Privacy and Data Protection Notice – Project Lift Web Application
About NHS Education for Scotland
NHS Education for Scotland (NES) is a public-sector body as set out in 2002 No. 103 National Health Service – the NHS Education for Scotland Order 2002. It is one of the organisations which form part of NHS Scotland (NHSS).
NES is an education and training body and a special health board within NHS Scotland, with responsibility of developing and delivering education and training for the healthcare workforce in Scotland.
What types of personal information is collected
NES holds and manages personal data for the administration and evaluation of training and education of health and social care professionals, for the employment of staff, for research and for related activities in support of our core purposes.
We process several categories of personal data, including:
- Training management data: including contact details for trainees, educational history, placements and records of progress
- Educational data: contact details, records of attainment, records of attendance
- Employee data: contact details employment and educational history, leave records, management information, performance and appraisal information
- Contact details for: contractors and suppliers, stakeholders, volunteers, organisational leads or contacts for specific activities
- Equality and diversity data (where provided by individuals): race or ethnicity, religion, sexual orientation, disability
For Project Lift we process the following categories of personal data:
- Employee data, contact details, career history and career aspirations data
- Equality and diversity data
- Self assessment questionnaire results
- As the Project Lift participant progresses through the application, this may involve providing further information from a variety of developmental assessments via resources hosted within and out with the Project Lift application. The self assessment questionnaire, management assessment questionnaire, career history, career development plan and career conversation summary are hosted within the Project Lift App.
- The 360 degree feedback tool is hosted on TURAS Learn Platform and the Wave psychometric test is hosted on the Wave Platform. These tools are both accessed via the Project Lift App but are provided by separate platforms with their own data protection mechanisms.
- Information gathered via career conversations will be taken to a calibration and talent review process. This process will use source data from the career conversation documents which will summarised in to the participant career conversation report which will be retained in the Project Lift App. Once this has been completed, the source data will be deleted.
What is the purpose of processing data
The purpose of collecting this data is for a variety of reasons as listed below:
- To gather data which will support a values-based leadership development, talent management and succession planning approach for NHS Scotland, social services and H&SCPs in Scotland.
- To gather contact details from all Project Lift participants in order to communicate news and development offerings from the Project Lift business group.
- To identify and develop exceptional leaders who will help to create the skills, behaviours and culture to realise the Health and Social Care delivery plan.
- Where appropriate, to share information with the Project Lift business group, Talent Review Group, Organisational Development leads/HR Directors in NHS Scotland boards (for health employees), HSCPs and local authorities (for social service employees) and the Scottish Government about individuals who have demonstrated high potential leadership qualities through the Project Lift leadership self assessment process in order to help boards, HSCPs and local authorities to support and develop talent locally.
- To share information with the Scottish Government and local authorities in Scotland about participants who have demonstrated high potential leadership qualities and are ready to be mobilised for the purposes of regional or national work and/or further career development at aspiring and existing director levels and above.
- To review the outputs of moderation to inform decision making about mobilisation for national projects and for prioritisation for leadership development of participants at aspiring and existing director levels and above.
- To monitor adherence to equality and diversity legislation and to ensure equal opportunities are available to all Project Lift participants. (It should be noted that equality and diversity data will only be accessed for the purposes of monitoring and adherence to relevant legislation and all data produced as a result will be anonymised).
- To evaluate the effectiveness of the Project Lift approach to leadership development, talent management and succession planning and support continuous quality improvement of these activities in line with intended outcomes.
What is the legal basis for using personal information
NES as a data controller and a data processor, is required to have a legal basis when using personal information. NES considers that performance of our tasks and functions are in the public interest. When using personal information, our legal basis usually that its use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us.
For Project Lift, NES considers our legal basis for processing is:
- That you have given consent to the processing of your personal data for the purposes of Project Lift;
- That you have given consent to the processing of special categories of personal data for Project Lift.
You have the right to withdraw your consent for the processing of your data by contacting us at: email@example.com or via our Data Protection Officer who’s contacts details are below.
Sharing the information
We will share personal data where appropriate and necessary with third parties such as employing NHS Board, HSCP, local authorities and other employers, educational institutions and regulatory and professional bodies. We will also share persona data where required to do so by law.
For Project Lift we will share your data with the Project Lift team hosted by NHS Education for Scotland. In addition, depending on how you progress through the Project Lift App, we may share the data as follows:
- For employees of NHS Scotland (including those working in HSCPs) – the named organisational development lead and HR Director within your employing NHS Scotland board.
- For employees of local authorities (including those working in HSCPs) – the named organisational development lead and HR Director within your local authority within Scotland
- We will share contact email addresses of all those logging in to the Project Lift App for the purposes of communicating news and development offerings with the Office of the Chief Executive, NHS Scotland/Director General, Health and Social Care, Scottish Government and the Project Lift team hosted by NHS Education for Scotland.
For those participants at aspiring and existing director levels and above, we may also share your data with:
- The Office of the Chief Executive, NHS Scotland / Director General, Health and Social Care, Scottish Government.
- The Project Lift Business Group and Talent Review Group which comprises of representatives of the Scottish Government, NHS Education for Scotland, the Golden Jubilee Foundation and Scottish Social Services Council (SSSC).
Transferring personal information abroad
Project Lift will not transfer any of your personal data outside of the UK.
Retention periods of the information we hold
We only keep your information for as long as it is necessary to fulfil the purposes for which the personal information was collected. This includes for meeting any legal, accounting or other reporting requirements or obligations. The NHS Scotland retention policy sets out the minimum retention timescales.
For Project Lift we will retain your personal data for 3 years from when the participant provides personal data in the personal data section at the start of the Project Lift App.
Security of your Information
We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking reasonable measures to ensure the confidentiality and security of personal data for which we are responsible for.
All NES staff are required to undertake annual information governance training and to be familiar with information governance policies and procedures.
Your rights regarding your personal data
You have the following rights in regard to your personal data:
- The right to informed of why we are collecting/holding data about you and how that data will be used;
- The right to access the data we hold about you;
- The right to have the data we hold about you rectified if it is inaccurate or incomplete;
- The right to have your personal data erased and to prevent processing in specific conditions;
- The right to restrict the processing of your data;
- The right to obtain and reuse your personal data for your own purpose across different services;
- The right to object to the processing of your data based on legitimate interests of NES, direct marketing or for the purposes of scientific/historical research and statistics;
- The right not to be subject to a decision based on automated processing.
How to access your personal data?
You have the right to access the information which NES holds about you, and why, subject to any exemptions using a Subject Access Request. Requests must be made in writing and you will need to provide:
- Adequate information [for example full name, address, date of birth, staff number etc] so that your identity can be verified, and your personal data located.
- An indication of what information you are requesting to enable us to locate this in an efficient manner.
You should send your request to the Information Governance Team. Contact details can be found below.
We will aim to comply with requests for access to personal data as quickly as possible. We will ensure that we deal with requests within 30 days of receipt unless there is a reason for delay that is justifiable.
Complaints about how we process your personal data
In the first instance, you should contact the Information Governance Team – contact details can be found below.
Data Protection Notification
NES is a ‘data controller’ under the Data Protection Act. We have notified the Information Commissioner that we process personal data and our registration number is: Z7921413
The details are publicly available from the: –
Information Commissioner’s Officer
Wilmslow SK9 5AF
How to contact us
Data Protection Officer