Privacy Notice

About this Privacy Notice

This Privacy Notice explains how your data is used as part of the MyCare.scot online service.

As well as this notice, you should also read the MyCare.scot terms and conditions and cookies policy.

MyCare.scot and the wider Digital Front Door Programme

MyCare.scot is part of a wider national programme called the Digital Front Door which is being developed by NHS Education for Scotland, in partnership with Scottish Government. This privacy notice relates to the use of data for the MyCare.scot service only, for further details of the Digital Front Door Programme please visit this page.

What is MyCare.scot

MyCare.scot is an online service where users can interact more effectively with health and care services. It is a digital platform accessible by adults in Scotland which contains personalised health and care information from services which are scheduled to, or already have, given them care.

MyCare.scot will link in to existing or newly created public sector services in order to provide a single secure route through which users can interact with health and social care services.

December 2025 Release: The initial release of MyCare.scot will allow users to access details relating to their healthcare. In future, further services will be added including aspects relating to social care.

Terms We Use in This Privacy Notice (Glossary)

  • Personal Data – is information that relates to a specific living individual.
  • Special Category Personal Data – is personal data that needs more protection because it is sensitive. This includes data about your health.
  • Processed – data is “processed” when any action is taken with it. For example when it is collected, transferred or deleted.
  • Controller – an organisation or person that makes decisions about what, how and why personal data is processed. They are legally responsible for the data.
  • Processor – an organisation or person which processes personal data on behalf of a Controller and under specific instruction.
  • You can find more information about these terms on the Information Commissioner’s Office website.

Organisations Involved in MyCare.scot

The organisations involved in MyCare.scot are:

NHS Education for Scotland

NHS Education for Scotland (NES) is a special health board within NHS Scotland, and part of our functions are to provide “information services” to support the work of other health boards and Scottish Ministers. NES are the lead body for digital development within NHS Scotland and have been commissioned by the Scottish Government to develop the MyCare.scot online service.

For the purposes of MyCare.scot, NES are acting as a Processor of the personal data, acting on the instructions of the Controllers who are the organisations responsible for your healthcare, namely your regional Health Board. In future social care services from your Local Authority will also be available through MyCare.scot.

NES also provide many of the support services used by MyCare.scot as part of our National Digital Platform work. NES again act as a Processor for these services to health boards. For further details of these services please visit this page.

For full details around NES and the range of work NES do, please see the main NES Privacy Notice:

Privacy | NHS Education for Scotland

Health Boards

There are 14 regional Health Boards in Scotland which are responsible for the protection and the improvement of their population’s health and for the delivery of frontline healthcare services. Your Health Board has responsibility for the healthcare services being provided as part of MyCare.scot. They are the Controller of the healthcare personal data processed within MyCare.scot.

For the December 2025 release, MyCare.scot will only be available to users in NHS Lanarkshire.

Data Protection Notice | NHS Lanarkshire

Scottish Government

The ScotAccount service is run by the Scottish Government. ScotAccount provides users a simple way to access multiple public services, by having one account that can link to several services. The ScotAccount Mailbox also provides a single secure mailbox that can be used by different public sector services.

Scottish Government are the Controller for the personal data processed in ScotAccount, including messages in the ScotAccount Mailbox and will retain a copy of your digital mail. You will be able to remove this copy at any time if you no longer wish to store it. Whenever this data is shared with MyCare.scot, the relevant Health Board are Controller for the shared data and NES act as Processor.

ScotAccount Privacy Notice

NHS National Services Scotland

NHS National Services Scotland (NSS) are one of the organisations which forms part of NHS Scotland. For MyCare.scot, NSS provide support services and act as a Processor to the Health Boards (Controller). NSS also manage the National Contact Centre that provides support to users who are having issues with aspects of MyCare.scot.

Data protection | National Services Scotland

Local Authorities

In future, MyCare.scot will enable users to view information relating to social care services. Further details will be added here when these services become available.

What types of personal information is collected/used

Description Data Items Details
ScotAccount Data
  • First Name
  • Middle Name
  • Surname
  • Full Address and Postcode
  • Date of Birth
  • ScotAccount ID Number
 Users must create a ScotAccount and then agree to share these details with MyCare.scot. These data items are used in order to identify an individual’s Community Health Index (CHI) number, which is the unique identifying number used in healthcare records. ScotAccount is managed by Scottish Government.
Community Health Index (CHI) Database
  • CHI Number
  • First Name
  • Surname
  • Date of Birth
  • Address
  • Health Board
 The CHI Database is a central database that holds the details of all individuals in Scotland registered with a GP practice. The details are originally collected when that individual registers with their GP practice. The CHI Database is managed by NHS National Services Scotland.
National Digital Platform (NDP) User Store
  • CHI Number
  • ScotAccount ID Number
 The NDP User Store holds the link between a user’s ScotAccount identity and their CHI Number and is used for several aspects of MyCare.scot. It is held and managed by NHS Education for Scotland.
Identity/Access Tokens
  • CHI Number
  • ScotAccount ID Number
 Identity/access tokens are time-limited parcels of information which MyCare.scot uses when performing all its functions. They are used to determine what users can access and also when communicating with other systems to provide the right information. This aspect is manged by one of the support services provided by NHS Education for Scotland.
Vaccination Records
  • CHI Number
  • Product name
  • Vaccination Date
  • Dose
  • Location
 This data is initially collected when you receive a vaccination and is stored in the National Clinical Datastore, managed by NHS Education for Scotland.
Emergency Care Summary (ECS) Data (Allergies and Medications)
  • CHI Number

Allergies

  • Allergy description
  • Comments
  • Date recorded

Medications

  • Name
  • Dosage
  • Date prescribed
  • Date dispensed
  • Prescribed by
 The Emergency Care Summary is a summary of basic information about your health which might be important if you need urgent medical care when your GP is closed, or when you go to an accident and emergency department. This information is copied from your GP’s computer system into a national database, managed by National Services Scotland.
Appointments Data
  • CHI Number

Details of the Appointment, including:

  • Date/time
  • Location
  • Appointment Status
  • Details of who the appointment is with, such as a Consultant’s name
  • Department/Specialty
  • Attached Documents, such as appointment letters
 Your Health Board will create appointments on their local patient administration systems. Some examples of when this happens is when they receive a referral from your GP, after you attended a previous appointment or other situations. This data is then transferred into one of the support services managed by NHS Education for Scotland and made available for users to access in MyCare.scot.
Digital Communications
  • First Name
  • Surname
  • Address
  • Email Address
  • Phone Number
  • ScotAccount ID Number

Message Content
Details will depend on the type of message but will include specifics around an individual’s care.

For example, appointment messages will include all the details relating to that appointment, including the attached appointment letter.

 As part of the wider Digital Front Door Programme, new services have been put in place to enable digital messages to be sent to a secure mailbox; the ScotAccount Mailbox managed by the Scottish Government. Messages created by health and care services will be transferred into this secure mailbox. The ScotAccount Mailbox makes these messages available to be shown within MyCare.scot.
Website Analytics
  • IP Address
  • Details about the device used, such as the type, operating system, and browser

Plausible Analytics then looks up a visitor’s country, region and city based on the IP Address

 To understand how people are using MyCare.scot, NES use a product called Plausible Analytics. When someone uses MyCare.scot, events about the web page (including device IP address) will be securely transferred to Plausible Analytics who immediately pseudonymise. Individual users are not tracked, and IP addresses are never stored by Plausible. This data is then anonymised and used and to track overall trends and patterns.

Retention Periods

MyCare.scot does not store data long term (beyond 1 hour). Instead, it uses data already stored in other systems and makes that available to users while they are using the online service and is not held for more than an hour by MyCare.scot.

For details around the retention of data in the systems MyCare.scot interacts with:

ScotAccount – for logging into ScotAccount including contact details and digital messages stored in ScotAccount Mailbox.

ScotAccount Privacy Notice

NHS Lanarkshire – for retention of healthcare information.

Data Protection Notice | NHS Lanarkshire

Why We Use Personal Data

The purpose of MyCare.scot is for everyone in Scotland to have a single, secure point of access to their health and social care information – wherever they live, whatever their needs. The aim is to make information clear, consistent and available and enable users to make confident, informed decisions about their care.

Lawful Basis

A user’s regional Health Board is the Controller for the data processed within MyCare.scot.

Under data protection legislation, the lawful bases and condition for processing are:

  • For processing of personal data
    • UK GDPR Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • For processing of special category personal data
    • UK GDPR Article 9(2)(h) - processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems.
    • The Data Protection Act 2018 Schedule 1, Condition 2(2)(f) - the management of health care systems or services or social care systems or services.

The Health Board’s legal gateway is their obligations to provide health and social care services under the National Health Service (Scotland) Act 1978.

A list of all 14 regional Health Boards can be found here:

Organisations – Scotland's Health on the Web

December 2025 Release and Non-Eligible Users

For the December 2025 release, only certain individuals in NHS Lanarkshire will be able to access MyCare.scot.

All users who attempt to access MyCare.scot and share their verified details from their ScotAccount will be CHI-matched and then checked against a list of eligible individuals. If a user is not eligible then they will be provided information why they can’t access the service and no details will be stored by the support services used by MyCare.scot.

If these ineligible users reside in other Health Board areas, the lawful basis above will be the same but will be based on the obligations of that user’s regional Health Board.

Who we share personal data with

Digital Communications

The December 2025 release of MyCare.scot allows individuals to access information relating to their healthcare and is part of the wider Digital Front Door Programme. If a user signs up to use MyCare.scot, then any service that sends digital communications will begin sending these digital messages to the user’s ScotAccount Mailbox. For the December 2025 release, dermatology secondary care services in NHS Lanarkshire are the only service that will send digital messages and the MyCare.scot online service is not involved in this data transfer. NHS Lanarkshire provide the information to NES, who reformat it into the correct message format and then transfer securely to the ScotAccount Mailbox managed by the Scottish Government. These messages are then made available by the Scottish Government to view within MyCare.scot. But the process of creating these messages only occurs after a user has signed up for MyCare.scot for the first time.

Other Sharing

The data shared by MyCare.scot in the December 2025 release is:

  • MyCare.scot uses items called ‘tokens’ to perform its functions. These tokens are small parcels of information held by the app only when a user signs in and uses the service and then deleted. These tokens are used when MyCare.scot requests information from other services, by sharing specific details about that user to ensure the correct information is provided in the response by the other service. This will usually be an individual’s Community Health Index (CHI) number, which is a unique number used to identify an individual in their health and care records. Details from these tokens are shared with any of the organisations who are providing data that is then shown in MyCare.scot. For the December 2025 release, those are: NES, NSS & Scottish Government.
  • If you read an unread message in the messages section of MyCare.scot, a signal will be sent to the ScotAccount Mailbox to note the message has been read.
  • For website analytics, the IP address of a user’s device is shared with the contracted analytics provider, along with details such as browser and device type used. This information is then anonymised and not used to track individual users.

Data we Process about your use of MyCare.scot

How you use MyCare.scot

The support services provided by NES stores data about your activities when you are logged in and using MyCare.scot. This is often referred to as audit data and will include the actions taken and the related technical details and will be captured against your CHI number. NES are acting as a Processor to the Health Board for this data, and it will be held for three years.

Website Analytics

Plausible Analytics have been contracted to provide intelligence around how MyCare.scot is being used. When users click on any pages within MyCare.scot, an event about this web page is created and these events are sent securely to Plausible Analytics. These events include details of the device including IP address, browser and device type. The information is then anonymised and cannot be traced back to individuals. The analytics from this work will provide us an understanding of which pages of MyCare.scot are being used and to identify any patterns or trends in usage.

Transferring data abroad & Automated Decision-Making

MyCare.scot and the healthcare systems it interacts with do not transfer data relating to your healthcare outside of the UK as part of this work.

The ScotAccount Mailbox uses contractors who store data in the UK and European Economic Area, which is covered under the EU-UK Data Adequacy Agreement.

For website analytics, we transfer IP addresses to our provider Plausible Analytics whose servers are based in Germany, however Plausible Analytics never store this data.

Automated decision-making is the process of making a decision by automated means without any human involvement that has a significant effect on individuals. There is no automated decision-making that occurs within MyCare.scot.

Security of your Information

MyCare.scot and the wider Digital Front Door Programme ensure your personal information is only accessible to people with the need and right to see information.

Staff from all the organisations involved have a legal and contractual duty to keep personal information relating to health and social care secure and confidential.

MyCare.scot adheres to the same high standards that are in place for the existing systems providing health and social care services.

For further details on how each organisation involved in the Digital Front Door Programme handles data, please see each organisation’s privacy notice as listed in the “Organisations Involved” section above.

Your Rights

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

  • The right to be informed - know how and why your data will be collected, processed and stored
  • The right of access - request a copy of your personal data
  • The right to rectification - correct errors or omissions in your personal data
  • The right to erasure – ask us to delete your personal data
  • The right to restrict processing - to ask us to restrict our use of your personal data (for example, if you think it's inaccurate and needs to be corrected)
  • The right to data portability
  • The right to object
  • Rights related to automated decision making including profiling

Some of these rights are not absolute and may not apply in all circumstances. Requests to exercise rights are considered on a case-by-case basis.

How to exercise your rights

You can exercise your rights by contacting the Controller of the data used in MyCare.scot. This will be your regional Health Board.

A list of contact details for the Data Protection Officers in Health Boards can be found on NHS Inform:

How the NHS handles your personal health information | NHS inform

If you think any of the information shown in MyCare.scot is not correct, then you can contact the following areas:

  • For aspects around your vaccination records
    • Contact the National Contact Centre on 0800 030 8014
  • For aspects relating to appointments in MyCare.scot,
    • Contact NHS Lanarkshire's Referral Management Service on the number included in your appointment letter
  • For aspects around your demographic information (including name, address, date of birth) or your medications and allergies
    • Contact your GP Practice

Right to complain

You also have the right to complain to an organisation if you think it has not handled personal information responsibly and in line with good practice. In the first instance you should contact the relevant Controller who will be your regional Health Board.

If you are still not satisfied you can complain to the Information Commissioner’s Office:

Make a complaint | ICO

Assessments and Supporting Documents

Several assessments with regards to the impact on data protection, equality and children’s rights have been undertaken as part of the Digital Front Door Programme. These documents can be found on this page.

User Support

If you are having issues with using MyCare.scot, you can contact the National Contact Centre on 0800 030 8014.