The ICO recently published draft guidance on data transparency in the health and social care sector. The draft guidance is currently open to a public consultation, which is due to close on 7 January 2024.
The ICO aims to improve understanding of its expectations regarding standards of transparency for health and social care through the draft guidance, which supplements existing ICO guidance on the principle of transparency and the right to be informed.
Why has this guidance been prepared?
Transparency in health and social care has become increasingly pertinent in light of new technologies that support direct and secondary care and use large amounts of personal information, such as Trusted Research Environments (TREs). The ICO warns that a lack of transparency not only weakens public trust, leading to individuals opting out of sharing their data, but can also lead to data protection harms.
Research has shown that people are willing to share their personal health data, but not if they do not understand how and why their data is being used. Health data is also, by its very nature, sensitive data that warrants additional protection pursuant to the UK GDPR. Accordingly, the ICO hopes to increase public trust and confidence in the sharing of health data by improving transparency practices in health and social care.
Who is this guidance for?
The guidance is intended for ‘anyone in health and social care who is involved in delivering transparency information to the public’. Examples include DPOs, information governance staff and those developing new technological solutions.
Although targeted primarily at public sector organisations, the guidance is also relevant for private organisations that deliver health and social care services.
What are the key takeaways from the guidance?
The guidance offers suggestions for best practice in three main areas:
- Developing transparency information;
- Providing transparency and privacy information; and
- Assessing transparency.
Note that the guidance differentiates between privacy information (i.e. the specific information required by Articles 13 and 14 UK GDPR to comply with transparency obligations) and transparency information (i.e. materials that should be provided to comply with the transparency principle in Article 5(1) UK GDPR). This is an interesting distinction made by the ICO and clarifies that the transparency requirements under Articles 13 and 14 are separate from those under Article 5(1) UK GDPR.
Developing transparency information
The ICO recommends the following when developing transparency information:
- Additional transparency information. Provide additional transparency information (beyond that which forms part of the required privacy information) to help set expectations and create trust. The additional information to be provided will depend on the type of personal data being processed, the purpose of processing and the impact this will have on individuals, but could include clarity on design decisions for new technological systems and accountability information, such as information governance policies and data sharing arrangements.
- Extent and timing. Organisations should give as much information as possible, including any identified risks or harms and how these will be mitigated, and should do so at the earliest opportunity to give people sufficient means to engage with the use of their data.
- Choice. Where a choice is available to individuals as to how their personal data may be used, this should be emphasised and explained in full (e.g. data opt-out policies).
- Data protection impact assessments (DPIAs). The use of DPIAs is strongly encouraged. The ICO also suggests publishing DPIAs to increase transparency.
- Patient engagement. Consult with the public throughout the process of designing/updating transparency information, e.g. using patient and public groups. Make sure to incorporate a wide section of the public, including children, as well as patient representatives to tailor the information to those likely to access it.
Providing transparency and privacy information
Organisations should consider the following when presenting transparency and privacy information:
1. Means of communication. The most effective means of communication will vary depending on the intended audience. Transparency information must be easy to find and staff should be able to provide or direct people to the relevant information when needed.
2. Form of communication. Consider the intended impact of the communication and how the public might expect the information to be presented. For example, a bus stop advert will not provide the same level of detail as a letter, but can be effective for raising general awareness (e.g. that patient information may be used for medical research).
3. Presentation. Important information should be placed prominently within the initial layers of the communication. This could take the form of a brief overview of the means and purposes of processing, highlighting any choices or actions available about how the data will be used, and signposting to areas containing more detailed information.
4. Complexity. Avoid ‘information overload’ and simplify explanations of complex processing techniques so that they remain clear and accessible. It is better to pitch information at a high level to ensure people remain engaged and achieve greater overall awareness than to risk overwhelming or confusing them.
5. Timing. Work with health and social care services to deliver transparency and privacy information at the most effective point in time to patients and service users.
Assessing transparency
Transparency is assessed in view of the circumstances of the data use and the transparency measures implemented. The ICO has provided a transparency checklist to help organisations comply with transparency and privacy information requirements.