The ICO exists to empower you through information.

In detail

How do we provide transparency and privacy information?

Under the UK GPDR organisations must:

  • operate transparently (Articles 5(1)(a)); and
  • provide specific privacy information to individuals (Articles 13/14).

These separate requirements mean that you need to think about the most effective ways of providing privacy and transparency information to people. The UK GDPR does not specify which ways are most effective. You can achieve this in several ways in the health and social care sector.

Providing transparency information means making additional information available to people to demonstrate openness and honesty. This is a prime opportunity for you to provide as much information as possible to clearly explain how you will use people’s information and to build trust and confidence.

Providing privacy information means more than just providing a privacy notice on your website. You should make efforts to inform people where they can find your privacy information and to notify people when you make significant changes.

When assessing how to provide transparency and privacy material to patients and service users as part of this requirement, you should think about the following questions.

What are the most effective ways of communicating with your audience?

When implementing new ways of using personal information or making changes to your existing activities, you should decide on the most effective ways of informing people. You may decide to do this by publishing information on your website or in paper form. You may also decide to use different communication methods depending on your audience.

Whatever method you choose, you must make your transparency information easy to find. One way of achieving this is to ensure that staff members (particularly those with public-facing roles) also understand data protection transparency. They can provide patients and service users with and direct them to relevant information at appropriate points in time.

How direct do communication methods need to be?

You should carefully consider how different communication methods can help you provide different elements of your privacy and transparency message. Some methods engage large audiences, whereas some engage people on a one-to-one basis (eg a letter).

For example, it is unlikely that some indirect forms of communication, such as an advert at a bus stop, can provide the required level of detail to be considered privacy information. However, these same methods can be effective for communicating certain transparency messages ie raising awareness that you may use patient information for medical research).

In certain circumstances, you could decide to use more direct forms of communication, such as providing information in person or writing directly to affected patients or service users. Whilst direct forms of communication may not always be necessary or the most effective method, you must ensure that you have provided people with sufficient privacy and transparency information.

To help you make decisions about contacting people directly, you should consider the following points:

  • The impact on people – how much this may potentially impact affected patients and service users, including any risks or harms identified in your DPIA.
  • Public expectations – as part of your risk assessment and decision making, you may find it helpful to engage with patient and service user groups to understand their expectations about how you would provide transparency information.

How should we present our privacy and transparency information?

Patients and service users may not always have time to read detailed privacy information. Their levels of engagement with this information are also likely to vary depending on their circumstances and needs at any given time. While certain people may find a detailed privacy notice useful, many people might find the level of information provided in one place overwhelming. 

You should place the most important information prominently within the initial layers of your communication. This will help people engage with the substance of your message and quickly gain a broad sense of what is happening to their information.

The first layer of communication should draw people’s attention to the most important elements of your privacy information, including:

  • a brief overview of how you use their information and for what purpose;
  • highlight any choices or actions available to people about how you use their information; and
  • signposting people to areas where they can find out more detailed information (additional layers).

You could effectively support these layers through engaging communications products such as infographics and videos.

How do we deal with complexity and prevent ‘information overload’?

Some processing techniques involving health and social care information can be complex. For example, a number of separate programmes may be working together as part of a wider programme or strategy to be delivered locally or nationally. This can generate significant amounts of privacy information if separate privacy notices are required.

Simplifying your public messaging about these types of programmes can avoid the risk of overwhelming or confusing people. It may be more effective to pitch transparency material at a high level to ensure people remain engaged and to achieve greater overall awareness. In particular, you should consider how to communicate complex or interlinked processing in a clear and accessible manner.

How should we work together?

You are responsible for conveying effective transparency and privacy information about your processing activities. To do this, you should consider how and when people come into contact with health and social care services. Those interactions may provide opportunities to provide people with additional transparency and privacy information.

By identifying these opportunities, you can work together with relevant services to plan and allocate responsibility for the delivery of transparency and privacy information. This can result in successfully delivering this information at the most effective point to patients and service users.

Example

A GP surgery decides to provide their patients with privacy information about local and national data use programmes and information rights.