Introduction

Running until 7 January 2024, the Information Commissioner's Office is consulting on its new draft guidance on transparency in health and social care. The ICO has not previously provided guidance specifically for this sector. The aim of the new guidance is to provide a reference framework for health and social care service providers on their transparency obligations in relation to their use of personal data.

Policy background

With five years now having passed since GDPR came into force, most organisations are familiar with the concept of transparency and its close link with the right to be informed, which taken together require organisations to tell individuals how and why their personal data will be used. The ICO is now taking an active interest in transparency specifically (in other words, the obligation to ensure that individuals are aware of how their information is used) because of its key role in building trust and delivering positive outcomes for users and the wider public in health and social care settings. Being transparent may require organisations to go above and beyond providing the 'privacy information' that must be supplied as part of the right to be informed under Articles 13 and 14 UK GDPR.

One driver underpinning the new guidance is technology and its increasing pervasiveness throughout the sector. The ICO has identified that the use of technology is becoming more widespread and is constantly developing, and it is keen that organisations keep individuals up to date with all the ways in which their personal data will be used. Another driver is data sharing between organisations. While the ICO recognises that data sharing can bring clear benefits to individuals at different stages of their interaction with health and social care organisations, from front-line delivery of patient care through to research activities, it remains critical that users are fully informed of these activities so that they are empowered to make decisions about their information rights based on what an organisation tells them.

Key takeaways

As with other recent guidance published by the ICO, the recommendations are categorised as "must" (it's the law), "should" (the ICO's expectation) and "could" (good practice suggestions):

Must

  • When considering the processing of health and social care-related information, organisations must make sure they have a clear reason for using the information. Organisations must be open and honest about their intentions and operate transparently.
  • Where technology solutions are used to deliver care (including in relation to Trusted Research Environments), organisations must explain clearly to individuals what the technology is and why it is being used.
  • An organisation's approach to transparency must be proportionate to the nature of its processing. Larger organisations and organisations which process particularly sensitive information will be expected to consider transparency in more detail than smaller organisations with less resource and those which carry out lower risk processing activities.
  • To be transparent, organisations must tell relevant individuals about how their information will be used (e.g., through privacy notices). This should explain why the use of health and social care information is necessary and proportionate, and be easy to find.
  • Where an organisation is processing special category information, additional controls must be deployed to appropriately protect it (data protection by design).
  • If any exemption within UK GDPR or the Data Protection Act 2018 is being relied upon so as not to comply with the transparency requirements, organisations must make sure the exemption is properly applied, and only in limited circumstances.
  • Organisations must give individuals enough time to understand how their information will be used.
  • If consent is being relied upon to legitimise processing, the transparency information must make clear when consent is being used.
  • If processing is high risk and/or new technologies are being used, a DPIA must be carried out.

Should

  • In relation to any opt-out policies (including in relation to non-data protection matters), transparency information should inform individuals about how opt-outs work (e.g., how to register a preference).
  • When considering a type of processing activity, organisations should think about what harms could flow to individuals if there is insufficient transparency (this could be done through a DPIA).
  • Organisations should consider running focus groups and using patient groups to gain feedback from relevant stakeholders on prospective transparency information.
  • As well as formulating privacy notices to tell people about the organisation's processing, organisations should also take steps to tell people how they can find the privacy notice and actively communicate updates. When considering how best to communicate, organisations should consider:
  1. What are the most effective ways of communicating with its audience?
  2. How direct do communication methods need to be?
  3. How should privacy and transparency information be presented?
  4. How can it deal with complexity and avoid 'information overload'?
  5. How can the organisation work together with the individuals who interact with it?

Could

  • When providing transparency information, the following could be considered (e.g. within the corresponding privacy notice):
    • Giving information on how decisions are made concerning the use of personal data
    • Setting out the consequences of 'design decisions', including risks from using technology solutions
    • Displaying information in different ways, such as visually
    • Accompanying updated documentation with specific public communications
    • Providing information demonstrating the organisation's accountability framework, such as meeting minutes and policies on information governance
    • Linking the data protection information to other relevant laws which impact on how the organisation uses health and social care data
    • Letting people know specifically what changes are being made to how their information will be handled
    • Once data is being used, providing individuals with information on what outcomes have flowed from that information (e.g., reports)

Next steps

The consultation is open until 7 January 2024. Feedback can be submitted via the ICO's website.

If you would like to discuss the draft guidance or how your organisation handles personal data, please get in touch.

Contributors

Rachel Lawson

Associate

Martin Sloan

Partner