CLO Data Protection Notice
What we do with your information
The Central Legal Office (CLO) is a business unit within The Common Services Agency, more commonly referred to as NHS National Services Scotland or NSS (NHS NSS). CLO forms part of the Finance, Corporate Governance and Legal Services Directorate within NHS NSS. CLO provides legal services to the various Health Boards and other entities that make up NHSScotland, as well as to other public sector organisations.
CLO is committed to protecting and respecting the privacy of individuals whose personal information is held and used by CLO and to complying with its obligations under the Data Protection Act 2018 (DPA 2018) and the UK GPDR.
This privacy statement explains:
- the types of personal information that CLO collects and processes in relation to its function (being the provision of legal advice)
- how CLO obtains and uses such personal information
- when CLO may disclose such personal information to third parties. It also provides further information on your rights.
Our legal basis for using personal information
General information about the legal basis relied on by NHS NSS for using personal information is explained on the Data Protection page on the NHS NSS website, however, the legal basis most relevant to the activities of CLO is that the information is needed for performing a task that we are carrying out in the public interest, or exercising official authority vested in us. Where CLO needs to use more sensitive types of personal information, including health information, our legal basis will usually be for establishing, exercising or defending legal claims.
Types of Data
Physical and mental health information comprised in an individual's medical record
Collection of data
- Such information may be provided to CLO by a client (for example, a Health Board) in connection with a particular matter on which CLO is advising
- Such information may also be provided by the legal advisors appointed by the individual to whom the information relates, in order that the individual's claim, complaint or question can be adequately and appropriately investigated and responded to
- Such information may also be provided by witnesses of an event or of a course of behaviour and so on, in connection with a particular matter on which CLO is advising.
Use of Data
- Such information is used, to the extent necessary, to provide the legal advice and assistance that has been sought by the client
- Such information will also be used to the extent necessary to comply with CLO's statutory and regulatory obligations.
Our disclosure
CLO may disclose personal information that it holds to the following parties, in each case where CLO is required to do so in connection with a particular matter in respect of which CLO is advising:
- its client, where additional personal information, unknown to the client, has been provided to CLO by the legal advisors appointed by the individual to whom the information relates
- counsel (that is a member of the Faculty of Advocates who is engaged to provide independent, expert legal advice), where counsel has been engaged by CLO
- the court or tribunal, whichever is relevant
- the procurator fiscal
- the Scottish Legal Aid Board
- the Compensation Recovery Unit
- the legal advisers appointed by the individual to whom the information relates
- the legal advisers of any co-defenders to any action in respect of which CLO is advising
- expert witnesses, where expert witnesses have been engaged by CLO, to allow the expert witnesses to provide their statement and, or testimony
- factual witnesses, where such witnesses have witnessed an event or a course of behaviour and so on, but such disclosure will be limited to that required to allow the factual witnesses to provide their statement and, or testimony
- law accountants in order to allow them to carry out an assessment of costs
- Auditor of the Court of Session in order to allow him to carry out an assessment of costs.
CLO may also disclose personal information that it holds to the following parties, for the following specified purposes:
- the Scottish Government or other relevant body, where this is required in connection with any fatal accident inquiry, public inquiry or other statutory inquiry
- the Scottish Government for reporting and/or authorisation purposes
- relevant professional regulatory bodies, such as the General Medical Council, the General Dental Council, the Nursing and Midwifery Council and so on, where this is required in required in order to comply with any statutory or regulatory obligation
- the police, upon receipt of a valid request and where permitted under the UK GDPR and the DPA 2018
- external auditors where required in connection with any audit of CLO activities
- service providers to CLO (for example, IT providers), but such disclosure will be limited to that required for providing the relevant service and will only be effected with service providers who have entered into a contract with NSS in which robust data protection obligations and protections are contained.
Information relating to an employee (former or current) or to a claimant, comprised in an employee's or claimant's employment or HR record
Collection of data
- Such information may be provided to CLO by a client (for example, a Health Board) in connection with a particular employment or civil litigation matter on which CLO is advising
- such information may also be provided by the legal advisors or union representatives appointed by the individual to whom the information relates, in order that the individual's claim, employment claim, disciplinary action, complaint or question can be adequately and appropriately investigated and responded to
- such information may also be provided by witnesses of an event or of a course of behaviour and so on, in connection with a particular matter on which CLO is advising.
Use of data
- Such information is used, to the extent necessary, to provide the legal advice and assistance that has been sought by the client
- Such information will also be used to the extent necessary to comply with CLO's statutory and regulatory obligations.
Our Disclosure
CLO may disclose personal information that it holds to the following parties, in each case where CLO is required to do so in connection with a particular matter in respect of which CLO is advising:
- its client, where additional personal information, unknown to the client, has been provided to CLO by the legal advisors or union representatives appointed by the individual to whom the information relates
- counsel (that is a member of the Faculty of Advocates who is engaged to provide independent, expert legal advice), where counsel has been engaged by CLO
- the court or tribunal, whichever is relevant
- the procurator fiscal
- the Scottish Legal Aid Board
- the Compensation Recovery Unit
- the legal advisers appointed by the individual to whom the information relates
- the legal advisers of any co-defenders to any action in respect of which CLO is advising
- expert witnesses, where expert witnesses have been engaged by CLO to allow the expert witnesses to provide their statement and, or testimony
- factual witnesses, where such witnesses have witnessed an event or a course of behaviour and so on, but such disclosure will be limited to that required to allow the factual witnesses to provide their statement and, or testimony
- professional mediators and, or the Advisory, Conciliation and Arbitration Service (ACAS)
- Law Accountants in order to allow them to carry out an assessment of costs
- Auditor of the Court of Session in order to allow him to carry out an assessment of costs.
CLO may also disclose personal information that it holds to the following parties, for the following specified purposes:
- the Scottish Government or other relevant body, where this is required in connection with any fatal accident inquiry, public inquiry or other statutory inquiry
- the Scottish Government for reporting and/or authorisation purposes
- relevant professional regulatory bodies, such as the General Medical Council, the General Dental Council, the Nursing and Midwifery Council and so on, where this is required in required in order to comply with any statutory or regulatory obligation
- the police, upon receipt of a valid request and where permitted under the UK GDPR and the DPA 2018
- external auditors where required in connection with any audit of CLO activities
- service providers to CLO (for example, IT providers), but such disclosure will be limited to that required for providing the relevant service and will only be effected with service providers who have entered into a contract with NHS NSS in which robust data protection obligations and protections are contained.
Address and relevant financial information relating to property or property-related transactions in respect of which an individual is a party
Collection of data
- Such information may be provided to CLO by a client (for example, a Health Board), or by other professional advisors or service providers appointed by a client, in connection with a particular property or property-related transaction on which CLO is advising.
- Such information may also be provided by the legal, or other professional advisors appointed by the individual to whom the information relates, in order that the property or property-related transaction with which the individual is connected can be actioned.
Use of data
- Such information is used, to the extent necessary, to provide the legal advice and assistance that has been sought by the client
- Such information will also be used to the extent necessary to comply with CLO's statutory and regulatory obligations.
Our disclosure
CLO may disclose personal information that it holds to the following parties, in each case where CLO is required to do so in connection with a particular matter in respect of which CLO is advising:
- its client or its clients other professional advisors and service providers, where additional personal information, unknown to the client, has been provided to CLO by the legal appointed by the individual to whom the information relates
- the legal advisers and, or other professional advisers appointed by the individual to whom the information relates
- public registers, such as the Land Register, Sasine Register or Books of Council and Session, where registration of deeds in connection with the relevant property transaction is required or appropriate
- public authorities, where change of property ownership information requires to be provided
- law accountants in order to allow them to carry out an assessment of costs
- Auditor of the Court of Session in order to allow him to carry out an assessment of costs.
CLO may also disclose personal information that it holds to the following parties, for the following specified purposes:
- the Scottish Government or other relevant body, where this is required in connection with any fatal accident inquiry, public inquiry or other statutory inquiry
- the Scottish Government for reporting and/or authorisation purposes
- external auditors where required in connection with any audit of CLO activities
- service providers to CLO (for example, IT providers), but such disclosure will be limited to that required for providing the relevant service and will only be effected with service providers who have entered into a contract with NHS NSS in which robust data protection obligations and protections are contained.
Information relating to potentially fraudulent or criminal activity in which an individual has been engaged or of which an individual has had knowledge
Collection of data
- Such information may be provided to CLO by a client (for example, a Health Board or the Scottish National Blood Transfusion Service, a Directorate within NHS NSS) in connection with a particular matter on which CLO is advising.
Use of data
- Such information is used, to the extent necessary, to provide the legal advice and assistance that has been sought by the client
- Such information will also be used to the extent necessary to comply with CLO's statutory and regulatory obligations.
Our disclosure
CLO may disclose personal information that it holds to the following parties, in each case where CLO is required to do so in connection with a particular matter in respect of which CLO is advising:
- its client, where additional personal information, unknown to the client, has been provided to CLO by the legal advisors appointed by the individual to whom the information relates
- counsel (that is a member of the Faculty of Advocates who is engaged to provide independent, expert legal advice), where counsel has been engaged by CLO
- the court or tribunal, whichever is relevant
- the legal advisers appointed by the individual to whom the information relates
- the procurator fiscal
- factual witnesses, where such witnesses have witnessed an event or a course of behaviour and so on, but such disclosure will be limited to that required to allow the factual witnesses to provide their statement and, or testimony.
CLO may also disclose personal information that it holds to the following parties, for the following specified purposes:
- the Scottish Government or other relevant body, where this is required in connection with any fatal accident inquiry, public inquiry or other statutory inquiry
- the Scottish Government for reporting and/or authorisation purposes
- the police, for the purposes of reporting potentially fraudulent or criminal activity;
- relevant professional regulatory bodies, such as the General Medical Council, the General Dental Council, the Nursing and Midwifery Council and so on, where this is required in order to comply with client instructions
- external auditors where required in connection with any audit of CLO activities
- service providers to CLO (for example, IT providers), but such disclosure will be limited to that required for providing the relevant service and will only be effected with service providers who have entered into a contract with NHS NSS in which robust data protection obligations and protections are contained.
How long we retain the information for
We keep personal information for such periods as are explained on the Data Protection page on the NHS NSS website.
Your rights
Your rights in relation to the information about you processed by NHS NSS (including CLO) are explained on the Data Protection page on the NSS website.
If you would like to access information about you which is held by CLO, or make any objection or other request in relation to CLO's use of your information, you can do this by contacting:
NSS Data Protection Officer
Gyle Square
1 South Gyle Crescent
Edinburgh
EH12 9EB
Tel: 0131 275 6000
E-mail: nss.dataprotection@nhs.scot
By way of further information, we would however simply highlight that as explained at the Data Protection page on the NSS website, we may not have to comply with your request fully or at all in a number of situations including where we are using your information for establishing, exercising or defending legal claims.
Document Control Information
Version: 1.2
Date: November 2023
Revision History
August 2021: Initial publish on the NSS web platform www.nss.nhs.scot
March 2022: First revision
November 2023: Second revision - updates to Directorate and business unit nomenclature, additional references to disclosure to Scottish Government and others in connection with inquiries, additional references to disclosure to Scottish Government in connection with reporting/authorisation, additional reference to disclosure to CLO external auditors, insertion of full control sheet, correction of grammatical errors