There are different rules for the organisations that play different roles in collecting and handling identifiable information.
- Data controller (Article 4(7)): this is any organisation responsible for providing access to, or using, identifiable information. The data controller must keep it safe at all stages, must explain to people what it is being used for, and is legally accountable.
- Data processor (Article 4(8)): this is any organisation involved in collecting or processing information. The data processor must follow the data controller's instructions and meet high IG standards.
- Data controllers are sometimes also data processors.
NES has to follow legislation for the processing of information and uses the General Data Protection Regulation (GDPR) for personal information that is held, with the following points from the legislation:
“6(1)(c) processing is necessary for compliance with a legal obligation”;
“6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
“9(2)(b) – Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement” (for special categories of data)
Further details on how personal data is managed are available via Privacy and Data Protection in NHS Education for Scotland.
NES data controller and/or processor details:
Data Protection Officer, NHS Education for Scotland, Westport 102, West Port, Edinburgh, EH3 9DN
foidp@nes.scot.nhs.uk
The Information Commissioner has NES registered as a data controller, registration number Z7921413.