Your rights


This section contains a description of your data protection rights.

The right to be informed 

We must explain how we use your personal information. We use different ways to communicate how we use personal information, including: 

  • This data protection notice 
  • Information leaflets 

The right of access 

You have the right to access your own personal information. This right includes making you aware of what information we hold. You also have the opportunity to satisfy yourself that we are using your information fairly and legally.  

You have the right to get: 

  • Confirmation that your personal information is being held or used by us 
  • Access to your personal information 
  • More information about how we use your personal information 

We must provide this information free of charge. If your request is considered unfounded or excessive, or if you request the same information more than once, we may charge a reasonable fee.  

Once we have details of your request and you have provided us with enough information for us to locate your personal information, we will respond to your request within one month (30 days). However if your request is complex we may take longer, by up to two months, to respond.  If this is the case we will tell you and explain the reason for the delay. 

The right to rectification 

If the personal information we hold about you is inaccurate or incomplete you have the right to have this corrected. 

If it is agreed that your personal information is inaccurate or incomplete we will aim to amend your records accordingly. This will normally happen within one month, or within two months where the request is complex.  We will contact you as quickly as possible to explain if the need to extend our timescales applies to your request.  

If we do not consider the personal information to be inaccurate, we will add a comment to your record stating your concerns about the information. If this is case we will contact you within one month to explain our reasons for this. 

If you are unhappy about how we have responded to your request for rectification we will provide you with information on how you can:

  • complain
  • take legal action

You can complain to the Information Commissioner’s Office. 

The right to object 

Healthcare Improvement Scotland processes personal information for:

  • the purpose of the performance of a task carried out in the public interest
  • in the exercise of official authority

You have the right to object to this processing. You can also seek that further processing of your personal information is restricted. 

Provided we can demonstrate compelling legitimate grounds for processing your personal information, for instance; patient safety or for evidence to support legal claims, your right will not be upheld. 

The right to complain 

Healthcare Improvement Scotland employs a Data Protection Officer to check that we handle personal information in a way that meets data protection law.  If you are unhappy with the way in which we use your personal information please tell our Data Protection Officer. 

Other rights 

There are other rights under current data protection law. However these rights only apply in certain circumstances. If you wish further information on these rights visit our further information page.

We process personal data for law enforcement purposes under Part 3 of the Data Protection Act 2018. Part 3 generally follows the requirements found in the UK General Data Protection Regulation. However, it takes also into account the operational needs of law enforcement agencies. Certain rights under the UK General Data Protection Regulation such as the right to object and the right to data portability, do not exist in Part 3 of the Data Protection Act 2018. Further, there are exemptions and restrictions that can, in some circumstances, be legitimately applied to prevent individuals from exercising rights. It is important to note that subject access rights and the rights to rectification, erasure and restriction do not apply to the processing of ‘relevant personal data’ in the course of a criminal investigation or criminal proceedings.