This website places cookies on your device to help us improve our service to you. To find out more, see our Privacy and Cookies statement.

Privacy and Data Protection

How NHS Education for Scotland manages personal data.

NES holds and manages personal data for the administration and evaluation of training and education of health and social care professionals, for the employment of staff, for research and for related activities in support of our core purposes

Go to the Turas Privacy Policy to see how personal data is managed in Turas.

Go to the Turas Cookies Statement to see what cookies are used in Turas.

NES is registered as a data controller with the  Information Commissioner (registration number  Z7921413).  This describes the kind of information we may hold about you, how it may be processed and with whom it may be shared.

We process several categories of personal data:

  • Training management data: including contact details for trainees, educational history, placements and records of progress.
  • Educational data: contact details, records of attainment, records of attendance.
  • Employee data: contact details, employment and educational history, leave records, management information.
  • Contact details for: contractors and suppliers, stakeholders, volunteers, organisational leads or contacts for specific activities.
  • Equality and diversity data (where provided by individuals): race or ethnicity, religion, sexual orientation, disability.

Personal data will be held for no longer than necessary in line with our records retention policy.

We will share personal data where appropriate and necessary with third parties such as employing NHS Boards and other employers, educational institutions and regulatory and professional bodies. We will also share personal data where required to do so by law.

NES or our partners may use your contact details to tell you about relevant training opportunities, educational events or related activities.  We may also contact you to invite you to participate in the evaluation of education or related research.

Special categories of personal data and why they may be processed

NES will only process sensitive personal data (for example on health, disability, ethnicity or sexual orientation) where it is necessary to carry out our role in health workforce development; for example in mandatory monitoring of equality and diversity, to ensure that NES is a safe place to work, or to ensure compliance with other legal obligations, such as the sick pay policy or equal opportunities policy.

Your rights regarding your personal data

You have the right to:

  • know what information NES holds about you and how it is processed
  • ask for inaccurate data to be corrected
  • receive a copy of information NES holds about you
  • raise concerns with the supervisory authority (the Information Commissioner)

If you would like to see information we hold about you, please complete and return ' NES Subject Access Request Form' (doc).

We will ask for proof of identity (such as a passport or photo ID driving licence). Once we have received your request, identification, we must respond to you within 30 days.

You  also have the right to raise concerns about the handling of your personal data with the Information Commissioner

Legal basis for processing personal data

NES processes personal data under the following conditions of the General Data Protection Regulation:

"6(1)(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract";

"6(1)(c) processing is necessary for compliance with a legal obligation";

"6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller."

"9(2)(b) - Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement" (for special categories of data)

Retention periods for the information we hold

We only keep your information for as long as it is necessary to fulfil the purposes for which the personal information is collected. This includes for the purposes of meeting any legal, accounting or other reporting requirements or obligations. The NHS Scotland retention policy sets out the minimum retention timescales.

NES Data Protection Contact Details

For further information on data protection in NES, please contact:

Data Protection Officer
NHS Education for Scotland,
Westport 102, West Port,
Edinburgh, EH3 9DN

Caldicott Guardian

Every NHS organisation has a Caldicott Guardian charged with protecting patient identifiable information. NES does not deal directly with patient care and therefore we do not hold or process medical records. NES does, however, have a Caldicott Guardian tasked with ensuring patient privacy is protected in our work. He can be contacted as follows:

Dr Stewart Irvine, Director of Medicine and Caldicott Guardian

NHS Education for Scotland, Westport 102, West Port, Edinburgh EH3 9DN

Use of Cookies on NES websites

A cookie is a small data file that certain websites write to your hard drive when you visit them. This site uses different types of cookie.

If you want to delete any cookies that are already on your computer, please refer to the instructions for your file management software to locate the file or directory that stores cookies. You can access them through some types of browser. Search in your cookie folders for 'NES' to find our cookie and the Google Analytics cookie if you wish to delete them.

More information about cookies, including how to block them or delete them, can be found at

The information below describes the use of Cookies on the NES corporate website:

Where other NES websites and portals use different cookies, this will be detailed on those websites.

Cookies used by this website

Visitors can use this website with no loss of functionality if cookies are disabled from the web browser.

The NES Corporate website uses Google Analytics, a popular web analytics service provided by Google, Inc. Google Analytics uses cookies to help us to analyse how users use the site.

The information generated by the cookie about your use of our website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of our website, compiling reports on website activity and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google undertakes not to associate your IP address with any other data held by Google.

This list shows all cookies used by the main NES website, and what each is used for.

Cookie Name Purpose Expiry
__utmb Google Analytics cookie. This stores the domain name (hash code) of site, pages viewed this session, current time. 30 minutes
__utmc Google Analytics cookie. This stores the domain name (hash code) of site. At end of session
__utma Google Analytics cookie. This stores the domain name (hash code) of site, a unique visitor id (randomly generated number), time of first visit, time of previous visit, current time, number of sessions since first visit. 2 years
__utmz Google Analytics cookie. This stores the domain name (hash code) of site, time when cookie last set, total number of visitor sessions, number of different channels or sources through which this site was reached, source of the last cookie update, search hit tag identifier (or just 'organic' if reached via normal search hit), search medium, keyword phrase used to find site. 6 months
NESCookiesWarning This stores the name of the site (, the current time and the expiry time of the cookie. This cookie is used to test whether the visitor has accepted the cookie message. 356 Days

Collection and use of technical information

Technical details in connection with visits to this website are sometimes logged and collected in the Turas Hosting platform (Microsoft Azure).

We will make no attempt to identify individual users. However access to web pages will generally create log file entries in the systems of your Internet Service Provider (ISP) or network services provider.

Log files of all requests for files on Microsoft Azure may be maintained and analysed. Aggregated analyses of these log files are used to monitor website usage. These analyses are used to allow us to monitor and evaluate the effectiveness of our websites. All log file information collected by NHS Education for Scotland is kept secure and is not provided to any third parties.


Data Protection Links

Information Commissioner Web Site: