Privacy Statement

1. About Us

Scotland has one of the best health services in the world and the NHS is the largest employer in our country. We actively encourage applicants from a range of backgrounds, regardless of gender, age, race, sexual orientation, religion or belief.

Increasingly, our workforce is based outside traditional hospital settings. They also work in GP surgeries, clinics and health centres in the community and with partner organisations, local authorities and the Scottish Government.

NHS Scotland is made up of 14 regional Health Boards. Each one is responsible for protecting and improving the health of the population in its area.

There are also eight national Health Boards. They support the regional Boards by providing a range of important, specialist and national services.

When applying to work with one of these Health Boards, the recruitment process and all relevant personal information involved will be managed by that board. Contact details for each of the Health Boards can be found at https://www.nhsinform.scot/care-support-and-rights/health-rights/confidentiality-and-data-protection/how-the-nhs-handles-your-personal-health-information#data/

You can find more information about our health workforce on the Scottish Government website.

2. The information you may be asked for, and why?

The personal information you provide will allow the appropriate recruiting NHS Scotland organisation to effectively manage and progress your application through their recruitment processes, and for them to meet their obligations to you as a prospective employer.

The following personal information may be required:

  • Name
  • Address
  • Telephone number
  • Email address
  • NI number
  • Previous and current employment history
  • Educational background
  • Contact details for referees
  • Equality and diversity data
  • Additional information to support any criminal reference checking and any other details as deemed relevant to the recruitment and onboarding process.
  • Successful candidates' personal banking details are required in order to process all payments due to you in respect of your employment.
  • Information relating to your health may be collected via a pre-employment health check by the Occupational Health Service. This information is captured to ensure compliance with statutory responsibilities, and will be held within an Occupational Health file. The information will be used to make recommendations to line managers.
  • You may be asked to disclose personal characteristic information as defined in the Equality Act 2010 and other equalities related information. This information is used for the purposes of statistical monitoring, and will not be shared with line managers.

3. What is done with your personal information

Your contact details may be used to contact you regarding your application. The recruiting NHS Scotland organisation will communicate with you predominantly via email; by providing your email address, you are consenting to receive correspondence relating to the recruitment process by email.

The data will be stored, processed, used and disclosed in the following ways:

  • To provide recruitment services to you and to facilitate the recruitment process
  • To enable you to submit your CV and/or application form, apply online for jobs
  • To answer your questions and enquiries
  • To share with third parties where they have been retained to provide services that have been requested, including health assessments, assessment centres, qualifications and criminal reference checking services, verification of the details you have provided from third party sources, psychometric evaluation or skill tests
  • To use your information on an anonymised basis to monitor compliance with equal opportunities policy
  • To carry out obligations arising from any contracts entered into between you and the employing board
  • To undertake statistical analysis of anonymised data (equality and diversity) and internal reporting through a candidate’s recruitment journey.

4. Legal basis for processing your personal information

The legal basis relied upon for processing your personal information is article 6(1)(b) of the UK-GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract.

The legal basis relied upon to process any information you provide as part of your application which is special category data, such as health, religious or ethnicity information, is article 9(2)(b) of the UK-GDPR, which relates to our obligations in employment and the safeguarding of your fundamental rights. We also rely upon Schedule 1 part 1(1) of the DPA2018, which again relates to processing for employment purposes. We may also rely on 9(2)(a) of the UK-GDPR, which relates to your explicit consent. It is important to note that special category data used for the purposes of equal opportunities is non-mandatory and you can select "prefer not to say".

As part of the recruitment process, information about applicant criminal convictions and offences will be processed. The legal basis relied upon to process this data is Article 6(1)(b) to perform a contract or to take steps at your request, before entering a contract.

5. Who we share your personal information with

The recruiting Health Board is under a duty to protect the public funds it administers, and to this end the information you have provided on your application form will be used for the prevention and detection of fraud. The information may also be shared with other bodies responsible for auditing or administering public funds for these purposes. More detail and further information is available on the Audit Scotland website: www.audit-scotland.gov.uk/

The recruiting board reserves the right to transfer your information to a third party involved in the recruitment process provided that the third party agrees to adhere to the terms of this Privacy Notice and provided that the third party only uses your Personal Data for the purposes that you provided for. Information will also be shared with other public bodies where the law requires this. Examples of such public bodies are Her Majesty’s Revenue and Customs (HMRC), the Department for Work and Pensions and the Scottish Freedom of Information Office. The recruiting board will also generally comply with requests for specific information from other regulatory and law enforcement bodies where this is necessary and proportionate.

6. How long we keep your information for

NHS Scotland maintains a records retention and disposal schedule which sets out how long different types of information are held for. This schedule can be found here: The Scottish Government Records Management Code of Practice for Health and Social Care (Scotland) 2020

In line with this schedule, unsuccessful candidates’ data will be securely destroyed 12 months after the decision is made that your application has been unsuccessful, adhering to the statutory requirement to retain information for a select period to allow candidates to challenge recruitment decisions.

Successful candidates’ information required for employment purposes will be retained throughout your employment and will be held in the appropriate employing board’s HR system. All other documentation not relevant will be securely destroyed 12 months after your start date has been confirmed; this includes any supporting documentation which you provide for criminal reference checking, proof of address etc.

7. Your Rights

Under Data Protection law you have rights which are available to you. These rights are detailed below. Please be aware that should you wish to exercise these rights, your request should be made to the appropriate employing Health Board at https://www.nhsinform.scot/care-support-and-rights/health-rights/confidentiality-and-data-protection/how-the-nhs-handles-your-personal-health-information#data

Right to be informed - Your right to be informed is met by the provision of this privacy notice, and similar information when we communicate with you directly.

Right to access your information - You have the right to request a copy of the personal information about you that is held.

Right to correct your information (rectification) - It is important to ensure that your personal information is accurate, complete and up to date and therefore you can ask for a correction of any personal information about you that you believe does not meet these standards.

Right to the erasure of your information - You have the right to object to the processing of your information and can withdraw your application and delete your candidate profile at any point in the process. However, in order to proceed with an application for a position with the recruiting board, your personal information requires to be processed, as per 6(1)(b) in the UK-GDPR – processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.

Right to object - At any time, you have the right to object to your personal information being processed for direct marketing purposes.

Right to restrict processing - In some cases, you may ask for a restriction on how we use your personal information.

Rights relating to data portability - This right is only available where the legal basis for processing under the UK-GDPR is consent, or for the purposes of a contract between you and the recruiting organisation. For this to apply, the data must be held in electronic form. The right is to be provided with the data in a commonly used electronic format.

Rights relating to automated processing, including profiling - You have the right to object to being subject to a decision based solely on automated processing, including profiling. Should we perform any automated decision-making, we will record this in our Privacy Notice, and ensure that you have an opportunity to request that the decision involves personal consideration. Please note that we currently do not carry out any automated processing or profiling in relation to our recruitment processes.

8. Complaints

If you have a complaint about how your personal information is handled, you can contact the relevant Health Board’s Data Protection Officer, which can be found at https://www.nhsinform.scot/care-support-and-rights/health-rights/confidentiality-and-data-protection/how-the-nhs-handles-your-personal-health-information#data

You also have the right to make a complaint about data protection matters to the Information Commissioner's Office. They can be contacted via their website at https://ico.org.uk/make-a-complaint/ or by telephone on 0303 123 1113.