Following a public consultation, the ICO has published new guidance on transparency in health and social care, available here: Transparency in health and social care | ICO
What is Transparency?
Transparent processing is about being clear, open and honest with people from the start about who you are, and how and why you use their personal data. Transparency forms one of the key principles of data protection law (under Article 5(1) of the UK GDPR).
Who is the guidance aimed at?
The ICO has broadly defined the audience of the guidance as any organisation (including both private and third sector organisations) that delivers health and social care services or processes health and social care information, including for secondary purposes.
Why is Transparency important in healthcare?
Transparency is of crucial importance in the health and social care sector. One of the key reasons for this is that the information routinely handled is often highly sensitive (e.g. special category data, which is afforded additional protection) and, in the case of consent requests, specific attention must be given to ensuring that such consent is truly informed.
Transparency also plays a significant role in ensuring public trust and confidence within the healthcare sector. It is essential for organisations to be open and honest with individuals in relation to what their personal information is being used for and in connection with.
A lack of transparency has the potential to impact the development of new healthcare related technologies. Anne Russell, Head of Regulatory Policy Projects at the ICO, noted that personal information is becoming ‘more important than ever’ in boosting the efficiency and public benefit of new technology systems. Ms Russell also highlighted that open communication on the use of personal information is more likely to encourage individuals to share their health information for the benefit of initiatives such as medical research.
Key Takeaways from the ICO Guidance
The guidance does not specify what information should be provided in accordance with the principle of transparency as this will differ amongst all organisations (although please remember Articles 13 and 14 of the UK GDPR). However, it is advised that providing additional information on how and why information is used will increase trust and help manage an individual’s and the wider public’s expectations. The guidance also provides a helpful list of the type of information that organisations should consider providing.
Other factors to be considered when determining what information is provided include:
- The importance of choice
It must be made clear to individuals if their consent is being used as the lawful basis to process their personal information and they should also be informed on how opt-outs apply.
- Potential harm
A lack of transparency can give rise to potential harms. For example, if individuals are reluctant to share information which could be crucial to medical research, this may lead to wider societal harms.
- Public involvement
Organisations should consider their communication methods and engagement with the public.
After determining what information is to be provided, organisations then need to turn their attention to how this information will be provided. The UK GDPR states that organisations must operate transparently (Article 5(1)(a)) and provide specific privacy information to individuals (Articles 13/14).
Privacy notices are generally the most common method of conveying this information. However, the guidance stipulates that more than a notice is required. Efforts must be made to ensure individuals know where to access their privacy information and are notified when significant changes are made.
When assessing how information is provided organisations are encouraged to consider:
- The most effective ways of communicating with their audiences
This will differ depending on the organisation; however, it may include methods such as leaflets, social media posts or emails and text messages.
- The direct nature of their communication methods
In certain circumstances it may be appropriate to adopt a more direct method of communication such as letters or emails. On the other hand, if the aim is to engage larger audiences, methods such as public advertisements may be better suited.
- The presentation of privacy and transparency information
The most important information should be displayed prominently. Attention should be drawn to key points such as how information is used, the purpose for which it is used, any choices and actions people may have in relation to the use and where more detailed information can be found.
- The complexities of information overload
It is recognised that information processing within health and social care can be complex. Therefore, organisations are required to take this into account when considering how to communicate information and should look to simplify aspects to ensure it is readily understood.
- Working with others to deliver transparent information
The guidance notes that where organisations are working together it is important that information and materials are ‘joined up.’ This requires consideration of how and when people use different healthcare services.
The guidance also advises that organisations should be actively assessing whether they are being transparent. A checklist is provided within the guidance to assist organisations in assessing their compliance. However, it is important to note that if an organisation is processing information which poses a high risk to an individual’s rights and freedoms, a data protection impact assessment (DPIA) is required. A DPIA allows an organisation to identify and minimise the data protection risks associated with any particular project or exercise. The IPTC team at Morton Fraser MacRoberts would be pleased to provide advice and assistance in relation to DPIAs.
Should you have any queries in relation to the transparency guidance, require assistance to review your privacy notices in consideration of the new guidance, and/or more generally wish to discuss your compliance with the data protection laws, please do not hesitate to get in touch with Valerie Armstrong-Surgenor, Partner in the IPTC team at Morton Fraser MacRoberts.