We are currently consulting on this draft guidance.
In detail
- How can we demonstrate that we are open and honest?
- How should we reflect choice?
- How do we identify transparency harms?
- When do we do a DPIA?
- How do we engage with patients and service users?
How can we demonstrate that we are open and honest?
In order to process data transparently, you must be open and honest, and comply with the right to be informed.
Openness
Being open means being upfront with people about how you will use their personal information and why. It is also about making information available in easily accessible and understandable formats. Under the right to be informed, you must provide people with a list of specific information about the collection and use of their information. Organisations usually do this through a privacy notice. However, the principle of transparency often extends beyond the information that appears in your privacy notice.
For instance, some organisations provide additional transparency information about how and why they use people’s information to help set expectations and create trust. Examples of this include publishing:
- lists of information disclosed to researchers and the reasoning behind this; and
- data protection impact assessments (DPIAs) for certain types of processing activities or systems.
Data protection legislation does not limit what information to include as part of the transparency principle. It is up to you to manage how to do this effectively. Therefore, you have to decide what information to provide and the most effective way to provide it. This assessment will depend on the type of personal information you are using, why you are using it and the effect that this may have on patients and service users.
You could consider providing:
- additional information (beyond privacy information) that explains how you make decisions about the use of personal information;
- clarity on design decisions (ie about system architecture) and the risks posed to people’s rights when introducing new technological systems;
- alternative forms of transparency information such as diagrams, infographics, videos, case studies or storytelling;
- public communications which let people know about how you use their information (eg advertising on television or at a bus stop);
- accountability information, including organisational policies (eg information governance policies, meeting minutes or data sharing arrangements);
- information that explains how other laws beyond data protection (eg health and social care legislation or government directions) provide the basis for organisations using information in certain ways;
- transparency material (including relevant updates) prompted by requests you may already be receiving from people; and
- improved information access tools for the public to give them greater visibility of the status of their own information. This could include providing people with specific information about how you used their information (ie which research studies used the data).
Honesty
The term honesty applies broadly and can include:
- informing people about the risks or harms they may be exposed to and providing clarity on how you have mitigated, or are going to mitigate, these risks or harms if things go wrong, eg following a data breach (similar to the duty of candour principles that exist in health and social care across some UK regions);
- challenging or proactively dealing with contentious issues, for example when explaining issues about commercial access to health information;
- giving as much privacy information as you can. You must only apply exemptions to the right to be informed in the limited circumstances where this is appropriate; and
- being open and transparent with people at the earliest opportunity. People must be given sufficient time to have meaningful engagement or input on how you are using their personal information.
How should we reflect choice?
The first principle of the UK GDPR requires that you must use personal information in a lawful, fair and transparent manner. It also provides people with other specific rights over their personal information, for example the right to object. It is important that people are made aware of these rights and can exercise them easily.
This means highlighting and explaining genuine choices available to patients and service users about how you use their information. It is only fair to do this in a clear and timely manner in your transparency information.
There are limited opportunities for people within a public health and social care system to provide meaningful consent, where data is needed to provide care. This is why the consent lawful basis in the UK GDPR is rarely appropriate in the context of health and care information. For further information on consent see the further reading box below.
However, there may be circumstances where you need to consider the separate Common Law Duty of Confidentiality and its associated concepts of ‘implied’ and ‘explicit’ consent. For example, it may apply when processing personal information for planning and research purposes. In these cases, being transparent is particularly important so that people understand why this duty applies.
When producing your transparency and privacy information, it is important to set out the position clearly in respect of choice:
- Data protection – You must be clear when you are using consent as a lawful basis to process personal information.
- Common Law – You should be clear about how you are meeting the common law duty of confidentiality.
- Data opt-outs – The opt-out policies used in the health and social care sector in England are not a function of data protection legislation. However, the principles of fairness and transparency mean that you should clearly inform people about how the opt-outs apply (including how to register or update a preference).
Further reading – ICO guidance
How do we identify transparency harms?
It is important to anticipate potential data protection harms in the context of transparency. These can include harms to society as well as to particular people.
Harms can be difficult to identify and quantify. However, it is clear that when people do not understand how organisations are using their personal information, this can cause anxiety or a loss of trust. This is particularly true given the sensitivities around the use of people’s health and care information.
Examples of potential harms to people include:
- Psychological harms – when people do not understand the intended use of their health and social care information, this can result in fear, anxiety and embarrassment.
- Loss of control of personal information – if descriptions of how you use information are overly complex, or difficult to locate, it can deter people from accessing and reviewing them. As a result, people lose control of their information. This lack of certainty can lead to emotional distress.
- Chilling effects – a lack of transparency around how you use personal information could lead to people stopping using services or reducing their use. This, in turn, could negatively impact health and care outcomes.
An example of a potential societal harm is:
- Damage to public health – if people choose not to share their personal information, this could lead to a general lack of availability of health and care information. Also, if people in a particular demographic group choose not to share, this could result in medical findings through research or service planning not being appropriate to that part of society. Both of these may result in adverse health outcomes for society or societal groups.
To prevent or reduce harms resulting from a lack of transparency, you should identify the risks of failing to provide sufficient transparency material when using health and social care information. In particular, you should consider the potential harm your intended use of information may have on the public. You can do this through the DPIA process. Once you identify a risk arising from your processing, you can seek to mitigate it by providing sufficient transparency information.
Example
A person does not own or have access to a mobile phone. The only way that the public are informed about a current public health campaign is through an app. As this person does not see the messages, they act in a way that is damaging to their health and they experience bodily harm as a result. They also experience psychological harm in the form of emotional distress from knowing that everyone else is getting the messages, but they are being excluded.
When do we do a DPIA?
In certain circumstances such as when you are using new technologies, your processing is likely to be high risk and you must conduct a DPIA. This is highly likely when you are using people’s health and social care information, especially on a large scale given the increased risks this information presents to people’s rights and freedoms. For more information on DPIAs see the further reading box below. However, even when it is not required, using this process can bring broader benefits. For example, you can demonstrate your compliance with data protection principles, including transparency. By documenting the risks you have identified and the steps you will take to mitigate them, you are being transparent about your thinking. Publishing your DPIA will further help to achieve this and also build trust and confidence with patients and service users.
Further reading
How do we engage with patients and service users?
The way in which you provide transparency information to people is almost as important as the information itself. To do this effectively, you need to understand who your audience is, how best to communicate with them and how to provide them with a sufficient level of detail on how you will use their information. Meaningful consultation with the public throughout the process of designing or updating transparency information will improve your understanding of their needs, concerns and expectations. It will also help to raise awareness of how and why you intend to use their information. It is important to include a representative and wide cross-section of the public, including, for example, children. This will help to ensure that the information you provide is tailored to suit the needs of all those likely to access it.
Patient engagement processes are often used within health and social care to make sure that people remain at the heart of decisions being made about them. You should consider using patient and public groups to develop and evaluate your transparency material.
Patient engagement can take many forms, including workshops, surveys and inviting patient representatives to join project delivery or governance groups. The process usually consists of working with groups that are representative of the different communities an organisation serves, to work through issues together. Effective patient engagement on data protection and information rights can help you develop high-quality transparency material that successfully addresses patient and service user needs and priorities.
For example, patient engagement can help you:
- understand the profile of your audience;
- establish how patients and service users understand and respond to transparency information;
- design engaging communications products for all members of the public through which you can provide transparency and privacy information, in a format they prefer to engage with;
- develop different material for groups that may require additional support to understand how the use of their information may impact them, or how to exercise their information rights (eg the elderly, those at risk of being ‘digitally excluded’, or anyone receiving information via an intermediary such as someone with parental responsibility or a carer);
- prioritise the order in which you provide your privacy information to people (often referred to as layering) based on their preferences and concerns, particularly for complex processing activities or multiple workstreams which may generate extensive privacy material; and
- evaluate the effectiveness of your transparency and communications material.