Recommended Summary Plan for Emergency Care and Treatment (ReSPECT)

The set of personal and health data we use contains information about your:

• Identity
• Contact details
• People to contact in an emergency
• Preferences on how, and where, you wish to be treated in an emergency should you be unable to communicate
• Diagnoses, medicines and medical history (these may be recorded by your care professional in the system but would have been discussed as part of your conversation)

The data we process comes from your conversation about your preferences for care and treatment with your care professional. A family member or legal proxy may have been involved in the discussion where appropriate.

NES requires to process your personal data and care preferences in order that your healthcare professional has the information to provide you with the appropriate care and treatment. 

NES processes your personal data and care preferences in its role as a lead digital provider for the provision of, and management of, health and social care systems and services, supporting NHS Boards in the delivery of health and social care treatment.

These data are processed by NES as the Processor for Digital ReSPECT. NES processes these data on behalf of the Territorial Health Boards who are the Controllers.

NES considers that processing in Digital ReSPECT is in the public interest. So, when using your personal information our legal basis is that its use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us [UK GDPR Article 6(1)(e)]. 

For the processing of your care preferences data, NES considers that its use is necessary for the management of health or social care systems and services [UK GDPR Article 9(2)(h)].

Your personal data is shared with the following organisations:

• Territorial Health Boards and GP Practices
  • These are your local area health board and the GP practice in which you are registered. They are responsible for your care. They are the Controllers for your data held in Digital ReSPECT.
• Unscheduled Care Services
  • These are national health boards such as NHS 24 and the Scottish Ambulance Service, along with GP Out of Hours services. They provide care services in, for example, emergency situations. They are Controllers when viewing your data held in Digital ReSPECT for the service they provide.

All data processing in Digital ReSPECT takes place in the UK.

We only keep your information for as long as is necessary to fulfil the purposes for which the personal information is collected.

This includes for the purposes of meeting any legal, accounting, or other reporting requirements or obligations.

The information in the ReSPECT application is retained in accordance with the Scottish Government Records Management: Health and Social Care Code of Practice (Scotland) 2024. The recommended retention periods for Adult and Children health records are defined in section 1.1 (Annex B) – Patient Health Records - Digital. This decision is based on your preferences being in place for your lifetime and therefore healthcare professionals require access over an extended period of time to ensure you are treated and cared for according to your wishes.

We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking reasonable measures to ensure the confidentiality and security of personal data for which we are responsible for.

All NES staff are required to undertake annual information governance training and to be familiar with information governance policies and procedures.

You have rights regarding how we process your personal data:

• The right to be informed
• The right of access
• The right to rectification
• The right to object
• The right to restrict processing
• The right to portability
• The right to erasure
• Rights in relation to automated decision making and profiling. 

See the NES privacy page for details about your rights and how to invoke them.

You have the right to access the information which NES holds about you, and why, in Digital ReSPECT. You can do this by submitting a Subject Access Request (SAR) to your local area health board Data Protection Officer (DPO) (contact details on NHS Inform) or to the NES DPO (contact details below).

NES will inform your local area health board DPO of the request as they are the Controllers of your data. NES will provide information under SAR on instruction from your local area health board.

Requests must be made in writing, and you will need to provide:

• Adequate information [for example full name, address, date of birth, staff number etc] so that your identity can be verified, and your personal data located.
• An indication of what information you are requesting to enable us to locate this in an efficient manner. 

We will aim to comply with requests for access to personal data as quickly as possible. We will ensure that we deal with requests within 30 days of receipt unless there is a reason for delay that is justifiable.

NES employs a Data Protection Officer to check that we handle personal information in ways that meet data protection law. If you are unhappy with the way in which we use your personal information you can contact our Data Protection Officer at this email address:

nes.informationassurance@nhs.scot 

Or through our Edinburgh postal address: 

Data Protection Officer, Westport 102, West Port, Edinburgh, EH3 9DN 

If you believe your complaint has not been answered, you have the right to complain about how we use your personal information to the Information Commissioner's Office (ICO). 

Details about this are on their website at https://ico.org.uk/your-data-matters/how-to-make-adata-protection-complaint/