Health and social care organisations: are you meeting your transparency obligations?

The Information Commissioner’s Office (ICO) has published draft guidance for the health and social care sector, to help organisations meet their transparency obligations.

The ICO launched a consultation on the new guidance in November last year which closed on 7 January. We await confirmation from the ICO on any changes to the guidance, as it reviews the responses to the consultation. In the meantime, this article provides an overview of the draft guidance in its current form. 

Why is transparency important?

The UK General Data Protection Regulation (UK GDPR) requires organisations to tell data subjects about how their personal data is being used. Data subjects should be made aware of when and how organisations are using their personal information and for what purposes. This should empower individuals to make decisions about their personal data based on the knowledge available to them, hence transparency is key. This is also closely linked to the data subjects right to be informed. 

Before developing transparency information, organisations must identify their reasons for processing the information and explain how their use of such information is necessary and proportionate. Organisations must also ensure that they have appropriate safeguards in place to protect the personal data, taking into account the often sensitive nature of health data and the context of the processing.

As with most principles behind the UK GDPR, the measures adopted should be proportionate to the processing activities and the risks to the data subjects.

Who is the guidance most relevant to? 

The guidance has been developed to help health and social care organisations, both public and private, understand the ICO’s expectations about transparency of personal data. Whilst the guidance is targeted at public sector organisations, it is also relevant to private organisations operating in the sector.

The guidance is aimed at anyone in a health and social care setting who is involved or responsible for meeting the organisation’s transparency obligations and providing information to the public. The ICO suggests the guidance may be relevant to: policy makers, governance staff, DPOs, communication and media teams, and those developing new technological solutions. It supplements the existing guidance around transparency and the right to be informed, two of the key principles underpinning the data protection framework in the UK.

What does the guidance cover?

The guidance acknowledges that the health and social care sector deal with high volumes of often special category personal data, and that detailed information relating to a person’s health and personal circumstances is given in confidence to the medical profession. It recognises that data subjects may be willing to share such personal information, providing that they understand how and why that information is needed and how it will be used.

The ICO hopes to increase public confidence by strengthening the transparency practices adopted in this sector. This in turn may lead to data subjects agreeing to their information being used for secondary purposes, such as planning or scientific research, as well as the primary purpose which is usually receipt of health care services. 

Transparency information v privacy information

The ICO makes a key distinction between transparency information and privacy information:

• Transparency information - this describes the total range of material organisations should provide to comply with the transparency principle.
• Privacy information - this describes the specific information that organisations must provide to people in order to comply with transparency obligations under the right to be informed.

The UK GDPR doesn’t specify the best or most effective ways to achieve compliance with these requirements and so organisations must consider each in turn and adopt a pragmatic approach, based on the context of the data processing.  

The guidance provides details on how to develop transparency information, including how to identify transparency harms, when to undertake a data protection impact assessment and how to engage with data subjects. 

How to provide data subjects with the required information? 

The guidance suggests that organisations should consider:

• Communication methods – what is the best way to communicate the information with the data subjects? Organisations should consider direct v indirect methods of communication. This includes the impact on the data subject, where communicating directly, and public expectations.
• Presentation of privacy and transparency information – engagement with the information often depends on the circumstances and needs of the individual at the time the information is given to them. Prominently positioning the most important information can be helpful, as well as considering the different layers of information. 
• Complexity of the information provided – whilst ensuring data subjects are given adequate information is key, the guidance discusses the concept of ‘information overload’ which can lead to confusion or overwhelming the recipient. Therefore, considering the complexity of the information provided is an important step.
• Delivery of the information – this is based around timings. How and when someone comes into contact with health and social care services will impact what and how information is presented to them. Organisations should consider each opportunity to provide data subjects with additional transparency and privacy information, where appropriate. 

Are you being transparent?

Organisations are required to assess whether they are acting transparently under data protection law. To help organisations meet their compliance obligations, the ICO has created a checklist. 

If you would like to discuss your compliance obligations in more detail, please get in touch with our data protection team.