The ICO exists to empower you through information.

In detail

What is transparency?

Transparency in the UK GDPR is the requirement for organisations to tell people about how they are using their personal information. It forms part of the first principle of the UK GDPR, Article 5(1), which requires that:

“personal information shall be:

a) processed lawfully, fairly and in a transparent manner in relation to the data subject.”

Transparency also applies to the requirement to let people know how you will use their information (their right to be informed). For more information on the right to be informed, see the further reading box below. You must be transparent with people in order to comply with the transparency principle.

The overall purpose of transparency is to make sure people are:

  • aware of when and how organisations are using their personal information and for what purpose; and
  • empowered to make decisions about their information rights based on that knowledge.

You may also be required to act transparently under separate legislation, such as freedom of information legislation. However, for the purpose of this guidance, we refer to transparency where it is about:

  • the use of personal information;
  • data protection harms; and
  • risks (eg programme risks) that can be mitigated through increased levels of data protection transparency.

Example

An organisation wants to deliver a system to patients using pseudonymised data. However, there is a lack of public trust in the system, which means the organisation cannot use it. If the organisation were transparent about identifying and addressing the public’s concerns, this may increase trust and confidence in the system.

How does this guidance approach transparency?

To help provide you with clarity for legal compliance and best practice, we use the following terminology when referring to separate elements of transparency:

  • Privacy information: This describes the specific information you must provide to people in order to comply with transparency obligations under the right to be informed.
  • Transparency information: This describes the total range of material you should provide to comply with the transparency principle. However, this also includes additional information that you could provide to people to make your transparency material more effective.

Below are some examples of the difference between transparency information and privacy information:

Transparency information

A hospital creates a policy document describing how they make decisions when sharing personal information with research organisations.

This is transparency information. It is about sharing personal information, but is not specified as part of the right to be informed.

Privacy information

A hospital trust produces a list of third-party organisations that receive patient information to support the provision of care services.

This is privacy information. It is specific information that the right to be informed requires you to give to people.

Neither

A hospital trust creates an organogram which shows the pictures and profiles of the executive team.

You could consider this as transparency information as it provides further detail about the organisation. However, it is not about the use of patients’ and service users’ personal information.

Why is transparency in health and social care so important?

The health and social care sectors routinely handle information about the most detailed aspects of a person’s health and personal life. This information is provided in confidence to trusted practitioners to receive health and care services. Some of this information will be classed as special category, which is sensitive information that needs more protection. For more information on special category information, see the further reading box below.

Data protection legislation recognises the importance of this special category information. You must put additional controls in place to protect it. However, acquiring public trust and confidence is also important to ensure that people feel comfortable in sharing their information so that practitioners can use it. This relationship of trust also sets expectations about how you will inform people about the use of their personal information.

Ensuring that people understand what is happening to their information is an important factor in maintaining trust and support in health and social care systems. The need to collect and use health and care information may be obvious to those seeking care, but there are other, less obvious uses that may require further explanation. For example, sharing information for planning health and care services or medical research purposes.

People’s support for you using their information for secondary care purposes may depend on how much they understand the proposed use. People might not reasonably expect you to use their information for a purpose outside of their immediate care or treatment. If it is not clear what you will actually do with their personal information in practical terms, and the potential impact, then it is likely they will be reluctant to agree to you sharing their information. However, people may appreciate the benefits of sharing personal information for certain purposes, such as planning and research, if you explain it clearly to them. Being transparent about the use of personal information for secondary care purposes can help inform people’s expectations and build trust.

Providing more effective transparency information can also help you achieve other legitimate objectives linked to the use of health and social care information. These objectives may include:

  • helping people to make decisions which may have an impact on the services they choose to use;
  • informing ‘opt out’ preferences (if these are available) when their information is used for secondary care purposes;
  • gaining acceptance for innovative uses of information that have a public benefit (eg the use of AI-based health and social care technologies);
  • setting the agenda for public discussions to inform expectations (eg Do we sell information? What is the impact of third-party commercial organisations accessing information in this way?); or
  • promoting the benefits and outcomes of certain types of processing to the public.

The National Data Guardian has published guidance for the health and social care system in England, to help organisations carry out more consistent public benefit evaluations where confidential information is processed without consent for purposes beyond individual care.

What do we need to do before we consider transparency?

It is important that you know exactly what personal information you plan to use and why you want to use it. The clearer your purpose for using information, the easier it will be for you to develop clear and engaging transparency information.

Before developing your transparency information, you must consider the following:

  • Necessity and proportionality – you must have a clear reason for using the information. You must explain how your use of health and care information is necessary and proportionate.
  • Data protection by design – you must introduce safeguards to protect the information. Explaining the steps you have taken to protect people’s privacy within your transparency information (eg pseudonymising or anonymising information where possible) will increase the levels of trust patients and service users have in the system.