listed below:

Data Protection Act 2018
General Data Protection Regulation (GDPR (EU) 2016/679)
The Human Rights Act 1998
Freedom of Information (Scotland) Act 2002
Computer Misuse Act 1998
Regulation of Investigatory Powers Act 2000, and
Access to Health Records Act 1990.

NHS Lothian is the ‘Data Controller’ (the holder, user and processor) of staff information.

The Health Board has an express statutory function under the National Health Service (Scotland) Act 1978 to maintain the lists of independent contractors.

The PCCO operates within the Regulations issued for the primary care environment as follows:

The National Health Service (Performers List)(Scotland) Regulations 2004 as amended
The National Health Service (General Medical Services Contracts)(Scotland) Regulations 2018
The National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018
The National Health Service (General Dental Services)(Scotland) Regulations 2010 as amended
The National Health Service (General Ophthalmic Services)(Scotland) 2006 as amended
The National Health Service (General Pharmaceutical Services)(Scotland) 2009 as amended

What types of personal information do we handle?

In order to carry out our activities and statutory obligations to maintain a Performer’s List, Dental List, Ophthalmic List and Pharmaceutical List we handle data in relation to:

Primary care contractors (dentists, GPs, pharmacists, optometrists) or their staff providing services to patients in NHS Lothian

The types of personal data may include but is not limited to:

Primary care contractor information

name, home address, telephone, personal email address, date of birth, employee identification number and marital status, and any other information necessary for our business purposes, which is voluntarily disclosed in the course of an employee’s application for inclusion on the relevant health board list
national insurance number
professional registration number
bank details
email address
telephone number
sensitive personal data: for example, data about race, ethnic origin, religious or philosophical beliefs, trade union membership, health, and sexual orientation (collected only where required by law and used and disclosed only to fulfill legal requirements)
absence information, e.g. claims for sickness absence, study leave, adoption leave, maternity leave, paternity leave
occupational health clearance information
qualification and training information; and
statutory and voluntary registration data

Dental treatment applied for or provided under General Dental Services
Eye examinations applied for or provided under General Ophthalmic Services
Prescription data, records of drugs prescribed by Community Pharmacies
GP records relating to treatment provided under the GMS contract

When you are no longer included on the relevant contractor list, we may continue to share your information as described in this notice, ie so long as this is fair and lawful.

What is the purpose of processing data?

Your personal data is collected by NHS Lothian and shared with NHS National Services Scotland for the purposes of maintaining the lists of independent contractors as required by statute. It will be captured and stored on electronic systems and will be used and shared by PCCO staff in NHS Lothian and other health board where you are working in any capacity.

Occupational health clearance information – referred to as the Occupational Health Passport “fit slip” – is shared with the PCCO by NHS Lothian and NHS Borders Occupational Health Departments. PCCO will not share this information with any other person or organisation.

We use information about you in order to:

evaluate applications for admission to the various lists of independent contractors
manage all aspects of your independent contractor status with us, including but not limited to, payments, appraisal, disciplinary procedures, pensions administration, and other general administrative and human resource related processes
comply with applicable laws (e.g. health and safety),
share “employers” information as appropriate with the professional bodies or in the monitoring of conditions imposed by those bodies.

Sharing your information

There are a number of reasons why we share information. This can be due to:

our obligations to comply with current legislation, and
our duty to comply with any Court Order which may be imposed.

Any disclosures of personal data are always made on case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a “need to know,” or where you have consented to the disclosure of your personal data to such persons.

In order to comply with our obligations we will need to share your information as follows:

Depending on the situation, where necessary we will share appropriate, relevant and proportionate personal information in compliance with the law, with the following:

Our patients and their chosen representatives or carers
Staff
Current, past and potential employers
Healthcare social and welfare organisations
Suppliers, service providers, legal representatives
Auditors and audit bodies
Educators and examining bodies
Research organisations
People making an enquiry or complaint
Financial organisations
Professional bodies
Trade Unions
Business associates
Police forces
Security organisations
Central and local government
Voluntary and charitable organisations

Reasons why we share your personal information	Who we share your information with *(the list below is not exhaustive)*
For the purposes outlined above	PCCO staff, occupational health and NHS National Services Scotland
Professional registration purposes	Regulatory bodies such as the General Medical Council, General Dental Council, General Optical Council, General Pharmaceutical Council
Contractual terms and conditions of service	NHS National Service Scotland – Practitioner Services

Background on sharing and our responsibilities

Privacy laws do not generally require us to obtain your consent for the collection, use or disclosure of personal information for the purpose of establishing, managing or terminating your employment. In addition, we may collect, use or disclose your personal information without your knowledge or consent where we are permitted or required by law or regulatory requirements to do so.

Data Protection Legislation requires personal data to be processed fairly and lawfully. In practice, this means that NHS Lothian must:

have a legal basis for collecting and using personal data;
not use the data in ways that have unjustified adverse effects on the individuals concerned;
be transparent about how it intends to use the data – and give individuals appropriate privacy notices when collecting their personal data;
handle people’s personal data only in ways they would reasonably expect; and
make sure it does not do anything unlawful with the data.

NHS Lothian’s legal basis for collecting and using staff personal data and/or special category data such as health information, is because it is necessary to do so when contractors are on the relevant Health Board List or wish to be included on the relevant Health Board List.

Information about the rights of individuals under the Data Protection Legislation can be found within the NHS Lothian Data Protection Policy.

Security of your Information

We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.

At director level, we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality. We also have a Data Protection Officer who advises the Board on data protection compliance and who liaises with the SIRO and Caldicott Guardian.

All staff are required to undertake regular information governance training and to be familiar with information governance policies and procedures. All NHS staff are also subject to the common law duty of confidentiality.

How do we collect your information?

Some of the information you provide on your application for admission to the Performers List, Dental List, Ophthalmic List or Pharmaceutical List will be included on the national general practitioner database (for GPs and optometrists) and local PCCO database for general dental practitioners. These databases are maintained in order to fulfil the statutory requirements for a Health Board to maintain a general medical practitioner performers list, dental list and pharmaceutical list.

We also collect information in a number of other ways, for example correspondence, forms, interview records, references, surveys.

Retaining information

We only keep your information for as long as it is necessary to fulfil the purposes for which the personal information was collected. As directed by the Scottish Government in the Records Management Code of Practice, we maintain a retention schedule as part of our Records Management Policy detailing the minimum retention period for the information and procedures for the safe disposal of personal information.

We may, instead of destroying or erasing your personal information, make it anonymous so that it cannot be associated with or tracked back to you.

How can you get access your personal data?

You have the right to access the information which NHS Lothian holds about you, and why, subject to any exemptions. Requests can be made in a number of ways, including in writing or verbally. You will need to provide:

adequate information [for example full name, address, date of birth, staff number, etc.] so that your identity can be verified and your personal data located.
an indication of what information you are requesting to enable us to locate this in an efficient manner.
We may ask you to complete an application form to collect the data we need, although you are not obliged to do so.

You should direct your request to the Data Protection Officer – details can be found below.

Once we have received your request and you have provided us with enough information for us to locate your personal information, we will respond to your request without delay, within one month (30 days). However If your request is complex we may take longer, by up to two months, to respond. If this is the case we will tell you and explain the reason for the delay.

What if the data you hold about me is incorrect?

It is important that the information which we hold about you is up to date. Changes can be notified to the PCCO in order that the relevant database or list might be updated.

Complaints about how we process your personal information

In the first instance, you should contact the Data Protection Officer – contact details can be found below. Information about the rights of individuals under the Data Protection Act can be found online at www.ico.org.uk

Data Protection Registration

NHS Lothian is registered with the Information Commissioner’s Office as a data controller. Registration number Z5757124

The details are publicly available from the:-

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF
www.ico.org.uk

Data Protection Officer

If you wish to contact the Data Protection Officer you can contact them at:

Data Protection Officer
IT Governance
Woodlands House
74 Canaan Lane
Edinburgh
EH9 2TB
Phone – 0131 465 5444

Primary Care Contractor Organisation

If you wish to contact the PCCO you can contact them at:

Primary Care Contractor Organisation
NHS Lothian
Waverley Gate
2-4 Waterloo Place
Edinburgh
EH1 3EG

With acknowledgments to NHS Scotland and NHS England

Data Protection & Privacy
- Primary Care Contractor Organisation
- Requests for Personal Information including Medical Records: (Subject Access Requests)
- Children’s Data Protection Notice
- Data Protection Notice