May 16, 2024

ICO publishes new guide on transparency in the health and social care sector

Health and social care

The UK GDPR sets out seven key principles. One of these is “lawfulness, fairness and transparency”. The Information Commissioner’s Office (ICO) has recently developed guidance on how transparency can be implemented in health and social care settings. The guidance is aimed at any organisation that delivers health and social care services or processes health and social care information. The aim of the guidance is to supplement existing guidance to create a better understanding of how to comply with the UK GDPR.

What is the transparency principle?

The purpose of the transparency principle is to make sure individuals are aware of, and understand, when, how and why organisations use their personal information, and make decisions regarding the use of their personal information accordingly.

The principle of transparency is a pivotal one in the health and social care sector due to the detailed and sensitive nature of the personal information processed. A significant amount of this information will be special category data, so an element of trust and confidence in the handling and processing of such information is key.

How can an organisation employ this principle of transparency in practice?

  • Be open and honest with individuals about how and why you use personal information.
  • Provide individuals with a list of specific information about the collection and use of their information i.e. an up to date and comprehensive privacy notice.
  • Consider the information that you provide to individuals and whether you could do more to create trust i.e. improved information access tools, data protection impact assessments and/ or accountability information.

The failure to consider the principle of transparency can give rise to harm. This can range from psychological harm to an individual where there has been a loss of control of their personal information to reputational harm where an organisation is discovered not to have complied with the UK GDPR. To avoid such harms, organisations should identify the risks of failing to provide sufficient transparency material when using health and social care information.

The ICO has recommended the use of patient and public involvement and engagement to ensure that individuals remain at the heart of the decisions being made. The ICO suggests that this can help organisations understand their audience and how best to communicate with them, provide individuals with sufficient detail on the use of their information and design communications accordingly.

Under the UK GDPR, organisations are obliged to assess whether they are acting transparently. This should be reviewed and evaluated on a continual basis to ensure compliance remains accurate and up to date. Organisations should consider referring to the ICO’s transparency checklist which covers factors such as involving your data protection officer in key decisions and communications, awareness of the privacy information which must be provided and consideration of potential harms.

What happens if an organisation fails to comply with the ICO's guidance?

Whilst the ICO’s guidance is substantial, it is worth noting that the transparency measures should be proportionate to your processing activities and the overall data protection risk. Whilst the guidance is applicable to all organisations, it will not apply, in practice, to all organisations in the same way.

Failure to comply with the UK GDPR may lead to enforcement action from the ICO and data protection claims being issued by individuals whose rights have been infringed. This could, in turn, cause regulatory and insurance issues.

How can we help?

If you have any enquiries about this guidance and how it may impact your organisation or any data protection concerns in general, please contact our Health and Social Care team on

Call

Find out more about our Health & Social Care Team

Our team of Health & Social Care Experts