Overview
Healthcare sector organisations are increasingly deploying new technologies that use large amounts of personal information to support both direct care and secondary purposes, such as planning and research. Although these data-driven solutions offer many benefits to the public, often people are reluctant to agree to organisations sharing and using their information, especially where it is not clear how it will be used.
Following a consultation last year, the Information Commissioner’s Office (ICO) has published transparency guidance for organisations which deliver health and social care services or process health and social care information, including for secondary purposes such as research and planning. The guidance incorporates feedback from health and social care organisations across the UK.
In Depth
What Are the Transparency-Related Requirements Under the UK GDPR?
Under the UK GDPR, organisations must (i) operate transparently (the transparency principle) and (ii) provide specific privacy information to individuals (the right to be informed). Since the transparency principle is less prescriptive than the right to be informed, the guidance correspondingly distinguishes between “privacy information” (which is required under Articles 13 and 14 of the UK GDPR) and “transparency information”, which should be provided as a matter of best practice.
What Are Some of the Recommendations in the New Guidance?
The guidance states that to increase transparency and trust, in addition to providing the privacy information required by Articles 13 and 14, organisations should consider providing extra information, such as:
- confirmation of what the organisation will not do with people’s information;
- lists of information disclosed to researchers and the reasoning behind this; and
- information that challenges or proactively deals with contentious issues, for example when addressing misconceptions relating to third-party access to sensitive health information.
Further, given the co-existence of consents for different purposes in the healthcare and research sector (for example for data protection, common law duty of confidentiality, clinical trial participation and other purposes), the guidance emphasises that it is important to set out the position in respect of consents and choice clearly. For example, an organisation must make clear for what purposes it is using consent. Is it as a lawful basis to process personal information, or for other purposes, such as consent to research participation?
The guidance also encourages organisations to consult with the public throughout the process of designing or updating transparency information, as it will improve the organisation’s understanding of data subjects’ needs, concerns and expectations, and to consider the most effective means to communicate transparency information.
What Are the Next Steps?
Although some sections of the guidance are written with NHS organisations in mind, the guidance is highly relevant to life sciences and research organisations, and those providing services to NHS organisations. The next steps for organisations to consider include the following:
- Review what personal information they use and plan to use and why.
- Identify transparency issues and make improvements in response. For example, do they have any additional transparency material beyond a privacy notice? Does it contain more than what is strictly required?
- Design an evaluation strategy to ascertain whether their communications raised awareness and understanding of their practice by patients/data subjects.