The ICO exists to empower you through information.

In detail

How do we provide transparency and privacy information?

Under the UK GDPR, organisations must:

  • operate transparently (Articles 5(1)(a)); and
  • provide specific privacy information to individuals (Articles 13/14).

These separate requirements mean that you need to think about the most effective ways of providing privacy and transparency information to people. The UK GDPR does not specify the most effective ways. You can achieve this in several ways in the health and social care sector.

Providing privacy information means more than just publishing a privacy notice on your website. You should make efforts to inform people where they can find your privacy information and notify people when you make significant changes. This could involve signposting people to your privacy notice on your website or notifying them directly.

Providing transparency information means making additional information available to people to demonstrate openness and honesty. This is a prime opportunity for you to clearly explain how you will use people’s information and to build trust and confidence.

Remember – if you have received information about someone from a third party, you still need to tell them you have the information and what you intend to do with it (see our detailed guidance below). In these circumstances, you may be more limited in the way you choose to inform people, as you may not be able to provide that information in person.


When assessing how to provide transparency and privacy material to people as part of this requirement, you should think about the following questions.

What are the most effective ways of communicating with our audience?

When implementing new ways of using personal information or making changes to your existing activities, you should decide on the most effective ways of informing people. An effective method is one which increases awareness and understanding in how you are using people’s information. This may include publishing information on your website, using in-person contact points with the service you offer or a paper form.

You may also decide to use a mixture of communication methods, depending on the audience you are trying to reach. This is where it is important to understand your audience’s needs when accessing and understanding the information you wish to provide (for example, providing information in non-digital forms if it’s likely that your audience engages with health and social care services in this way).

Some communications methods typically used to provide transparency information include:

  • posters and leaflets;
  • letters;
  • emails;
  • texts;
  • social media and other advertising campaigns; and
  • website pop-ups and just-in-time notifications.

Whatever method you choose, you must make your transparency information easy to find. One way of achieving this is to ensure that staff members in your organisation (particularly those with public-facing roles) can provide people with or direct them to relevant information at the appropriate time.

How direct do our communication methods need to be?

You should carefully consider how different communication methods can help you provide different elements of your privacy and transparency message. Some methods can engage large audiences (eg a public advertisement), whereas some engage people on a one-to-one basis (eg a letter or email).

In certain circumstances, you could decide to use more direct forms of communication, such as providing information in person or writing directly to affected people. Whilst direct forms of communication may not always be necessary or the most appropriate method, you must ensure that you have provided people with sufficient privacy and transparency information.

To help you make decisions about contacting people directly, you should consider the following points:

  • The impact – how much this may potentially affect people, including any identified risks or harms. For example, it would not be appropriate to send a letter directly to someone if you are aware that they do not have the capacity to understand the information you need to provide. This might lead to harmful or ineffective outcomes.
  • Public expectations – as part of your risk assessment and decision making, you may find it helpful to engage with patient and service user groups to understand their expectations about how you would provide transparency information.

Example

An NHS organisation places a series of adverts at bus stops in an area, informing people that organisations can use their information for medical research. The advert lists some of the benefits the public can expect to see as a result. This is an effective way to raise awareness to a large audience about this use of information. However, this method alone is unlikely to provide enough detail to create a deeper understanding of how that process works or to provide any detailed transparency information.

To achieve this, the organisation decides to supplement this awareness raising activity by providing more detailed information directly to people, using leaflets enclosed in appointment letters.

This results in a more rounded and effective transparency campaign.

How should we present our privacy and transparency information?

People may not always have time to read detailed privacy information. Their levels of engagement with this information are also likely to vary, depending on their circumstances and needs at any given time. While certain people may find a detailed privacy notice useful, many people might find the level of information provided in one place overwhelming or too time consuming.

It can be effective to break the privacy information down and offer a layered approach. The first layer typically consists of a short notice containing key information. This may then allow access to a second layer by expanding each section or including links to more detailed information. This may, in turn, contain links to a third layer that explains more specific issues.

You should place the most important information prominently within the initial layers of your communication. This will help people engage with the substance of your message and quickly gain a broad sense of what is happening to their information.

The first layer of communication should draw people’s attention to the most important elements of your privacy information, including:

  • a brief overview of how you use their information and for what purpose;
  • highlighting any choices or actions available to people about how you use their information; and
  • signposting people to areas where they can find out more detailed information (additional layers).

You could effectively support these layers through engaging communications products such as infographics and videos.

How do we deal with complexity and prevent ‘information overload’?

Some processing activities involving health and social care information can be complex. For example, when multiple, separate programmes are working together as part of a wider programme or strategy to be delivered locally or nationally, the scale can overwhelm people. Other complex processing can involve lots of technical processes, such as implementing privacy-enhancing technologies to deliver enhanced safeguards to personal information. These types of programmes can generate significant amounts of privacy information if separate privacy notices are required. You should consider how to communicate complex or interlinked processing in a clear and accessible manner.

Simplifying your public messaging about these types of programmes can avoid the risk of overwhelming or confusing people. You may find it more effective to pitch transparency material at a high level to ensure people remain engaged and to achieve greater overall awareness.

An alternative method involves breaking down complex information into smaller ‘bite-sized’ explanations – for further details, please see this section in our guidance on transparency as part of our Children’s code (link below). This guidance is also relevant for other types of processing too.

Remember – to make sure your transparency information is easy to understand, you should use clear and plain language. This means using everyday terms that people are familiar with and avoiding using confusing terminology or jargon.

How should we work with others?

You are responsible for conveying effective transparency and privacy information about your processing activities. However, where organisations are working together to deliver health and social care services, it is important to develop transparency and privacy material that is also ‘joined up’ in a way that makes sense to people. To do this, you should consider how and when people use health and social care services. Those interactions may provide opportunities to provide people with additional transparency and privacy information.

By identifying these opportunities, you can work together with relevant services to plan and allocate responsibility for delivering transparency and privacy information. This can result in successfully delivering this information at the most effective point to people.

Smaller organisations may also utilise relevant information or templates already produced by others to provide information where appropriate.

These solutions can reduce the burden on smaller organisations who may not have sufficient resources to develop and deliver this information.

Example

An Integrated Care System (ICS) decides to implement a new project which involves processing health and social care information. An ICS is a partnership of organisations in the same area that come together to plan and deliver health and social care services. Each of the individual organisations remain responsible for ensuring that they provide transparency information.

Through the ICS, the organisations can work together to ensure they are providing the same transparency information  to the public so there is consistency across the region, without a duplication of effort.