The Information Commissioner’s Office (ICO) has published draft guidance for the health and social care sector, to help organisations meet their transparency obligations.
The ICO launched a consultation on the new guidance in November last year which closed on 7 January. We await confirmation from the ICO on any changes to the guidance, as it reviews the responses to the consultation. In the meantime, this article provides an overview of the draft guidance in its current form.
The UK General Data Protection Regulation (UK GDPR) requires organisations to tell data subjects how their personal data is being used. Data subjects should be made aware of when and how organisations are using their personal information and for what purposes. This should empower individuals to make decisions about their personal data based on the knowledge available to them, hence transparency is key. This is also closely linked to the data subjects' right to be informed.
Before developing transparency information, organisations must identify their reasons for processing the information and explain how their use of such information is necessary and proportionate. Organisations must also ensure that they have appropriate safeguards in place to protect the personal data, taking into account the often sensitive nature of health data and the context of the processing.
As with most principles behind the UK GDPR, the measures adopted should be proportionate to the processing activities and the risks to the data subjects.
The guidance has been developed to help health and social care organisations, both public and private, understand the ICO’s expectations about transparency of personal data. Whilst the guidance is targeted at public sector organisations, it is also relevant to private organisations operating in the sector.
The guidance is aimed at anyone in a health and social care setting who is involved in or responsible for meeting the organisation's transparency obligations and providing information to the public. The ICO suggests the guidance may be relevant to: policy makers, governance staff, DPOs, communication and media teams, and those developing new technological solutions. It supplements the existing guidance around transparency and the right to be informed, two of the key principles underpinning the data protection framework in the UK.
The guidance acknowledges that the health and social care sector deals with high volumes of often special category personal data, and that detailed information relating to a person's health and personal circumstances is given in confidence to the medical profession. It recognises that data subjects may be willing to share such personal information, provided that they understand how and why that information is needed and how it will be used.
The ICO hopes to increase public confidence by strengthening the transparency practices adopted in this sector. This in turn may lead to data subjects agreeing to their information being used for secondary purposes, such as planning or scientific research, as well as the primary purpose which is usually receipt of health care services.
The ICO makes a key distinction between transparency information and privacy information:
The UK GDPR doesn’t specify the best or most effective ways to achieve compliance with these requirements and so organisations must consider each in turn and adopt a pragmatic approach, based on the context of the data processing.
The guidance provides details on how to develop transparency information, including how to identify transparency harms, when to undertake a data protection impact assessment and how to engage with data subjects.
The guidance suggests that organisations should consider:
Organisations are required to assess whether they are acting transparently under data protection law. To help organisations meet their compliance obligations, the ICO has created a checklist.
If you would like to discuss your compliance obligations in more detail, please get in touch with our data protection team.