The UK’s data protection regulator, the Information Commissioner’s Office (the ‘ICO’), has published new guidance for health and social care organisations to ensure they are being transparent.
Organisations must comply with data protections laws, such as the UK General Data Protection Legislation (UK GDPR) and the Data Protection Act 2018. This may seem daunting at first, but the ICO proactively publish guidance and training on all aspects of data protection law, including how to be transparent.
What does being transparent mean, and why is it important?
The first of seven key principles written in the UK GDPR says “[data must be] processed lawfully, fairly and in a transparent manner in relation to the data subject”. This ties in with one of the statutory rights available to individuals: the right to be informed.
It’s important to remember that a data subject could be anyone who’s personal data is processed by an organisation, including patients, residents, family or close contacts, staff, contractors, suppliers and other third parties. By being transparent with all data subjects, you will create a high level of trust and understanding.
The ICO’s guidance describes transparency as ensuring people are:
- Aware of and understand when and how organisations are using their personal information and for what purpose; and
- Empowered to make decisions about their information rights based on that knowledge.
Transparency is especially important for the health and social care sector, as, in addition to large amounts of personal data, organisations process ‘special category personal data’ which is more sensitive and requires further protection, such as health data, for example.
Another reason why transparency is important is the continuing trend in the health and social care sector of data driven solutions, such as emerging and innovative technologies or the use of artificial intelligence. If an organisation utilises these types of technologies (subject to establishing a lawful basis to do so and completion of a data protection impact assessment), then data subjects must be well informed about how their personal information may be used.
ICO Guidance
The new guidance published by the ICO explores what transparency means, how to develop transparent material, how to provide information to individuals, and factors to consider when assessing your level of transparency. It also contains other information applicable to transparency requirements, such as pre-emptive steps to take before developing transparent information, how to develop transparent information, how to identify risks, and when a data protection impact assessment is required.
The guidance helpfully refers to what organisations must do, should do, and could do:
| Legislative requirement | Must do | A legal requirement that must be complied with (data protection laws that the guidance refers to are UK GDPR and Data Protection Act 2018 only). |
| Best practice | Should do | Not a legislative requirement, but nevertheless what an organisation should do as the ICO would expect them to do so to comply with the law. |
| Could do | An option which could elevate an organisation to the best possible standard. |
We encourage all organisations in the health and social care sector to read the guidance. The full guidance published by the ICO can be found on their website: Transparency in health and social care | ICO.
So, how do you become transparent?
Exactly how you are transparent with people will depend on multiple factors. Broadly speaking, here are some points for you to consider further:
- Policies and Notices
You should ensure that you are proactively publishing information for the relevant people to see. A good place to start is a comprehensive privacy policy.
- Appoint a Responsible Individual
You may be statutorily required to appoint a data protection officer (see the ICO website for more information on this). Even if you do not require a DPO, you should ensure someone in the organisation has sufficient knowledge on your private and data protection requirements at an operational and strategic level.
- Create a Clear Communication Channel
You should ensure that people know where they can go to ask questions about their personal data. The email address published on your website and within your policies should reach the a select few people who can assist with data protection matters, rather than to one individual. This email address (such as ‘dataprotection@…’) will ensure that emails are not missed or delayed due to someone being out of the office,
- Be Honest
A simple but important point – be honest. If you are asked about your privacy and data protection practices, be honest with people. Some information may not be proactively published (you may chose to only list the categories of third parties you may share personal data with, as opposed to listing the names of those third parties, for example). Remember that individuals have rights under data protection law, such as the right of access, the right to be informed, or the right to erasure, to name but a few.
If you wish to discuss anything covered in this article please contact our our Intellectual Property, Data Protection and Technology team and we will be happy to help.