Links Medical Centre 4 Hermitage Place, Leith, Edinburgh, EH6 8BW | Tel: 0131 554 1036

Data Protection


This GP practice has agreed to take part in the DataLoch research programme. Both your GP practice and NHS Lothian are the data controller for the DataLoch programme (Data is only hosted within NHS Lothian), and are working in partnership with the University of Edinburgh. The aims of the DataLoch programme are to support research for the benefit of local residents in the South-East Scotland region. A Data Sharing Agreement is in place that covers the sharing of patient data with DataLoch, and all approved research is anonymous.

In line with data protection legislation, the legal basis that permits processing of patient data is:

• 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

• 9(2)(j) – Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1)

The DataLoch website covers the researcher data, public enquiries, and newsletter subscriptions for which the University of Edinburgh is the Data Controller:

About the Personal Information we Use

We use personal information on different groups of individuals including:
  • Patients,
  • Staff,
  • Complainants, enquirers,
  • Survey respondents,
  • Professional experts and consultants,
  • Individuals captured by CCTV.
The personal information we use includes information that identifies you like your name, address, date of birth and postcode. We also use more sensitive types of personal information, including information about racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic and biometric data, health; sex life or sexual orientation.
The information we use can relate to personal and family details; education, training and employment details; financial details; lifestyle and social circumstances; goods and services; visual images; details held in the patient record; responses to surveys.

Our Legal Basis for Using Personal Information

NHS Lothian, as data controller, is required to have a legal basis when using personal information. NHS Lothian considers that performance of our tasks and functions are in the public interest. So when using personal information our legal basis is usually that its use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us. In some situations we may rely on a different legal basis; for example, when we are using personal information to pay a supplier, our legal basis is that its use is necessary for the purposes of our legitimate interests as a buyer of goods and services.
Another example would be for compliance with a legal obligation to which NHS Lothian is subject to, for example under the Public Health etc (Scotland) Act 2008 we are required to notify Health Protection Scotland when someone contracts a specific disease.
When we are using more sensitive types of personal information, including health information, our legal basis is usually that the use is necessary:
  • For the provision of health or social care or treatment or the management of health or social care systems and services; or,
  • For reasons of public interest in the area of public health; or,
  • For reasons of substantial public interest for aims that are proportionate and respect people’s rights, for example research; or
  • In order to protect the vital interests of an individual; or,
  • For the establishment, exercise or defence of legal claims or in the case of a court order.

On rare occasions we may rely on your explicit consent as our legal basis for using your personal information. When we do this we will explain what it means, and the rights that are available, to you. You should be aware that we will continue to ask for your consent for other things like taking part in a drug trial, or when you are having an operation.

Who Provides the Personal Information

When you do not provide information directly to us, we receive it from other individuals and organisations involved in the delivery of health and care services in Scotland. These include other NHS Boards and primary care contractors such as GPs, dentists, pharmacists and opticians; other public bodies e.g. Local Authorities and suppliers of goods and services.

Sharing Personal Information With Others

Depending on the situation, where necessary we will share appropriate, relevant and proportionate personal information in compliance with the law, with the following:
  • Our patients and their chosen representatives or carers.
  • Staff.
  • Current, past and potential employers.
  • Healthcare social and welfare organisations.
  • Suppliers, service providers, legal representatives.
  • Auditors and audit bodies
  • Educators and examining bodies.
  • Research organisations.
  • People making an enquiry or complaint.
  • Financial organisations.
  • Professional bodies.
  • Trade Unions.
  • Business associates.
  • Police forces..
  • Security organisations.
  • Central and local government.
  • Voluntary and charitable organisations.

Transferring Personal Information Abroad

It is sometimes necessary to transfer personal health information overseas for example if you require urgent medical treatment abroad. When this is needed information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with NHSScotland Information Security Policy.

How we Protect Personal Information

We take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure, and confidential. The following security measures are in place to protect personal information:
  • All staff undertake mandatory training in Data Protection and IT Security.
  • Compliance with NHS Scotland Information Security Policy.
  • Organisational policy and procedures on the safe handling of personal information.
  • Access controls and audits of electronic systems.