We collate and analyse information in order to deliver effective and specialist national services which co-ordinate, strengthen and support activities aimed at protecting all the people of Scotland from infectious and environmental hazards.

Confidentiality and data protection

Our Data Protection Notice tells you about the way we collect, store and use personal information, your rights under data protection law, how you can request to see your information, and what to do if you have any concerns about our management of personal information.

We work very hard to ensure the safe and secure storage, use and management of information. We review our confidentiality and security policies and practices regularly to make sure they're kept up to date. You've a right to complain to our Data Protection Officer to check we handle personal information in a way that meets data protection law, by using the contact details on the Public Health Scotland website.

Governance training

All of our staff undertake mandatory information governance training which includes confidentiality and information security. This training helps staff to follow the rules that govern the care and release of confidential data.

All our staff must read, understand and sign up to our confidentiality rules. Staff contracts also highlight the need to respect and maintain confidentiality.

Caldicott guardian

The Caldicott Guardian is a senior person within our organisation who makes sure that confidentiality is maintained and that the personal information we hold is used:

  • legally
  • ethically
  • appropriately

The Caldicott Guardian provides leadership and informed guidance on complex matters involving confidentiality and information sharing. Our Caldicott Guardian works as part of a team of Information Governance experts, who specialise in confidentiality and data protection and can be contacted at

Policies and procedures

There are a number of policies and procedures that help us to ensure that personal data is kept secure. Most of the analysis that we do uses anonymised information. This means that information that could identify an individual is removed, for example:

  • name
  • date of birth
  • address

Only a limited number of specially trained staff can access confidential information that could identify a person, and this access is only permitted for a certain period of time.

Statistical disclosure control

This is a way to reduce the risk of disclosing personally identifiable information. We control disclosure by not showing some data, or by combining or modifying data, before its release.

Our Statistical Disclosure Protocol complies with the Information Commissioner's Anonymisation Code of Practice.

Public benefit and privacy panel for health and social care

The Public Benefit and Privacy Panel for Health and Social Care decides when nationally held information about people who use health and care services can be used for research, audit and service improvement whilst upholding legal obligations of data protection and confidentiality. The panel is made up of:

  • doctors
  • patients
  • researchers
  • specialist advisers on confidentiality and data protection

The panel considers if requests for information strike the right balance between protecting personal data and making data available for research and audit. It ensures that any information releases are carefully controlled and in the public interest.

Any researcher wishing to use the data that we hold must follow current legal and ethical guidelines and comply with the specific instructions set out in the permissions given.

Use of identifiable information

There are times when we have to use information that could identify an individual. For example:

  • reviewing samples of health records to make sure the information held is accurate
  • linking information together so that the outcomes of a particular illness or disease can be monitored
  • providing information to an NHS Board about their patients or residents who have had treatment in other locations
  • monitoring health hazards by gathering surveillance information provided by laboratories, hospitals, GPs, NHS Boards and Local Authorities
  • managing exposure to health hazards and large outbreaks of infectious illness that may affect many people across Scotland, such as large flu outbreaks

Where there's a requirement for this type of information, only a limited number of trained staff are allowed to access the information and only with special permission for a certain period of time.

Further information

See our privacy policy on the main Public Health Scotland website.