The policies on this website are from phase 1 of the ‘Once for Scotland' Workforce Policies Programme.
Further policies will become available in later phases.

Personal information

The employer has a responsibility under the General Data Protection Regulation (GDPR) to manage and store employee’s information safely and securely. Personal data linked to the application of workforce policies in paper and electronic formats will be retained.

General Data Protection Regulation (GDPR)

Under the GDPR law there are the six principles employers must follow:

  • information is processed lawfully, fairly and in a transparent manner in relation to individuals
  • information is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • information held is adequate, relevant and limited to what is necessary, in relation to the purposes for which they are processed
  • information is accurate and, where necessary, kept up to date - every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay
  • information is kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  • information is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

Employee rights under GDPR

GDPR gives employees a number of rights over their data:

  • employees must be told what will happen with their data – usually through data protection notices
  • employees must be able to access their data on formal request - this is often called a data Subject Access Request
  • employees have a right to request their data be corrected if inaccurate or incomplete. The employer has 1 month to respond to such a request
  • employees can request data is deleted if it no longer needs to be held. This can be refused by the employer if they can show that holding the data is still necessary and legitimate

Record management

The required standards of practice in the management of records for those who work within or under contract to NHS organisations in Scotland are detailed in The Scottish Government Records Management: NHS Code Of Practice (Scotland) Version 2.1 January 2012.

Learn about the principles and values that make sure employees and workers are treated fairly and consistently at work.

Find out about the roles and responsibilities of the people using our workforce policies across the NHS in Scotland.

View the advice and support available to help anyone involved in workforce policy processes.

Was this page helpful?

This is the site feedback form

Enter your email address if you would like a response.

All fields are optional. Enter your email address and a comment if you'd like a response