Data protection notice
How we collect, store and use personal data
Our data protection notice is a guide to tell you more about the way we collect, store and use personal information about you following registration as a donor with us and after you have made a donation to us, the Scottish National Blood Transfusion Service.
It also tells you what your rights are under data protection law, how you can request to see your information and what to do if you have any concerns about our management of personal information.
Who are SNBTS?
The Scottish National Blood Transfusion Service (SNBTS) is the specialist provider of blood, tissue and cell products and services in Scotland. We are part of NHS National Services Scotland (NHS NSS) which is a public organisation created in Scotland under Section 10 of the National Health Service (Scotland) Act 1978. ‘NHS National Services Scotland’ is the common name of the Common Services Agency for the Scottish Health Service.
Legal basis for our use of your data
We collect and manage blood, tissue and cell donations from donors in Scotland and use these to make different products for patients. To support this, we need to collect, use and store personal information. Our legal basis for this is that the use of this information is necessary for:
- the performance of a task carried out in the public interest, or the exercise of our official authority, being the provision of our services to patients and donors; or
- compliance with a legal obligation, such as the requirement to make sure that blood, tissue and cell donations are fully traceable from donor to recipient.
Where we use more sensitive personal information, such as health information, our legal basis is usually that the use is necessary for the provision of health or social care or treatment, or the management of health or social care systems and services.
On some occasions we may rely on another legal basis for using sensitive information, which will usually be that the use is necessary:
- for reasons of public interest in the area of public health; or
- for reasons of substantial public interest for aims that are proportionate to and respect people’s rights; or
- for archiving, scientific or historical research or statistical purposes, where appropriate safeguards are in place; or
- to protect the vital interests of an individual.
Once a donor is registered on our system, their information is retained so that we can meet statutory requirements covering the donation process. Please ask us if you would like to discuss this before you are registered, or at any point afterwards.
What personal information do we keep?
- Personal details and contact information: name, address, date of birth, telephone number, email address, occupation, ethnicity, sex, donor ID number
- Attendance details: where you donate, your appointments if relevant and when you donated
- Information affecting eligibility to donate: this can include sensitive information relating to health, lifestyle, sexual relationships, travel and other factors affecting donor or patient safety
- Donation details: this includes your blood group and the results of all the other tests we perform on your donations
- Correspondence: details of letters and other communications we have sent or received in relation to you
- Other medical records: for example, follow up of any problems you report to us after a donation.
How is personal information stored?
Information about you is stored securely on our electronic donor database. We also keep a copy of the questionnaire used to carry out a donor health check which is completed before every donation.
Where we need to keep other information (for example, medical records relating to a donor), this is held confidentially in either paper or electronic form.
We are committed to maintaining the security and confidentiality of your data and take care to keep all our security measures up to date. We also use encryption software, to make sure your information is stored as safely as possible. All our staff and anyone who receives information from us have a legal duty to keep information about you confidential.
What data sources do we use?
Most of the personal information we receive is provided by the donor themselves. Donors are asked to complete a donor health check questionnaire each time a donation is made.
We may receive information about donors from other parts of the health service, including GPs and hospital clinics. We also collect some information about family members of deceased donors.
What do we do with your information?
We use your information:
- to ensure your safety and the safety of any patients who receive your donations;
- to contact you to let you know when and where/how to donate
- to inform you about any problems with your donation
- to improve our service; for example, finding better ways to organise our donation sessions
- for clinical audit and other checks to ensure we are working to the highest standards
- for market research purposes, supporting the recruitment and retention of donors.
If we don’t need your personal details for any of these tasks, we will remove as much information as possible before processing.
Data sharing
SNBTS will only share your data as allowed or required by law. We are, for example, obliged to notify Public Health Scotland when we become aware that someone has contracted certain specific diseases. In some circumstances we may need to release your personal details to a third party supplier: for example, to enable printing of donor cards and donor health check forms for blood donors. All such suppliers will meet the same confidentiality standards as SNBTS.
If we have identified a problem with the donation that is important for your health, we may refer you to an appropriate health care provider, such as your GP. We will always try to speak to you and ask your permission to do this. However, if we are unable to contact you, we may pass information on without this consent. We will only do this where we feel it is in your best interest to do so. If you have previously given blood to another transfusion service and we have detected a blood-borne infection in your blood, we may also need to contact that service. This is in case there is any risk to recipients of your donations made to that service. We will always make an effort to discuss this with you beforehand. All transfusion services are required to follow data protection law and have processes in place to ensure the confidentiality of any information that is passed on to them.
SNBTS will not share your data with a third party for any purpose other than those listed above, without first requesting your consent.
How long do we keep personal information?
We keep personal information as set out in the Scottish Government Records Management: Health and Social Care Code of Practice (Scotland) 2020. This Code of Practice sets out minimum retention periods for information, including personal information, held in different types of records including personal health records and administrative records. Under the terms of the applicable UK regulations on blood, tissue and cell safety, we have to retain records relating to donations for at least 30 years beyond when the donation is used.
Your rights
Data protection law gives you, the donor, a number of rights:
-
The right to be informed
You have a right to be informed about how we use personal information. We do this in a number of ways including:
- this data protection notice
- information leaflets
- discussions with staff providing your care
- information on our website
-
The right of access
You have a right to see, or have a copy of, the information we hold about you. This includes making you aware of what information we hold along with the opportunity to satisfy you that we are using your information fairly and legally. You also have the right to obtain:
- confirmation that your personal information is being held or used by us
- access to your personal information
- additional information about how we use your personal information
Although we must provide this information free of charge, if your request is considered unfounded or excessive, or if you request the same information more than once, we may charge a reasonable fee.
If you would like to access your personal information, you can do this by getting in touch with the NHS NSS Data Protection Officer, at the address provided at the end of this leaflet. Please provide as much information as possible about what personal information you wish to see. Include your full name, date of birth, address and donor registration number (if available) to help us locate your records. You should also let us know if your request applies to a specific time period.
Once we have received your request and you have provided us with enough information for us to locate your personal information, we will respond to your request without delay, within one month. However, if your request is complex we may take longer, by up to two months, to respond. If this is the case we will tell you and explain the reason for the delay.
-
The right to rectification
If the personal information we hold about you is inaccurate or incomplete you have the right to have this corrected.
If it is agreed that your personal information is inaccurate or incomplete we will aim to amend your records accordingly, normally within one month, or within two months where the request is complex. However, we will contact you as quickly as possible to explain this further if the need to extend our timescales applies to your request. Unless there is a risk to patient safety, we can restrict access to your records to ensure that the inaccurate or incomplete information is not used until amended.
If for any reason we have shared your information with anyone else, perhaps during a referral to another service for example, we will notify them of the changes required so that they can ensure their records are accurate.
If on consideration of your request we do not consider the personal information to be inaccurate then we will add a comment to your record stating your concerns about the information. If this is the case we will contact you within one month to explain our reasons for this.
If you are unhappy about how we have responded to your request for rectification we will provide you with information on how you can complain to the Information Commissioner’s Office, or how to take legal action.
-
The right to object
You have the right to object to our use of personal information about you, and also seek that further processing of personal information about you is restricted. If we can demonstrate compelling legitimate grounds for processing your personal information, for instance: patient or donor safety or to support legal claims, your right will not be upheld. If you would like to object to, or request restriction of, our use of personal information about you, you can do this by getting in touch with the NHS NSS Data Protection Officer at the address given at the end of this leaflet.
-
Other rights
There are other rights under current data protection law, however these rights only apply in certain circumstances. If you wish further information on these rights please look at the data protection pages on the NHS NSS website.
How you can help
Please check that any information in correspondence you receive from us is accurate and up-to-date. This is especially important for contact details (e.g.: address, telephone numbers, email address). Let us know about anything that we’ve got wrong either when you next attend one of our sessions, by telephone at 0345 90 90 999, or by using our online enquiry form.
If you are a regular blood donor, your donor health check form will be posted to your home address before your next session. Please remember to keep this form safe as it contains your personal information. If you are unable to attend one of our sessions, make sure you dispose of it so that your information cannot be read by anyone else.
Don’t forget to update us about any change of name, address or phone number (including mobile phone numbers).
Further information about data protection
NHS NSS employs a Data Protection Officer to check that we handle personal information in a way that meets data protection law. If you would like more information, or are unhappy with the way in which we use personal information please tell our Data Protection Officer using the contact details below.
NHS National Services Scotland Data Protection Officer
NHS National Services Scotland
Gyle Square
1 South Gyle Crescent
Edinburgh EH12 9EB
telephone: 0131 275 6000
email: nss.dataprotection@nhs.scot
- Find out more about NHS National Services Scotland's general data protection policy by visiting the NHS NSS website.
- You can download a copy of the Data Protection Notice here
- You also have the right to complain about how we use your personal information to the Information Commissioner’s Office (ICO). Details about this are on their website at www.ico.org.uk.