The UK’s Information Commissioner’s Office (ICO) has launched a public consultation on its draft guidance on data privacy transparency in the health and social care sector. The proposed guidance emphasises the importance of going beyond the legal requirements of the GDPR in order to build trust with patients, and builds on themes of openness, honesty and patient engagement. The consultation is open until 7 January 2024, and is essential reading for tech companies providing services in the UK healthcare ecosystem.

We’ve set out our top six takeaways on the proposed guidance below.

  1. How does the guidance apply? The guidance is aimed at public sector health and social care organisations, but is also relevant to private and third sector organisations that deliver health and social care services. The guidance will be useful when using personal data for secondary purposes, such as research, planning health and social care services, and sharing records for secondary care.
  2. ‘Privacy information’ vs ‘transparency information’: The guidance distinguishes between ‘privacy information’ and ‘transparency information’:
    • Privacy information describes the specific information a controller must provide in order to comply with transparency obligations under the right to be informed.
    • Transparency information is the total range of material a controller should provide to comply with the transparency principle. This includes additional information that a controller could provide to people to make the transparency material more effective. Transparency information is essential in maintaining trust and informing expectations when using health data (special category data) for use cases that may not be obvious to patients.
  3. Going beyond legally mandated privacy information: The guidance encourages controllers to be ‘open’ and extend the principle of transparency beyond the information that typically appears in a privacy notice. For example, organisations may consider publishing lists of information disclosed to researchers and the reasoning behind this, and data protection impact assessments (DPIAs). Controllers may also consider publishing alternative forms of transparency information such as infographics, videos, or case studies; accountability information, including organisational policies (e.g. information governance policies, meeting minutes or data sharing arrangements); and even information that explains how other laws beyond data protection (e.g. health and social care legislation or government directions) provide the basis for organisations using information in certain ways.
  4. Being honest (disclose the good, the bad and the ugly): The guidance encourages honesty. This includes informing people about the risks or harms they may be exposed to and providing clarity on how an organisation will mitigate these risks or harms (such as following a data breach). This may include proactively dealing with contentious issues, such as when explaining issues about commercial access to health information.
  5. Distinguish between the GDPR and common law duty of confidentiality: The guidance distinguishes between: (i) identifying a lawful basis for processing under the GDPR (this may be GDPR consent, but other bases are available and are more likely to be appropriate in the healthcare context); and (ii) identifying a basis for use under the common law duty of confidentiality (this may be ‘implied’ or ‘explicit’ consent, or certain other bases). Where the common law duty applies, being transparent is particularly important so that people understand why the duty applies and on what basis their confidential information is being used.
  6. Consider patient engagement processes: The guidance emphasises patient engagement processes, such as workshops, surveys and inviting patient representatives to join governance groups. Effective patient engagement can help develop high-quality transparency material that addresses patient needs and priorities. This can help controllers to design engaging communications; develop different material for groups that may require additional support (e.g. the elderly, or those at risk of being ‘digitally excluded’); and prioritise the order in which they provide privacy information to people (i.e. layering) based on patient preferences and concerns.

The guidance goes on to encourage organisations to consider the harms associated with failing to provide adequate levels of transparency information and consider the most effective means to communicate transparency information to people.

Author

Jaspreet is a Senior Associate, and advises clients on complex issues at the intersection of healthcare, data and technology. Her practice has a particular focus on accessing and using patient data, innovative collaborations with hospitals, and the use and regulation of AI in the healthcare space.