What is transparency?

Transparency in the UK GDPR is the requirement for organisations to tell people about how they are using their personal information. It forms part of the first principle of the UK GDPR, Article 5(1), which requires that personal information shall be:

“a) processed lawfully, fairly and in a transparent manner in relation to the data subject.”

Transparency also applies to the requirement to let people know how you will use their information (the right to be informed). For more information on the right to be informed, see the further reading box below. You must be transparent with people in order to comply with the transparency element of Article 5(1). In this guidance we refer to this as “the transparency principle”.

The overall purpose of transparency is to make sure people are:

  • aware of and understand when and how organisations are using their personal information and for what purpose; and
  • empowered to make decisions about their information rights based on that knowledge.

You may also be required to act transparently under separate legislation, such as Freedom of Information legislation. However, for the purpose of this guidance, we refer to transparency where it is about:

  • the use of personal information;
  • data protection harms; and
  • risks (eg programme risks) that organisations can mitigate through increased levels of data protection transparency.

Example

An organisation wants to deliver a system to patients using pseudonymised data. However, people do not support it because they do not understand it and fear it will make their information less safe. The organisation needs to identify and address the public’s concerns and be transparent about the aims of the system. They need to explain why they are using pseudonymised data and the steps they’re taking to keep information safe. Doing this may increase trust and confidence in the system.

How does this guidance approach transparency?

To help provide you with clarity for legal compliance and best practice, we use the following terminology when referring to separate elements of transparency:

  • Privacy information: This describes the specific information you must provide to people to comply with transparency obligations under the right to be informed. You need to provide this when you receive information directly (from someone) or from a third party (Articles 13 and 14 UK GDPR).
  • Transparency information: This describes the total range of material you should provide to comply with the transparency principle. This also includes additional information that you could provide to people to make your transparency material more effective. You still need to be transparent even when you have received information indirectly.

It is important to note that the transparency principle does not include an obligation to make all the information you hold available. There will be types of information that you may not want to disclose, eg confidential commercial information, and this is acceptable.

Below are some examples of the difference between privacy and transparency information:

Privacy information

A hospital trust publishes on their website a list of third-party organisations they share patient information with to support the provision of care services.

This is privacy information. It is specific information that you are required to provide to people as part of the right to be informed.

Transparency information

The hospital trust also creates a policy document which they publish on their website, choosing to make it available to the public. The policy describes how the trust makes decisions when sharing personal information with research organisations.

This is transparency information. It is about sharing personal information, but is not specified as something that you are lawfully obliged to do as part of the right to be informed or include within a privacy notice.

Neither

The hospital trust creates an organisation chart, which shows the pictures and profiles of the executive team.

This information contains the personal information of the executive team and provides further information about the organisation. However, this is not transparency or privacy information as it does not provide information about how they will use people’s personal information.

Why is transparency in health and social care so important?

The health and social care sectors routinely handle information about the most detailed aspects of a person’s health and personal life. This information is provided in confidence to trusted practitioners to receive health and social care services. Some of this information will be classed as special category, which is sensitive information that needs more protection. For more information on special category information, see the further reading box below.

Data protection legislation recognises the importance of this special category information. You must put additional controls in place to protect it. However, acquiring and maintaining public trust and confidence is also important. This ensures people feel comfortable in sharing their information so that practitioners can use it. This relationship of trust also sets expectations about how you will inform people about the use of their personal information. The transparency information which you provide can be as important to people as the privacy information in building this trust and confidence.

Ensuring that people understand what is happening to their information is an important factor in maintaining trust and support in health and social care systems. The need to collect and use health and social care information may be obvious to those seeking care, but there are other, less obvious, uses that may require further explanation. For example, organisations might need to share information for planning health and social care services or medical research purposes.

People’s support for you using their information for secondary purposes is likely to depend on how much they understand the proposed use. People might not reasonably expect you to use their information for a purpose outside of their immediate care or treatment. If it is not clear what you will actually do with their personal information in practical terms, and the potential impact, then it is likely they will be reluctant to agree to you sharing their information. However, people may appreciate the benefits of sharing personal information for certain purposes, such as planning and research. It is more likely that people will be supportive if the explanation is clear. Being transparent about the use of personal information for secondary purposes can help inform people’s expectations and build trust.

Example

A person attends a hospital for emergency treatment. They will want and expect the hospital to share their personal information for the purposes of that treatment. In these circumstances, it is not a priority for the hospital to provide transparency and privacy information. Instead, the person can find this information in the hospital’s privacy notice at a later date.

Providing more effective transparency information can also help you achieve other legitimate objectives linked to the use of health and social care information. These objectives may include:

  • helping people to make decisions which may have an impact on the services they choose to use;
  • informing ‘opt out’ preferences (if these are available) when the organisation uses their information for secondary purposes;
  • gaining acceptance for innovative uses of information that have a public benefit (eg the use of AI-based health and social care technologies);
  • setting the agenda for public discussions to inform people’s expectations about how organisations use their healthcare information (eg do we pass on information? What is the impact of third-party commercial organisations accessing information in this way?);
  • complying with the principles of the Caldicott Guardians in England, Wales and Scotland and Personal Data Guardians in Northern Ireland; or
  • promoting the benefits and outcomes of certain types of processing to the public.

Further reading – ICO guidance

National Data Guardian guidance

The National Data Guardian has provided guidance to organisations on promoting benefits where confidential information is processed without consent for purposes beyond individual care. Whilst the guidance only applies to England, it should be of broader interest to health and social care organisations across the UK.

What do we need to do before we consider transparency?

It is important that you know exactly what personal information you plan to use and why you want to use it. The clearer your purpose for using information, the easier it will be for you to develop clear and engaging transparency information.

Before developing your privacy and transparency information, you must consider the following:

  • Necessity and proportionality – you must have a clear reason for using the information. You must explain why you are processing the information, your legal basis and, if relying upon legitimate interests, what those interests are.
  • Data protection by design – you must introduce safeguards to protect the information. Explaining the steps you have taken to protect people’s privacy within your transparency information (eg pseudonymising or anonymising information where possible) will increase the levels of trust people have in the system.

When do we do a data protection impact assessment (DPIA)?

In certain circumstances, such as when you are using new technologies, your processing is likely to pose a high risk to people’s rights and freedoms. If so, you must conduct a DPIA. This is highly likely when you are using people’s health and social care information. A DPIA is also required when using information on a large scale. However, even when it is not required, using this process can bring broader benefits. For example, you can demonstrate your compliance with data protection principles, including transparency. By documenting the risks you have identified and the steps you will take to mitigate them, you are being transparent about your thinking. Publishing your DPIA, where appropriate, may further help to achieve this and also build trust and confidence. For more information on DPIAs, see the further reading box below.