The ICO exists to empower you through information.

This consultation has closed

Original consultation notice

The Information Commissioner’s Office (ICO) is producing guidance on transparency in the health and social care sector. The draft of this guidance is now published for public consultation.

The draft transparency in health and social care guidance has been developed to help health and social care organsiations understand our expectations about transparency.

The consultation will run from 13 November 2023 to 7 January 2024. We may not consider responses submitted after the deadline.

We are also seeking views on a draft summary economic impact assessment for this guidance. Your responses will help us understand the code’s practical impact on organisations and individuals.

Responding to the consultation

You can respond to the consultation in the following ways.

  1. Complete the Smart Survey – please include your email address if you wish to contribute to further case studies, or if you are happy to be contacted about any of your responses to our impact assessment.
  2. Download the Word document and either email your response to [email protected], putting ‘consultation response’ in the email subject, or print off the documents and post to:

Policy Projects team
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Privacy statement

For this consultation we may publish the responses received from organisations or a summary of the responses. We will not publish responses from individuals acting in a private capacity. If we do publish any responses, we will remove email addresses and telephone numbers from these responses but apart from this we will publish them in full.

Please be mindful not to share any information in your response which you would not be happy for us to make publicly available.

Should we receive an FOI request for your response we will always seek to consult with you for your views on the disclosure of this information before any decision is made.

For more information about what we do with personal data please see our privacy notice.

In December 2023 we launched a public consultation on draft transparency in health and social care guidance.

The consultation ran until 7 January 2024. We have now published the guidance. This document summarises the key themes emerging from the responses.

Responses

We received 38 responses to the public consultation. We thank everyone who took the time to comment and share their views.

About the consultation

We received a range of responses from a range of organisations and individuals, all with an interest in the guidance. The breakdown of respondents was as follows - respondents were able to choose multiple categories and not all respondents provided information.

An organisation or person processing health data 12 respondents
A representative of a professional, industry or trade association 7 respondents
An organisation representing the interests of patients in health settings (eg GP practice, hospital trusts) 4 respondents
An organisation representing the interests of patients in social care settings (eg care home) 5 respondents
A trade union 1 respondent
An academic 1 respondent
A person acting in a private capacity (eg someone providing their views as a member of the public) 1 respondent
Unspecified or other 8 respondents

Overall, the responses were positive. Respondents welcomed the draft guidance. They appreciated the ICO taking an interest in this area and bringing a better indication of what is expected.

In analysing the responses, we identified several key themes. We’ve summarised these themes below and set out how we responded to this feedback. The structure of the summary reflects the structure of the guidance.

Key themes

Who is this guidance for?

The guidance is aimed at anyone in health and social care who is involved in delivering transparency information to the public. It provides a bullet point list of who this could include.

Respondents suggested that the scope of the target audience is wider than this in practice and suggested that this should include:

  • those who may engage with health and social care services and also those who process health and social care information;
  • A wider range of public sector organisations that commission and interact with the health and social care sector;
  • the person with responsibilities for Information Governance - for example, smaller organisations may not always have a DPO but the guidance would apply to the person with those responsibilities;
  • service managers and frontline workers; and
  • those who are involved in new health and social care initiatives.

Some respondents thought that the guidance may be difficult to understand by those who do not have a basic knowledge and understanding in this area. Suggestions received by respondents to help with this included:

  • Make the guidance more accessible and easier to read.
  • Produce a simpler version provided for the layperson.
  • Produce a companion piece aimed at the public.
  • Provide a wide range of accompanying ready-made resources.

ICO response

We have developed this section and made the list of roles the guidance could apply to more broad. We also changed the lead in to say that ‘this can include’ rather than ‘this includes’ to reflect that the list is not exhaustive. We have added a second list which sets out examples of organisations which may be included in the scope.

We have expanded from those who may engage with health and care services to include those who process health and care information to reflect the potential wider audience e.g we have included local government and universities.

Whilst the guidance isn’t aimed at frontline workers, we have made clear that it is beneficial for them to be able to explain and signpost to transparency information.

In relation to the proposed accompanying guidance pieces, we have taken these suggestions on board. Whilst they are outside the scope of this guidance piece, we have recorded the suggestions for future reference.

Considerations for different size organisations

It was acknowledged that the guidance sets out what is required in terms of transparency considerations generally. However, respondents thought that it could provide further detail on what is proportionate for different size organisations. In particular, smaller organisations may not have the resources to focus the same attention on transparency considerations as  a larger organisation with a dedicated team.

It was also suggested that the guidance could provide more detail and be developed in terms of cross system and cross sector transparency requirements.

ICO response

We have revised the guidance in terms of proportionality and explicitly said that smaller organisations won’t be expected to consider transparency in the same level of depth as larger organisations.

We have also now included practical examples of what might be appropriate in different circumstances.

We have elaborated on content in the ‘How can we work with others?’ section and highlighted the need to work in a joined-up way. We have also suggested that smaller organisations, who may not have the resources to develop their own material utilise that of others where appropriate.

External

The guidance included reference to other relevant considerations which fall outside of data protection compliance. For example:

  • Common law duty of confidentiality
  • Opt-outs

Respondents thought that more could be said about these as they are important considerations around the provision of privacy and transparency information.

One respondent thought that the guidance should be clearer that the guidance relates to issues within the ICO’s remit.

Respondents suggested that the guidance would benefit from links to relevant material on external websites in places. For example, this could be where there are templates available for use or where further information can be found on patient engagement. 

ICO response

Referring to relevant considerations in this context which are not covered by data protection and also acknowledging the differences which apply across the UK has been a balancing exercise. We appreciate the need to highlight what needs to be considered in this context. Our approach has been to include references in the relevant sections, and this allows people to look into matters further in the appropriate forum. For example, we have now included reference to Caldicott Guardian’s and Data Guardians in Northern Ireland.

However, where matters fall outside the ICO’s remit and only apply in one region of the UK we have only included a brief reference. For example, opt-outs are referred to and we have made clear that they are used in England only and are not a function of data protection, but we have kept the content brief.

In the introduction we have explained that the guidance supplements our existing guidance and provided links to the relevant ICO materials.

We have also made clear in the legislative requirements section that the scope of this guidance is limited to the requirements of the Data Protection Act 2018 (DPA) and UK GDPR.

The differences across the UK regions were a consideration here as some of the suggested resources would not apply to everyone. We had included a link out to the National Data Guardian’s guidance for organisations in England on promoting benefits where confidential information is processed without consent for purposes beyond individual care. We made it clear that it applies to England only, but we considered this could be applied broadly and would be of benefit.

We have also now added links to relevant external guidance on confidentiality. We have decided against further external links to keep the guidance focused on data protection. By including reference to matters of relevance we hope that people have sufficient information to locate additional resources for further information should they wish.

Legislative requirements

The guidance uses the terms ‘must’, ‘should’ and ‘could’ when referring to legislative requirements. Many respondents found this approach clear and helpful and appreciated the consistent use throughout the guidance.

However, some respondents informed us that the ‘Good medical practice’, the professional standards for all doctors in the UK, also uses these terms. While the use of the term ‘must’ align in both sets of guidance, there is a difference in the way that ‘should’ is used. In the ‘Good medical practice’, ‘should’ is used for duties or principles that either, may not apply to a medical professional or the situation they are in, or which they may not be able to comply with because of factors outside of their control. Respondents said that this could cause confusion among medical professionals.

ICO response

We have kept the terms in line with ICO current guidance policies and to provide regulatory certainty. We have now made clear in the introduction that the guidance says what organisations must, should and could do to comply with data protection legislation. We have also made clear that the scope of the guidance is limited to the requirements of the DPA and UK GDPR when we introduce the terms.

Examples and case studies

Respondents thought that the guidance sets out a good overview of expectations in relation to the transparency principle. But they said that it could be strengthened by including more practical examples of what would be considered good practice and that it would benefit from more specific and practical advice and information.

Some respondents thought that the draft guidance lacked in depth detail but is a useful starting point. This mainly related to the case study placeholders.

Respondents thought that the case studies could be clearer, and some respondents made useful suggestions in relation to how the current wording could be improved.

Some respondents thought that the examples were unbalanced in terms of health and social care with more focus on health. Some thought that the guidance would benefit from further detail in relation to individual areas of service provision. Other respondents thought there was no real distinction between the two areas throughout which made sense in the context of transparency.

ICO response

When drafting the guidance, we included placeholders for case studies and examples to further illustrate certain issues. In the consultation we asked for any examples of good practice relating to specific topics to improve on these.

We felt it important to get knowledge and experiences from people in the health and social care sectors and to share examples of what has worked in practice.

We have used examples and suggestions offered to improve the case studies in the guidance. We have also included shorter examples throughout in the main text and have used these to incorporate examples in the context of social care. We are conscious that examples help readers to apply the guidance in real life scenarios, so it is important to relate content to both sectors as far as possible. However, we did not feel that we were able to provide more detailed information in relation to individual areas of service provision in view of the breadth of these services.

Openness and honesty

The terms open and honest are introduced in the current ICO guidance on the data protection principles, specifically for Principle (a): Lawfulness, fairness and transparency. This guidance provides an interpretation of these terms for clarity on what is meant by transparency.

Respondents appreciated that the recommendations set out practical ways in which people can demonstrate that they are being open and honest.

Some respondents said that they did not understand the distinction between the different interpretations of the two terms which were set out in separate lists and suggested that there was an overlap in some of the examples provided.

One respondent suggested that the word ‘honest’ could be replaced by a different term, perhaps ‘clear’ or ‘integrity’ to avoid the suggestion that organisations might be deliberately dishonest.

Many respondents stressed the need to include reference to the indirect collection of information, making clear that the transparency requirement still applies and how the delivery of this information should be approached.

ICO response

The terms open and honest are not included in data protection legislation and are therefore not defined. We felt it important to provide examples which are relevant in these sectors to show how openness and honesty might be achieved.

We believe that the two terms are distinct, but we accept that there is some overlap. In response to suggestions, we decided to change this section and set out the interpretation of the terms collectively. The two lists have been merged to set out what information could be provided to demonstrate both openness and honesty in this context.

We acknowledge that the suggested alternative terms could be good substitutions. However, as open and honest are used in existing guidance and our aim is to align with and contextualise their meaning, it was important for these terms to remain.

We have included specific reference to indirect collection in the list of ways you can demonstrate that you are being open and honest. We have also included it when we explain how the guidance approaches transparency information.

Language

Respondents observed reference to the importance of organisations ‘considering’ transparency throughout the guidance. However, respondents pointed out that the use of the word ‘consider’ does not make clear what that should involve and what efforts need to be made. They said that compliance with the principle of transparency went further than this and it would not be sufficient to simply show that you had considered the matters but that you had then taken action to comply where appropriate.

This was also true of the statement in the guidance that good transparency means raising awareness. Respondents said that the terms ‘awareness’ and ‘understanding’ were used interchangeably and that the aim is not only to create an awareness but also create an understanding of uses of personal information which is a higher responsibility.

The guidance referred to direct and secondary care purposes throughout. Many respondents thought that reference to secondary care was too restrictive as the information would be used for purposes beyond care in many situations, yet the transparency obligation would still apply.

The guidance also referred to patients and service users throughout. We had considered the use of these terms and decided that they were the most appropriate to use in this sector specific guidance. Respondents said that these would not resonate with some readers and that in social care, the term people is used. Respondents also said that patients and service users did not necessarily cover all those who transparency information might be aimed at. In particular, people would not always be patients in the examples provided.

One respondent thought that the language used was not very inclusive and didn’t necessarily cover their processing activities.

There was a request to explain ‘layering’ in terms of how privacy and transparency information should be provided as this might only be understood by those who work in communications.

ICO response

We reviewed the use of the word ‘considered’ throughout the guidance and changed this to a better term to reflect a higher threshold where appropriate.

We agreed with the need to stress the importance of improving understanding as well as raising awareness and we extended references throughout the guidance to include both terms.

We also expanded all references to secondary care to the wider term secondary purposes.

We took on board the feedback in relation to the terms patients and service users and have changed most references to ‘people’ which is broader. However, we have taken the view that, in some instances reference to patients and service users is still the most appropriate.

We have broadened the language throughout the guidance and this and the addition of examples should make it more inclusive.

We have also provided an explanation of layering to assist people in using this process to provide privacy and transparency information.

Definitions

Respondents suggested that a definitions section or a glossary would be welcomed to include terms and acronyms which might not be understood by all readers. For example, the draft made reference to TRE’s (Trusted Research Environments) and provided a brief explanation of what these are. Many respondents suggested that SDE’s (Secure Data Environments) is the terminology usually used and that a more comprehensive definition of this would assist.

There were also requests to move the section ‘What is transparency?’ which includes the definitions of transparency and privacy information, to the start of the guidance.

ICO response

We have developed a glossary which sits as an annex to the guidance. This is a quick reference tool for key terms and abbreviations and links to other resources for further reference.

We changed references to TRE’s to SDE’s and included a definition of this in the glossary including a link to the government web page which provides a more detailed explanation.

We considered the order of the sections in the guidance and the section on transparency and privacy information remains in its original position. When we make reference to the two terms in the section, this is more than simply providing a definition. We believe that the order of the draft guidance works well in its original form. The introduction is essential in explaining the importance of transparency initially, the scope and intended audience of the guidance and the way the guidance approaches legislative requirements.

Navigation - Strengthen links

The guidance makes reference to existing ICO guidance, particularly on the principle of transparency and the right to be informed (Articles 12, 13 and 14). The guidance contains further reading boxes at the end of each section where links can be found to the guidance where it’s relevant to that particular section.

Respondents thought that these links could be highlighted, and it could be made clearer what further information could be found. Some respondents suggested that content could be repeated in this guidance.

ICO response

We have added a section in the introduction explaining that this guidance supplements existing ICO guidance on areas linked to transparency. We have then listed and linked to that guidance. Where we introduce a term for the first time, we have made specific reference to the further reading boxes and the relevant guidance links for ease of navigation.

We were conscious of not repeating content from other guidance which helps with the overall length and because we have highlighted links when the relevant information can be found in existing, more substantive guidance. One respondent commented that the draft guidance is longwinded and needs to be more digestible and this addresses this point as far as possible.

Relevant links are also included in the glossary.

How do we identify harms arising from a lack of transparency?

This was considered a useful section by many respondents.

There were suggestions made which we considered were valuable, but which fell outside the scope of the guidance. For example:

  • writing to a deceased patient is likely to cause distress to their family;
  • reference to consideration of bias and the implications for creating trust; and
  • broader definition of societal harm to include inadequate housing, impact of poverty, substance abuse etc.

Many respondents also thought that the potential for harm to occur as suggested was overemphasised, especially in the example provided. They felt that it is important to highlight and focus on the harms which are more likely to occur in this context.

ICO response

The examples and case studies we included in the guidance were placeholders and we’d requested real life examples that we could incorporate. We received alternative suggestions for the example in this section and we have now developed this on the basis of these suggestions. It now highlights potential harms to both the individual and to wider society.

We have also provided further detail in relation to the potential types of harms in this context with examples based on suggestions received.

We changed the heading for this section as suggested by one respondent who thought that the previous heading ‘Transparency Harms’ was not very helpful. It did not explain that the section is talking about the potential harms of not being sufficiently transparent. We agreed and have changed the heading to ‘How do we identify harms arising from a lack of transparency?’.

How can we involve the public?

Respondents found this section useful in terms of prompting organisations to think of ways to communicate transparency information. One respondent said that it reflects existing guidance frequently used in the context of secondary uses of patient data for research purposes.

Respondents thought that this section contained useful information and agreed that public engagement was vital. Many thought that the challenge would be putting it into practice and questioned how applicable it is to smaller organisations who would not have the resources for public consultation.

One respondent thought that ‘involvement’ was a better term than ‘engagement’ and some respondents suggested that use of the widely recognised terminology Patient and Public Involvement and Engagement (PPIE) was more appropriate in this section.

One respondent suggested that the guidance needed more detail on meeting people’s needs ie accessible formats, consideration of those who are digitally excluded etc

Some respondents thought that this section should stand alone to make it stand out in the guidance.

ICO response

We have expanded this section to reflect the fact that a proportionate approach should be taken in terms of engagement. We have also included examples of what might be more appropriate for smaller organisations based on suggestions provided.

We decided not to make the section standalone as we did not feel that the level of content warranted this.

We have re-introduced the term PPIE which we had used in previous drafts of the guidance. We were concerned that this was specific to England. However, as it is self-explanatory, it sums up the process and describes what is recommended well.

We have expanded this section to include reference to the benefits of involving the public in terms of tailoring information to meet people’s needs. We have also included alternative forms of transparency information in the list of how you can demonstrate openness and honesty.

How do we assess if we are being transparent?

Many respondents said that the checklist is a useful tool, it is a good summary and would help in addition to completing DPIAs or could be included in a DPIA.

One respondent suggested that the checklist could be more interactive which would help organisations make more informed decisions.

A respondent said that there needed to be reference to the need to review transparency information and the fact that it is an iterative process and not a one-off exercise.

ICO response

We considered how we might achieve a more interactive approach. We concluded that a solution such as a flowchart would not work. This is because the guidance aims to provide more clarity on the transparency obligation, but this will be determined by the circumstances in each case and the addition of examples should help to bring it to life more.

We have changed the format of the checklist and merged the ‘musts’ and ‘shoulds’ into one list which made the order more logical. We also provided links to the relevant sections where appropriate in response to a suggestion, to allow easy navigation to the further information without repeating the content.

We have included an extra paragraph in this section ‘How often should we review our transparency information?’ to set out the importance of review and evaluation.

Miscellaneous comments

One respondent pointed out the need to make clear that being transparent does not include an obligation to disclose all the information you hold.

Some respondents thought that there was a need to highlight the optional nature of DPIAs in the DPIA section.

Many respondents thought that there needed to be more reference to privacy notices throughout the guidance.

ICO response

We agreed with the need to make clear that the transparency principle does not mean making all information available. We have included reference to this in the ‘How does the guidance approach transparency?’ section using commercial information which is confidential as an example.

We have developed the content of the DPIA section, setting out when a DPIA is required. The existing DPIA guidance is referred to in the Further Reading box and we have not repeated this. We have made it clear that a DPIA is not always required but it can be beneficial to carry out the process.

Impact assessment

We also consulted on a summary impact assessment for eight weeks between 13 November 2023 and 7 January 2024.

Responses

23 responses were provided on the survey questions relating to impact and the breakdown of respondents was as follows:

An organisation or person processing health data 9 respondents
A representative of a professional, industry or trade association 4 respondents
An organisation representing the interests of patients in health settings (eg GP practice, hospital trust) 3 respondents
An organisation representing the interests of patients in social care settings (eg care home) 4 respondents
A trade union 1 respondent
An academic 1 respondent
A person acting in a private capacity (eg someone providing their views as a member of the public) 1 respondent

The size of the organisations varied with 10 responses from organisations of less than 250 members of staff, eight respondents were from organisations with over 250 members of staff. Five respondents did not confirm the size of their organisation.

Consultation responses

In relation to the scope and coverage of the impact assessment, 13 respondents agreed that the impact assessment summary adequately scoped the main affected groups and impacts, and three respondents did not offer a view.

The consultation touched on a range of themes and was broadly supportive of our impact approach. Feedback from respondents on impacts included the following response:

“In the costs we should also consider that transparency is a spectrum and that there may be costs in terms of increased privacy risks to the data subjects with published transparency information (for e.g. publishing the names of all practices that contribute data to a database on a website) in the pursuit of excessive transparency”.

In terms of additional benefits and costs:

  • Six respondents thought the guidance presented additional benefits.
  • Seven thought there would be additional cost.
  • Seven respondents thought there would be both additional costs and benefits.
  • Three respondents thought there would be neither.
  • One respondent was unsure.
  • Five did not respond.

Most costs and benefits noted by respondents were included within the summary impact assessment, however some additional types of costs or benefits that respondents felt their organisation might incur, included:

  • Increased (bilingual) communication costs (one respondent).
  • Costs of facilitating and delivering transparency and privacy messages to the public (four respondents).

When asked to provide an estimate of the costs or benefits organisations were likely to incur; the following responses were provided:

  • Some areas of improvement that may require some staff resource (one organisation estimated this could result in an additional £30,000 in staff time).
  • Based on some of the interpretations of what constitutes our duties around transparency and privacy up to an additional £500,000 per annum.
  • Transparency does not always improve public trust and that is a risk we have to accept.
  • We have to accept some costs in terms of increased opt-outs.

ICO response

We noted additional areas of impact highlighted by respondents and the impact assessment reflects the feedback provided during the consultation.

We clarified an estimate of additional costs with one respondent that had outlined the potential for additional costs of up to £500,000. They stated that their estimate was based on the potentially significant costs of putting in place improved information access tools for all GP registered patients.

We have taken account of the additional costs and benefits highlighted by respondents by updating the summary of potential impacts.