Forensic Medical Services Data Protection Notice
Data Protection Notice
This data protection notice relates to the Forensic Medical Service (FMS). It applies to the personal information of individuals aged 16 or over who are referred by Police Scotland or who self-refer for a forensic medical examination (FME) following a rape or sexual assault.
Specifically, this notice applies to personal information processed as part of an FME to support your health and wellbeing and identify your healthcare needs. It also applies to your personal information being used to support any criminal investigations and/or future prosecutions for Police Scotland referrals or self-referrals (should you wish to report the incident to Police Scotland at a later date).
Data Controllers
Under data protection law, organisations have responsibilities as ‘data controllers’. A data controller decides why and how personal information is used.
For personal information that is processed to support your health and wellbeing and identify, treat and manage your healthcare needs, NHS Shetland is the data controller:
NHS Shetland Board Headquarters
Upper Floor Montfield
Burgh Road
Lerwick
Shetland
ZE1 0LA
For personal information that is collected to support any criminal investigation and future prosecution (should you wish to later report the incident to Police Scotland, if you have not already done so) NHS Shetland is the data controller.
Where the incident has been reported to Police Scotland, the personal information will be passed to Police Scotland. At that point NHS Shetland will no longer be the data controller – it will then be Police Scotland:
The Chief Constable of the Police Service of Scotland
Tulliallan Castle
Kincardine
Fife
FK19 4BE
What types of personal information do we process?
NHS Shetland will process your personal information, including sensitive information as part of the FME, for example: name, address, date of birth, postcode and information about your health such as risk of pregnancy and details of onward healthcare referrals made.
Only forensic information collected as part of the FME will be used to support any criminal investigation and future prosecution (for self-referral should you wish to report the incident to Police Scotland at a later date). Forensic information includes details of any injuries or health complications you suffer as a result of the assault, which is gathered as part the FME. We will not otherwise share your health information unless legally required to do so. This information will be kept separately from your master health record.
Our purposes for processing your personal information
NHS Shetland will process your personal information for the following purposes:
- to support your health and wellbeing and identify, treat and manage your healthcare needs
- to collect evidence that would support any criminal investigation and future prosecution (for self-referral should you wish to report the incident to Police Scotland at a later date)
Our lawful basis for processing personal information
NHS Shetland will only process your personal information where data protection law allows us to. This means that we need to have a legal basis when using personal information.
- to support your health and wellbeing and identify, treat and manage your healthcare needs, we process your personal information under the following legal bases:
- Personal Information: Article 6 (UK-GDPR) 1(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
NHS Shetland is a public organisation created in Scotland under section 1 of the National Health Service (Scotland) Act 1978.
NHS Shetland considers that performance of our tasks and functions, such as providing healthcare, is in the public interest. - Special Category Information: Article 9 (UK-GDPR) 2(h) – processing is necessary for the purposes of medical diagnosis and the provision of health or social care.
'Special Category Information' refers to more sensitive types of personal information, such as health information.
- Personal Information: Article 6 (UK-GDPR) 1(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- to collect evidence that would support any criminal investigation and future prosecution (should you wish to report the incident to Police Scotland at a later date) we process your personal information in line with Part 3 of the Data Protection Act 2018 (DPA 2018) and under the following legal bases:
- Personal Information: Part 3, Chapter 2, section 35 (DPA) 35(2)(b) – processing is necessary for the performance of a task carried out for that purpose by a competent authority.
'Competent authority' is a legal term for a person or organisation that the law has authorised to perform specific tasks. NHS Shetland acts as a competent authority under The Forensic Medical Services (Victims of Sexual Offences) (Scotland) Act 2021 (FMS 2021). - Sensitive Processing: Part 3, Chapter 2, section 35 (DPA) 35(5)(a) – processing is strictly necessary for law enforcement purpose.
NHS Shetland carries out ‘sensitive processing’ (the processing of special categories of personal information, such as health information) for the purposes of providing specific forensic medical services covered by the FMS 2021.
- Personal Information: Part 3, Chapter 2, section 35 (DPA) 35(2)(b) – processing is necessary for the performance of a task carried out for that purpose by a competent authority.
Who provides the personal information?
Personal information will be provided:
- directly by you when you self-refer to the service
- directly by you when you are referred to us by Police Scotland
- by Police Scotland when they refer you to us. In this case, Police Scotland will share information which is necessary to support you and Police Scotland’s ongoing investigation.
Sharing of personal information
NHS Shetland will only share your information where there is a clear legal basis to do so:
- we will share limited anonymous information with Public Health Scotland (part of NHS Scotland) for the purpose of reporting on the operation of the Forensic Medical Service.
- we may share information with relevant services/agencies as part of onward health related referrals.
- information provided by you will not be shared with Police Scotland unless you decide to report the incident to Police Scotland. The exceptions to this are if any of the following apply:
- you are under 16 years of age
- you are aged 17 or 18 years old and under the care of social work
- you are thought to be in imminent danger
- you were originally referred to the service by Police Scotland
We may also share information when there is a perceived threat to life to someone other than yourself. All health professionals are bound by the duty of confidentiality and their own professional regulatory body.
Security of your personal information
NHS Shetland takes care to ensure your personal information is only accessible to authorised individuals. Our staff have a legal and contractual duty to keep personal health information secure and confidential. Set out below are some example security measures:
- access to your personal information is restricted to those who have a need to access it in order to carry out their legitimate duties
- all staff undertake mandatory training in Data Protection and IT Security
- organisational policy and procedures on the safe handling of personal information
Retaining personal information
NHS Shetland will retain personal information collected to support your health and wellbeing and identify, treat and manage your healthcare needs in line with the Scottish Government Records Management Health and Social Care Code of Practice (Scotland) 2020.
In general, NHS Shetland will retain personal information collected to support possible criminal investigation and future prosecution for a maximum of 26 months.
If the incident has been reported to Police Scotland and Police Scotland have requested the information, NHS Shetland will pass the information to Police Scotland and will no longer retain it or any copies.
In the case of self-referrals (where Police Scotland have not yet been involved) NHS Shetland will retain the information for up to 26 months. Unless you request that the information is destroyed (in line with your rights described below) the information remains available to support possible criminal investigation and future prosecution, in the event that you decide to report the incident to Police Scotland during this period.
Your rights
You have a number of rights under the FMS 2021 along with data protection law rights. Specifically:
FMS 2021 rights
- The right to be informed: we will explain fully what may happen to evidence collected during a forensic medical examination.
- The right to return of evidence: you have the right to request that any evidence gathered during the forensic medical examination is returned to you (that is, items which were worn or otherwise present during the incident which gave rise to the examination, but does not include samples, for example).
- The right to destruction: you have the right to request that evidence is destroyed and will be allowed a 30 day cooling off period to allow you to change your mind.
Data protection rights
- The right to be informed: we explain how and why we use your personal information;
- The right of access: you have the right to access your personal information;
- The right to rectification: if the personal information we hold about you is inaccurate or incomplete, you have the right to have this corrected;
- The right to restrict processing: you have the right to request that further processing of your personal information is restricted;
- The right to erasure: you have the right to request that your personal information is erased.
Some rights are not absolute and only apply in certain circumstances. For more information on your information rights please see: www.ico.org.uk. If you would like to exercise your rights, you can contact the NHS Shetland Information Governance Team at:
Information Governance Team
Breiwick House
South Road
Lerwick
ZE1 0RB
shet.dpo@nhs.scot
Complaints about how we process your personal information
If you are unhappy about how NHS Shetland has processed your personal information you can also contact the Data Protection Officer:
Data Protection Officer
Breiwick House
South Road
Lerwick
ZE1 0RB
shet.dpo@nhs.scot
You have the right to make a complaint to the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113