The ICO exists to empower you through information.

In detail

Introduction

Transparency is a key principle of the Data Protection Act 2018 (DPA 2018) and UK GDPR. Transparency ensures that people are aware of how you use their information. This means they can then make informed choices about how to exercise their information rights.

Being transparent about how you use personal information also has an important role to play in increasing levels of trust and confidence. A lack of transparency can negatively impact levels of trust and lead to poorer outcomes for patients, service users and the public.

Within health and social care, new technologies that use large amounts of personal information are being developed to support both direct care and secondary care purposes, such as planning and research. An example of this is the use of Trusted Research Environments (TREs). TREs are secure environments that provide remote access to health information in de-identified states that protect people’s privacy. Whilst these data-driven solutions offer many benefits to the public, you must clearly explain them to people to increase trust and to comply with data protection requirements. This is true of all uses of personal information across health and social care settings.

We have developed this guidance to help health and social care organisations understand our expectations about transparency. It supplements our existing guidance on the principle of transparency and the right to be informed. That guidance provides more detail on general transparency requirements.

Who is this guidance for?

This guidance is aimed at anyone in health and social care who is involved in delivering transparency information to the public. This includes:

  • policy makers;
  • information governance staff;
  • data protection officers (DPOs);
  • service managers;
  • communications and media teams; and
  • those developing new technological solutions.

Although a range of people may be involved in considering and delivering transparency information, it is a data protection issue. It is important to involve your DPO in your transparency process. Although this guidance is aimed at public sector organisations, it is also relevant to private and third sector organisations who deliver health and social care services.

This guidance will help you to understand:

  • what data protection transparency means for health and social care organisations;
  • how to develop effective transparency material;
  • how to provide transparency and privacy information to patients, service users and the public; and
  • the factors to consider when assessing levels of transparency.

Your transparency measures must be proportionate to your processing activities and the data protection risks to patients, service users and the public. For example, a small GP practice updating their privacy notice would not have to consider transparency in the same depth as a hospital trust implementing a new health record system. Whilst this guidance is applicable to all organisations within the health and care sector, you need to assess how much it applies to your organisation based on the circumstances of your processing.

Examples of activities where this detailed guidance may be useful include:

  • implementing a new data collection for secondary care purposes;
  • setting up a shared care record across a region to support direct care;
  • informing patients about a new personal health record app to support primary or secondary care;
  • setting up a research programme where researchers can contact patients to invite them to participate in research; or
  • setting up a new system that shares hospital discharge data with social care providers.

What is a legal requirement in this guidance and what is good practice?

To help you understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.

Legislative requirements

Must refers to legislative requirements (the scope of this guidance is limited to the requirements of DPA 2018 and UK GDPR).

Good practice

Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.

Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.