The UK ICO has recently published guidelines on transparency in health and social care. Our Privacy & Data Security team looks at the implications for organisations, including those looking to use personal data for research.
The new guidelines build on the ICO's existing transparency guidelines. They are directed towards any organisation, whether public, private or third sector, that processes health data, including for research.
The ICO sees transparency as necessary for data protection compliance and building public trust. In that vein, the guidelines are focused on:
- Privacy information - which the organisation must provide in order to comply with data protection law, and
- Transparency information - which the organisation should provide to comply with the transparency principle and improve the effectiveness of the transparency material.
Key takeaways
Harms arising from lack of transparency
The ICO identifies the following harms as ones that could affect data subjects:
- Psychological harm - this can result in fear, anxiety, and embarrassment where data subjects do not understand how their data is being used.
- Loss of control of personal information - where complex information is provided, users are deterred from reviewing it. As a result, they can lose control over their personal data because they do not understand how it is being processed.
- Lack of trust in services - where organisations are not transparent, data subjects can be reluctant to continue using the service. This could in turn impact their health if they are not forthcoming with information about themselves.
The identification of harms is important where organisations are considering what mitigations they can put in place as part of carrying out a data protection impact assessment, where one is needed. Increasingly, we have seen privacy and data protection authorities focus on loss of control as a harm when looking at how organisations process personal data.
Methods for conveying transparency and privacy information
The ICO states that it is important to understand the data subject’s needs when providing transparency information. For example, where data subjects are not engaging with the organisation in a digital form, the transparency information should be provided in a non-digital form.
The information can be provided to a larger audience or more directly one-on-one, such as by way of letter, depending on the context. Direct forms of communication are not always necessary or appropriate. When considering whether a direct form of communication is necessary, the organisation should consider:
- The impact the information will have on the data subject, and
- The public expectations around the information provided.
Presenting information effectively
Similar to the existing guidance on transparency, the ICO encourages the use of layered privacy information. The most important pieces of information should be prominently displayed in the first layer, with the second and even third layers providing additional details. The first layer should include:
- A brief overview of how the organisation will use the data subject’s information and for what purpose,
- Any choices or actions available to data subjects about how their information is used, and
- Signposts to where data subjects can find more detailed information in the additional layers.
Transparency checklist
The ICO has provided a transparency checklist to help organisations assess whether they are complying with the transparency requirements.
Conclusion
The guidelines expand on many of the existing transparency concepts but highlight the importance of thoughtfully approaching transparency for health and social care data. Organisations should consider how their approach to transparency complies with the guidelines, including whether they are using the best method and presenting information effectively, and whether they can make any changes going forward.