The ICO exists to empower you through information.

In detail

Introduction

Transparency is a key principle of the Data Protection Act 2018 (DPA 2018) and UK GDPR. Transparency ensures that people are aware of how you use their personal information. This means they can then make informed choices about how to exercise their information rights.

Being transparent about how you use personal information also has an important role to play in increasing levels of trust and confidence. A lack of transparency can negatively impact levels of trust and lead to poorer outcomes for patients, service users and the public.

Within health and social care, new technologies that use large amounts of personal information are being developed to support both direct care and secondary purposes, such as planning and research. An example of this is the use of Secure Data Environments (SDE). These are secure environments that provide remote access to anonymised health information, whilst protecting people’s privacy. Although these data-driven solutions offer many benefits to the public, you must still explain them clearly to people to increase trust and to comply with data protection requirements. This is true of all uses of personal information across health and social care settings. It is important that you are transparent whenever you are using personal information.

We have developed this guidance to help organisations that process health and social care information to understand our expectations about transparency.

Existing guidance

This guidance supplements existing ICO guidance on areas linked to transparency. We would advise you to read this separately in order to have a better understanding of how to comply with legal requirements. We will include links in our ‘further reading’ boxes where relevant throughout the document on:

We have also provided a glossary as an annex to help you understand the terms we use in this guidance.

Who is this guidance for?

The audience for this guidance is any organisation (including private and third sector organisations) who delivers health and social care services or processes health and social care information, including for secondary purposes (such as research and planning). This also includes:

  • local government organisations engaging with health and social care services;
  • suppliers who are using personal information to support the health and social care system;  
  • universities using health information for research purposes; and   
  • other public services that use health information for their own purposes (eg fire service, police and education).

This guidance is also aimed at anyone in health and social care who is involved in preparing and delivering transparency information to the public. This can include:

  • policy makers;
  • information governance staff;
  • data protection officers (DPOs);
  • service managers or clinicians with data protection responsibilities (where appropriate in smaller health and social care settings);
  • communications and media teams; and
  • product teams responsible for explaining new technological solutions.

Although a range of people may be involved in developing and delivering transparency information, remember that it is a data protection requirement. It is important to involve your DPO or someone with the same responsibility in your organisation. Whilst frontline health and social care staff should be able to explain and signpost to transparency information, they are not the intended audience for this guidance.

This guidance will help you to understand:

  • what data protection transparency means for health and social care organisations;
  • how to develop effective transparency material;
  • how to provide transparency and privacy information to people; and
  • the factors to consider when assessing your organisation’s level of transparency.

Your transparency measures should be proportionate to your processing activities and the data protection risks to the public. Whilst this guidance is applicable to all organisations within the health and social care sector, you will need to assess how much it applies to your organisation. For example, a small GP practice making minor updates to their privacy notice would not have to consider the steps outlined in this guidance in as much detail as a hospital trust implementing a new health record system.

Examples of activities where this detailed guidance may be useful include:

  • implementing a new data collection to support secondary purposes (ie a new research tool);
  • setting up a shared care record across a region to support direct care;
  • informing people about a new personal health record app;
  • setting up a research programme where researchers can contact people to invite them to participate in research; or
  • setting up a new system that shares hospital discharge data with social care providers.

What is a legal requirement in this guidance and what is good practice?

To help you understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply with data protection legislation.

Legislative requirements

Must refers to legislative requirements (the scope of this guidance is limited to the requirements of DPA 2018 and UK GDPR).

Good practice

Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.

Could refers to an option (for example, a particular measure) that you could consider to help you comply effectively. There are likely to be various other ways you could comply.