Privacy, data protection and cookies
Citizens Advice Scotland is a registered Data Controller with the Information Commissioner’s Office (ICO). Our registration number is Z9715836.
We deliver the Patient Advice and Support Service (PASS) in partnership with local Citizens Advice Bureaux (CABx). Bureaux are Joint Controllers for the personal data held on systems managed by CAS. You can find more information in the CAS Privacy Notice.
This Privacy Notice describes how we collect and process the personal data of people who engage with the Patient Advice and Support Service. It also explains people’s rights and how to contact us.
We will review this notice regularly and will publish any changes on our website.
Please send any questions about how we use personal information to DPO@cas.org.uk
Patient Advice and Support Service: Privacy Notice
Our Privacy Notice is downloadable here or at the bottom of this page.
About Us
The Patient Advice and Support Service supports anyone who uses NHS Scotland to understand their rights and responsibilities as a patient, raise concerns, give feedback, or make a complaint about the NHS.
PASS is an independent service delivered by the Citizens Advice Network in Scotland.
Information we collect about you
Personal data is any information that can identify you.
We only ask for personal data that is relevant to your case. This may include:
- Personal details such as name, contact information, and date of birth
- Details about your complaint and the support you need
- Information about your circumstances relevant to your complaint, including information related to your current health and medical history
- Demographic information
- If you have agreed to be contacted for feedback
- If someone is acting on your behalf, we may collect their details too.
If you do not want us to keep a record of the advice we provide, we can help you as best we can, but advice will be limited and general rather than specific to your circumstances.
How we collect your information
We may collect your information:
- When you contact us, including in person, by phone, videocall, webchat, email, letter or through our website
- From someone acting on your behalf
- From an organisation that referred you
- From the NHS as part of the complaints process
- When you provide us with feedback
- From cookies on our website.
Sometimes to help with your enquiry we may need to ask the NHS for copies of your health records. We will only do this with your consent and in line with guidance on the NHS Inform website.
How we use your information
We may use your information to:
- Explain how we can help and support with your enquiry
- Keep a record of our conversations and actions to inform your advice and support needs
- Keep records for quality and insurance purposes
- Share information with other organisations, such as for referrals
- Report to funders
- Develop and improve our service
- Ask for your feedback on our service.
If you call us, we may record the conversation for training and monitoring purposes.
Our lawful basis for using your information
We only process your personal data when there is a lawful basis for us doing so. We may rely upon:
- Public task, as PASS is a statutory service under the Patient Rights (Scotland) Act 2011.
- Legitimate interests, such as for defending legal claims and to maintain a high-quality service.
- Legal obligation, when we need to process your data to meet a legal obligation such as a reasonable adjustment under the Equality Act 2010.
- Your consent, such as when we contact you for feedback or refer you to another support organisation.
Where we process special category data (such as health information), in addition to the above we may rely upon the following:
- substantial public interest conditions
- conditions relating to health or social care purposes
- defence of legal claims
- archiving, research and statistics
- your consent
- vital interest.
When relying on substantial public interest conditions in Schedule 1 Part 2 of the Data Protection Act 2018 we are required to have an Appropriate Policy Document in place.
Who we share your information with
We only share your personal data when necessary and in line with data protection laws.
- With CAS or other Bureaux, where necessary
- With our internal auditors, to maintain standards
- With funders for audit, research and reporting purposes. We anonymise this where possible
- If you have a complaint about PASS, we may share your information with our insurers
- If we use external service providers, we put in place contracts to ensure they follow data protection rules.
We may share information with the following only when you have consented:
- If we refer you to another organisation for support
- If we contact another organisation on your behalf, for example the NHS or Scottish Public Services Ombudsman (SPSO)
- If someone is acting on your behalf.
In exceptional circumstances, where there is a high risk of harm to an individual, information may be shared with third parties. We have strict Safeguarding procedures in place for this.
Will we share your information outside of the UK?
We only store personal data in the UK or the EU.
However, some of our suppliers may be based in other countries. If we need to share your data with these companies, we take steps to make sure your data is protected.
How long we keep your information
For most people, we keep your data for a maximum of seven years. This is from the point of last contact. We keep recordings of phone calls for two years.
In rare cases, we might keep your data for longer if there is a legal reason, such as an ongoing complaint or legal case.
Your rights
You have rights over your personal data. You can contact our Data Protection Team on DPO@cas.org.uk.
You can:
- Ask for a copy of your personal information
- Ask us to fix anything that’s no longer accurate
- Ask us to delete your personal data. There are some exceptions, and we may need to keep some of your data, for example to defend legal claims
- Object to how we use data in some situations
- Ask us to send your information to you or someone else, in some situations
- Withdraw your consent.
We do not use any automation or profiling to make decisions.
If you’re unhappy with how we have handled your data, you can complain to the Information Commissioner’s Office at ico.org.uk.
Google reCAPTCHA
We use reCAPTCHA on this website to protect against automated abuse and spam. The reCAPTCHA service is provided by Google LLC and is subject to the Google Privacy Policy and Terms of Service.
To provide this protection, reCAPTCHA collects personal information from users to determine if they are human or bot. The collected information includes IP addresses, user agent details, and other data that reCAPTCHA deems necessary for its service. This data is subject to Google’s privacy practices.
By using this website, you acknowledge and agree to the use of reCAPTCHA and the processing of your information by Google in accordance with their privacy policy and terms of service.
For more information about reCAPTCHA and how it works, please visit the reCAPTCHA page.