In detail

How can we demonstrate that we are open and honest?

In order to process data transparently, you must be open and honest and comply with the right to be informed. Being open and honest means being upfront with people about how and why you will use their personal information. It is also about making information available as early as possible, in easily accessible and understandable formats using clear and plain language. You should give people sufficient time to have meaningful engagement or input on how you are using their personal information.

Articles 13 and 14 of the UK GDPR say what people have the right to be informed about. You must provide people with a list of specific information about the collection and use of their information. Organisations usually achieve this by using privacy notices. However, the principle of transparency often extends beyond the information that appears in your privacy notice. You must only apply exemptions about the right to be informed in the limited circumstances where this is appropriate.

Data protection legislation does not specify or limit what information to include as part of the transparency principle. However, providing additional transparency information will help explain how and why you use people’s information which will help set expectations and create trust. You should decide what extra information to provide, how much is necessary and the most effective way to provide it. This assessment depends on the type of personal information you are using, why you are using it and the effect that this may have on people.

This could include providing:

  • additional information (beyond privacy information) that explains how you make decisions about the use of personal information;
  • confirmation of what you will not do with people’s information to provide further reassurance;
  • clarity on design decisions (ie about system architecture) and the risks posed to people’s rights when introducing new technological systems, as well as safeguards applied to mitigate risks;
  • alternative forms of transparency information designed to suit different needs, such as using diagrams, infographics, videos, case studies and storytelling;
  • information in accessible formats, such as large print or braille for people who are visually impaired or non-digital forms for those who may be digitally excluded (remember to explain the meaning and context of any images using alt-text fields to support readers using assistive technologies);
  • public communications which raise awareness about how you use their information (eg advertising on television or at a bus stop);
  • accountability information, including organisational policies (eg information governance policies, meeting minutes or data sharing arrangements);
  • information that explains how other laws beyond data protection (eg health and social care legislation or government directions) provide the basis for organisations using information in certain ways;
  • data protection impact assessments (DPIAs) for certain types of processing activities or systems;
  • lists of information disclosed to researchers and the reasoning behind this;
  • further information about how and why you hold the data if you received it indirectly (from a third party), and how you intend to use it;
  • transparency information (including relevant updates) prompted by requests you may already be receiving from people;
  • improved information access tools for the public to give them greater visibility of the status of their own information (eg patient portals). This could include providing people with specific information about how you used their information (ie which research studies used the data);
  • information about the risks or harms people may be exposed to, and clarity on how you have mitigated, or are going to mitigate, these risks or harms if things go wrong, eg following a data breach (similar to the duty of candour principles that exist in health and social care across some UK regions); or
  • information that challenges or proactively deals with contentious issues, for example when addressing misconceptions relating to third-party access to sensitive health information.

How should we reflect choice?

The first principle of the UK GDPR requires that you must use personal information in a lawful, fair and transparent manner. UK GDPR also provides people with other specific rights over their personal information, for example the right to object. It is only fair that people are made aware of these rights and of any circumstances in which they do not apply, and that they can exercise them easily whenever they do apply.

This means highlighting and explaining genuine choices available to people about how you use their information and doing this in a clear and timely manner in your transparency information.

There are limited opportunities for people within a public health and social care system to provide meaningful consent, where data is needed to provide care. This is why the consent lawful basis in the UK GDPR is rarely appropriate in the context of health and social care information. For further information on consent, see the further reading box below.

However, you also need to consider and comply with the common law duty of confidentiality, which uses the concepts of ‘implied’ and ‘explicit’ consent. This is separate from data protection law, and the type of consent you need depends on your purpose and differs between direct care and secondary purposes. For example, a research organisation may require a person’s explicit consent to access their health records if they have agreed to participate in a research study. In these cases, being transparent is particularly important so that people understand why this duty applies.

When producing your transparency and privacy information, it is important to set out the position clearly in respect of choice:

  • Data protection – you must be clear when you are using consent as a lawful basis to process personal information.
  • Data opt-outs – the opt-out policies used in the health and social care sector in England are not a function of data protection legislation. However, the principles of fairness and transparency mean that you should clearly inform people about how the opt-outs apply (including how to register or update a preference).

How do we identify harms arising from a lack of transparency?

It is important to anticipate potential harms in the context of transparency when planning how to use people’s information.

Harm can be difficult to identify and quantify. However, it is clear that when people do not understand how organisations are using their personal information, this can cause anxiety or a loss of trust. This is particularly true given the sensitivities around the use of people’s health and social care information.

Categories of harms include:

  • physical harm (physical injury or other harms to physical health);
  • material harm (harms that are more easily monetised such as financial harm); and
  • non-material harm (less tangible harms, such as emotional or mental distress and social disadvantage).

Harms may fall into more than one of these categories. There may also be a harmful impact on wider society as well as to particular people.

Examples of potential harms to people include:

  • Psychological harms - when people do not understand the intended use of their health and social care information, this can result in fear, anxiety and embarrassment.
  • Loss of control of personal information - if you do not provide descriptions of how you use information, do not provide it adequately, or provide information that is overly complex or difficult to locate, it can cause confusion. This can deter people from accessing and reviewing how you will use their information. If people do not know what is happening with their information, they lose control of it.
  • Lack of trust in services - a lack of transparency about how you use personal information might create anxieties that lead to people being reluctant to engage with services. They may stop using them completely or reduce their use. They may also choose not to be fully open and honest with those providing health and social care. These, in turn, may negatively impact the health and social care they and others receive.

Examples of potential societal harms are:

  • Damage to public health – if people choose not to share their personal information, this might lead to a general lack of availability of health and social care information. This might negatively impact medical research. Also, if people in a particular demographic group or those with rare medical conditions choose not to share their information for research or planning, the resulting medical findings may not reflect them and their needs. Both of these may result in harm and adverse health outcomes to certain population groups and to wider society.
  • Failure of programmes with significant public benefit - where people are aware of a programme for the proposed use of their health and social care information but do not fully understand what will happen to it, this can lead to the spread of false or inaccurate information. By not providing sufficient and clear information there is a risk that the programme will fail, losing the potential benefits and causing societal harm.

To prevent or reduce harms resulting from a lack of transparency, you should identify the risks of failing to provide sufficient transparency material when using health and social care information. In particular, you should consider the potential harm that your intended use of information may have on the public.

Example

A health and social care organisation asks a person who is suffering from a rare medical condition if they can pass on their information for research and planning purposes. Whilst the person agrees in principle, the organisation does not provide them with any detail on what information they will use, who will have access to it and exactly what the organisation will use it for. As a result, the person decides that they would prefer not to share their information in this way.

This potentially causes them harm as it reduces the information available to plan their treatment. It may also cause a wider societal harm, as it reduces the already limited research information for the rare medical condition.

One way of identifying harms is through the DPIA process. Once you identify and address a risk of processing, you can seek to mitigate this by providing sufficient transparency information.

How can we involve the public?

The channels you use to provide your transparency information can be just as important as the information you wish to provide. This involves considering both the message you want to send and how you will communicate it. Effective engagement on data protection and information rights can help you develop high quality transparency information that successfully addresses people’s needs and priorities.

Health and social care organisations often use patient and public involvement and engagement (PPIE) processes and voluntary and community groups. These make sure that people remain at the heart of decisions being made about them. You should consider using these groups to develop and evaluate your transparency material.

This engagement can help you:

  • understand the profile of your audience;
  • understand how best to communicate with them;
  • establish how people understand and respond to transparency information;
  • provide people with a sufficient level of detail on how you will use their information;
  • design engaging communications products for all members of the public through which you can provide transparency and privacy information, in a format they prefer to engage with;
  • develop different material for groups that may require additional support to understand how the use of their information may impact them, or how to exercise their information rights (eg the elderly, those at risk of being ‘digitally excluded’, or anyone receiving information via an intermediary such as someone with parental responsibility or a carer);
  • prioritise the order in which you provide your privacy information to people (often referred to as layering) based on their preferences and concerns, particularly for complex processing activities or multiple workstreams which may generate extensive privacy material; and
  • evaluate the effectiveness of your transparency and communications information.

Meaningful consultation with the public throughout the process of designing or updating transparency information will improve your understanding of their needs, concerns and expectations. It will also help to raise awareness and understanding of how and why you intend to use their information and to show that you will do this in a responsible way.

It is important to include a representative and wide cross-section of the public, for example:

  • children;
  • people from underrepresented groups; and
  • those who are unfamiliar or sceptical about the topic.

You could also collaborate with charities. This will help to ensure that the information you provide is tailored to suit the needs of all those likely to access it.

PPIE can take many forms, including workshops, surveys and inviting representatives to join project delivery or governance groups. The process usually consists of holding open discussions with groups and listening to, acknowledging and responding to their views and concerns and working through issues together. It is important to hold open discussions and establish what representatives already know and what they would like to learn. PPIE also prompts recognition of different views and allows the opportunity for the exchange of ideas.

The level of engagement will vary and should be proportionate to the message you want to get across, the size of your organisation and the level of resourcing you have available. It won’t always be appropriate to work with the public and representative groups. For example, a small care home may find it more effective to ‘road test’ a privacy notice on a few residents, rather than commit to a widespread consultation.

Using information that you already hold is another way of establishing what will work best. For example, you might review previous incident logs or complaints to establish whether being more transparent in those circumstances might have reduced the chance of the issue happening, or prevented it altogether.

Case study

A medical research organisation acts as an intermediary between clinical organisations (such as GP practices) and research organisations. Through their service, they make anonymised data provided by GP practices available to researchers at academic, industry and government organisations to support public health and clinical studies.

As well as providing privacy and transparency information online, the organisation directly engages with the public through an extensive PPIE programme. The main objective is to establish a sustainable, effective and inclusive dialogue between researchers and clinicians, as well as patients and the wider public.

These PPIE activities include the following:

  • Representatives of the organisation presenting at GP ‘Patient Participation Group’ meetings, to raise awareness amongst patients and to answer any questions or concerns they may have about the GP practice sharing their data.
  • Annual patient public engagement workshops to discuss various aspects of information use, obtain feedback from the public and respond to queries.
  • Representatives attending conferences attended by GPs or patient representative groups.

As a result of their patient and public involvement and engagement work, the research organisation can provide the right level of detail in their transparency information. This accounts for the concerns and priorities of patients and their representative groups.

Further reading – ICO guidance