Privacy and data protection

About NHS Education for Scotland

NHS Education for Scotland (NES) is a public-sector body as set out in 2002 No. 103 National Health Service – the NHS Education for Scotland Order 2002. It is one of the organisations which form part of NHSScotland.

NES is an education and training body and a national health board within NHSScotland, with responsibility for developing and delivering education and training for the healthcare workforce in Scotland.

NES manages and maintains the NHSScotland Careers website.

What types of personal information is collected?

NES holds and manages personal data for the administration, management and marketing of the NHSScotland Careers website.

For the NHSScotland Careers website we process the following categories of personal data:

  • Contact details: First name, last name and email address of mailing list subscribers.

What is the purpose of processing data?

The purpose of processing the data is to broadcast information about careers, education pathways, resources, training programmes, newsletters, and partner organisations.

What is the legal basis for using personal information?

NES as a data controller and a data processor, is required to have a legal basis when using personal information. NES considers that performance of our tasks and functions are in the public interest. When using personal information, our legal basis usually that its use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us.

For the NHSScotland Careers website, NES considers our legal basis for processing is:

  • "6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes";
  • “6(1)(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”;
  • “6(1)(c) processing is necessary for compliance with a legal obligation”;
  • “6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”

Sharing the information

We will only share personal data where required to do so by law.

Retention periods of the information we hold

We only keep your information for as long as it is necessary to fulfil the purposes for which the personal information was collected. This includes for the purpose of meeting any legal, accounting or other reporting requirements or obligations. The NHSScotland retention policy sets out the minimum retention timescales.

For the NHSScotland Careers website mailing list we will retain your personal data indefinitely, while you continue to be subscribed to our mailing list. You can choose to unsubscribe from our mailing list at any time.

Security of your Information

We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking reasonable measures to ensure the confidentiality and security of personal data for which we are responsible for.

All NES staff are required to undertake annual information governance training and to be familiar with information governance policies and procedures.

Your rights regarding your personal data

You have the following rights in regard to your personal data:

  • The right to be informed of why we are collecting and holding data about you and how that data will be used;
  • The right to access the data we hold about you;
  • The right to have the data we hold about you rectified if it is inaccurate or incomplete;
  • The right to have your personal data erased and to prevent processing in specific conditions;
  • The right to restrict the processing of your data;
  • The right to obtain and reuse your personal data for your own purpose across different services;
  • The right to object to the processing of your data based on legitimate interests of NES, direct marketing or for the purposes of scientific/historical research and statistics;
  • The right not to be subject to a decision based on automated processing.

How to access your personal data?

You have the right to access the information which NES holds about you, and why, subject to any exemptions using a Subject Access Request. Requests must be made in writing and you will need to provide:

  • Adequate information [for example full name, address, date of birth, staff number etc] so that your identity can be verified and your personal data located.
  • An indication of what information you are requesting to enable us to locate this in an efficient manner.
    You should send your request to the Information Governance Team. Contact details can be found below.

We will aim to comply with requests for access to personal data as quickly as possible. We will ensure that we deal with requests within 30 days of receipt unless there is a reason for delay that is justifiable.

Complaints about how we process your personal data

In the first instance, you should contact the Information Governance Team – contact details can be found below.

Data Protection Notification

NES is a ‘data controller’ under the Data Protection Act. We have notified the Information Commissioner that we process personal data and our registration number is: Z7921413

The details are publicly available from the:
Information Commissioner’s Officer
Wycliffe House
Water Lane
Wilmslow SK9 5AF

How to contact us


Data Protection Officer
Westport 102
West Port
Edinburgh EH3 9DN

Use of cookies on this website

A cookie is a small data file that certain websites write to your hard drive when you visit them. This site uses different types of cookie.

If you want to delete any cookies that are already on your computer, please refer to the instructions for your file management software to locate the file or directory that stores cookies. You can access them through some types of browser. Search in your cookie folders for to find our cookie and the Google Analytics cookie if you wish to delete them.

More information about cookies, including how to block them or delete them, can be found at

The information below describes the use of cookies on the NHSScotland Careers website:

Where other NHSScotland websites and portals use different cookies, information will be provided on those websites.

Cookies used by this website

Visitors can use this website with no loss of functionality if cookies are disabled from the web browser.

The NHSScotland Careers website uses Google Analytics, a popular web analytics service provided by Google, Inc. Google Analytics uses cookies to help us to analyse how users use the site.

The information generated by the cookie about your use of our website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of our website, compiling reports on website activity and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google undertakes not to associate your IP address with any other data held by Google.

This list shows all cookies used by the NHSScotland careers website, and what each is used for.

Cookie Name Purpose Expiry
__utmb Google Analytics cookie. This stores the domain name (hash code) of site, pages viewed this session, current time. 30 minutes
__utmc Google Analytics cookie. This stores the domain name (hash code) of site. At end of session
__utma Google Analytics cookie. This stores the domain name (hash code) of site, a unique visitor id (randomly generated number), time of first visit, time of previous visit, current time, number of sessions since first visit. 2 years
__utmz Google Analytics cookie. This stores the domain name (hash code) of site, time when cookie last set, total number of visitor sessions, number of different channels or sources through which this site was reached, source of the last cookie update, search hit tag identifier (or just 'organic' if reached via normal search hit), search medium, keyword phrase used to find site. 6 months