Privacy Policy

This privacy policy tells you what to expect when the Scottish Health Competent Authority (SHCA) collects your personal information.

Who we are

Scottish Ministers

St Andrew’s House
Regent Road
Edinburgh
EH1 3DG

Phone Number: 0131 244 4026

E-mail:

NIS SG Health Competent Authority: healthca@gov.scot
Central Enquiries Unit: ceu@gov.scot

Website: www.scotland.gov.uk

The Scottish Government, on behalf of Scottish Ministers, is the devolved government for Scotland, established under the Scotland Act 1998. Its head office is located at St Andrew’s House, Regent Road, Edinburgh, EH1 3DG, and you can contact our Digital Health and Social Care team by post at this address or by e-mail at healthca@gov.scot.

The Network and Information Systems Regulations 2018 are designed to strengthen the overall security of network and information systems that support the delivery of essential services across the EU. The Regulations apply to sectors that are critical to the functioning of society and the economy, including the supply of electricity, water, healthcare, and transport services.

Their purpose is to ensure that organisations providing these essential services maintain robust measures to protect the systems and infrastructure on which these services depend.

The Legal Basis of collecting this information

The legal basis for this requirement is set out in the Network and Information Systems Regulations 2018. Under Regulation 11(1), designated Operators of Essential Services (OES) in the digital infrastructure subsector have a duty to report to their Competent Authority any incident that has a significant impact on the continuity of the essential service they provide.

Information We Require

To support incident assessment and regulatory reporting, the following information is required:

  • Name and contact details, including current role, email address, and telephone number
  • Additional information provided when responding to questions or submitting feedback
  • Website user statistics, as supplied by Google Analytics

How we process your information

  • Reporting an incident as an Operator of Essential Services (OES) under the NIS Regulations when an event meets the criteria for affecting the continuity, security, or resilience of an essential service.
  • Notifying the Digital Health and Care Division of any personal data breach that meets the Thresholds for Incident Reporting to the Information Commissioner’s Office (ICO) under UK GDPR / DPA 2018.
  • Responding to any follow‑up queries or providing feedback as part of the incident handling and regulatory process.

How we handle your information

  • Information provided to the Scottish Health Competent Authority (SHCA) is protected in the same way we safeguard our own confidential information: it is held securely and access is restricted to authorised colleagues only.
  • Any personal data you provide may be accessed by authorised personnel within the Scottish Government. All information is stored within eRDM, our corporate records management system, and is restricted to individuals who require access for official purposes.
  • The SHCA retains personal data only for as long as necessary to fulfil the purposes outlined in this document and to meet statutory requirements. After three years, your personal information will be redacted from the Incident Report and from any associated metadata.

Who the information will be shared with

  • We may share information with the National Cyber Security Centre (NCSC), Police Scotland, and relevant departments within the Scottish Government where necessary to support investigation and mitigation activities.
  • We will not share any details with external regulators—such as the Information Commissioner’s Office (ICO)—without first seeking your explicit consent, unless we are legally obliged to do so.
  • If you contact us requesting information, we may need to engage with other government bodies to locate or confirm the information you require.

Visitors to our websites

We use a third‑party service, Google Analytics, to collect information about how users interact with our site. This is done through the use of cookies.

Three Google Analytics cookies are stored on your device: “_gat”, “_gid”, and “_ga”. These cookies gather information in an anonymous form, including:

  • The number of visitors accessing the site
  • How visitors arrived at the site
  • The pages users viewed during their visit

This information helps us understand site usage and improve the user experience.

Information you have given to us about other people

If you have provided anyone else’s personal details on the Incident Reporting Form, please ensure that you have informed them that their information has been shared with the Scottish Government. Any such information will be deleted immediately.

If you require further details on how we use the information provided, please contact us at the address supplied in the form or email:

dpa@gov.scot

Your rights under data protection law

You have a right of access to any personal data we hold about you by making a Subject Access Request (SAR).

In addition, if you believe that the data we hold is inaccurate or incomplete you can ask us to update our records.

For more information on the rights you have over how your personal data is handled, please visit the ICO’s “Your data matters” pages.

Complaints

If you have any concerns about our use of your personal information, you can make a complaint to us by sending an email to dpa@gov.scot or writing to us at:

Data Protection Officer
Victoria Quay
Edinburgh
EH6 6QQ

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk