Privacy Notice: National iMatter Staff Experience Continuous Improvement Programme – Survey Recipients and Respondents

Privacy Notice: National iMatter Staff Experience Continuous Improvement Programme – Survey Recipients and Respondents

21 June 2023

The iMatter staff experience survey is managed by the Scottish Government on behalf of NHS National Services Scotland (Data Controller).  The survey, responses, reports and analysis are held on an external IT system hosted by an independent organisation, Webropol Ltd (Data Processor).

This notice sets out how your data will be used and your rights under the General Data Protection Regulation (GDPR).

  1. Data

Webropol Ltd will anonymously process your responses to the survey questions and metadata about how you complete the survey. This includes:

  • any responses given to attitudinal questions that ask you about your experiences at work
  • any responses given to demographic questions that ask about your personal characteristics (including age, sex, sexual orientation, disability, maternity/paternity, religion and ethnicity)
  • Respondents first and surname, email addresses where they exist, and mobile telephone if supplied for the purposes of an SMS response

Your participation in the survey is voluntary. If you choose to participate, the first four questions, (Me, My Team, My organisation and Overall experience) are the only questions you must answer in full, with questions relating to Demographics, Staff Groupings and Raising Concerns being optional. Your answers will be grouped together with other survey respondents in your team, Directorate and Organisation for analysis and reporting purposes.

Webropol use a unique identifier to ensure that no individual can be identified from the respondent data.

While we do not ask you to identify yourself, it may be possible in a small number of cases for individuals to be identifiable from a combination of their responses. For this reason we treat iMatter survey data as personal data and apply the appropriate protections.     

  1. Purpose

The purpose for which Webropol Ltd is processing your personal data is to help teams and leaders within your organisation to measure, understand, improve and evidence staff experience; identifying where there are areas of success and those which require improvement.  It is recognised that improved staff experience and wellbeing should ultimately benefit patient and client care and NHSScotland are committed to improving the experience of those we provide care for, through enhancing staff experience and wellbeing.

By running the same survey across all Health Boards and participating Health & Social Care Partnerships (HSCPs), we are able to compare employee views and experiences and provide a means for teams and leaders to be held accountable for staff experience in a consistent way.

2.1 Legal basis

The legal basis for processing your data is that it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. 

The NHS Reform Scotland Act 2004 committed to staff governance being reinforced by legislation and supported by the introduction of the Staff Governance Standard, the aims of which are to improve how NHS Scotland’s diverse workforce is treated.  This legislation, in tandem with data protection legislation, provides a lawful basis in a two-step process:           

  • The legislation related to health provides SG with a power to understand the issues staff face with a view to informing decisions that will support improving these experiences, and to carry out this task we require to consult with healthcare staff
  • We determine that, due to the nature of the consultation, it’s necessary to collect personal, sensitive or special category data in order for us to carry it out.
  1. Recipient and Respondent Data

Recipient data (name, email addresses where they exist, and mobile telephone if supplied) is added to the external IT system by authorised users within each Health Board. They will not have access to individual-level survey responses.

Individual-level survey responses will only be accessible to a limited number of database administrators within Webropol Ltd. Main support personnel and analysts within Webropol Ltd will not have access to individual-level survey responses. 

To maintain anonymity and protect confidentiality, survey results will be aggregated and reported at team level only, for all teams of 5 individuals or more.  Teams with staff numbers of 4 or less, will only be reported where there is a 100% response rate.

Responses to demographic, staff grouping and ‘raising concerns’ questions will be further aggregated to enable an enhanced level of protection, at either Directorate, Board or National level.

  1. Retention

Data held within the staff experience portal will be held by Webropol Ltd for a period of 5 years after the date the survey is complete, at which point retention will be reviewed. 

Annual, anonymised data will be transferred and retained by the Scottish Government for performance and improvement purposes because historical data can be very useful in this context.  Data which consists of anonymised results from the iMatter Survey do not count as personal data.   The data will therefore be kept indefinitely, or until they are no longer considered useful. 

Data which does not form part of the central anonymised record, will be deleted by Webropol Ltd.

  1. Data Sharing

In some circumstances, such as under a court order, we are legally obliged to share information. Where data is shared with third parties for research purposes, they will be required to destroy the data when the project is complete, as set out in their data access agreement. 

Full consideration will be given to Data Protection and Freedom of Information legislation when making decisions about whether such records should be shared.

  1. Your rights

All individual data received through the iMatter Survey is classed as personal data even though it is generally provided anonymously. That is because in some circumstances, certain individuals may be identifiable if they have a set of characteristics that allows them to be picked out.

There is no intention to attempt to identify any individuals from the gathered data.  Precautions are also in place to prevent this.

Where you wish to exercise one of your rights, Webropol Ltd may need to be able to identify your individual response to be able to comply.

You have the right to:

  • request information about how your personal data is processed, and to request a copy of that personal data
  • request that any inaccuracies in your personal data are rectified without delay
  • request that any incomplete personal data are completed, including by means of a supplementary statement
  • request that your personal data are erased if there is no longer a justification for them to be processed
  • in certain circumstances (for example, where accuracy is contested) request that the processing of your personal data is restricted
  • object to the processing of your personal data, sensitive or special category data.

If you wish to exercise your data protection rights, please contact your NHS Board iMatter Operations Lead in the first instance.

  1. International transfers

Data held by the Scottish Government is held in the United Kingdom.

Our processors, Webropol Ltd, have IT infrastructure located in Finland, and so there will be a transfer of personal data outside the UK. This transfer is safeguarded by the adequacy agreements between the United Kingdom and the European Commission, covering the transfer of personal data between the two territories.

As an EU member state, Finland has equivalent data protection legislation (EU GDPR) to the UK (UK GDPR and Data Protection Act 2018).     

No data is transferred outside the EU.

  1. Complaints

If you consider your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator (casework@ico.org.uk). Any complaint to the Information Commissioner is without prejudice your right to seek redress through the court.

  1. Contact details

NHS National Services Scotland is the data controller for your data.

You may contact the NSS Data Protection Officer via:

NSS Data Protection Officer 
Gyle Square
1 South Gyle Crescent
Edinburgh
EH12 9EB
Tel: 0131 275 6000

Email: nss.dataprotection@nhs.scot

 

 

(For the privacy statement for the this iMatter.Scot website, please see Website Privacy Statement)