The ICO’s healthcare transparency guidance: Going beyond the legal minimum
Posted: June 7, 2024
Collecting, using, and sharing health data can enhance research and improve healthcare organizations’ operations. But unless patients get the right information, using their personal data for reasons other than direct care might be unlawful, unfair, or impossible.
Here’s an overview of new guidance from the Information Commissioner’s Office (ICO), which explains how healthcare organizations can meet or exceed their transparency obligations under the UK General Data Protection Regulation (UK GDPR).
Who should read the ICO’s guidance
The ICO’s guidance is for organizations that collect, use, and share personal data in the health and social care sector, including:
- Healthcare providers like hospitals, GP practices, care homes, etc.
- Social care providers
- Medical research organizations
- Integrated Care Systems (partnerships of health and social care organizations)
Beyond the examples above, any organization processing personal data in connection with health and social care services is likely to benefit from reading the guidance.
Aims of the ICO’s guidance
The primary aim of the guidance is to help organizations in the health sector inform the public about how they use personal data through measures such as:
- Explaining how and why personal data is used in order to help set public expectations and build trust.
- Helping people make informed choices about opting out of secondary uses of their data.
The guidance ultimately aims to expand the processing of health data, including by:
- Promoting the benefits of certain types of data processing to the public, such as medical research using health data.
- Encouraging the public to accept the use of health data for innovative uses with a potential public benefit, such as AI-based technologies.
The ICO also covers legal compliance and risk mitigation issues, such as the following:
- Explaining the UK GDPR’s transparency requirements and how organizations can exceed them.
- Aiding compliance with the principles of health information schemes such as the Caldicott Guardians and Data Guardians.
- Mitigating potential physical, material, and non-material harms that can arise from a lack of transparency.
Transparency under UK data protection law
When collecting, sharing, or otherwise processing health data, healthcare organizations’ main obligations derive from the UK GDPR.
- Article 5(1)(a) imposes a general principle of transparency that applies whenever personal data is processed.
- Article 13 sets out the information that controllers must provide when collecting personal data directly from data subjects.
- Article 14 sets out the information controllers must provide when collecting personal data indirectly (i.e., from a source other than the data subjects).
- Article 12 explains how controllers must provide the above information.
Both the UK GDPR and the UK’s Data Protection Act 2018 provide exceptions and exemptions: situations where controllers (sometimes specifically controllers in the healthcare sector) do not need to provide certain information to data subjects.
The ICO emphasizes that controllers should only rely on the law’s exemptions after careful consideration and assessment.
Going beyond the minimum
The ICO says that “data protection legislation does not specify or limit what information to include as part of the transparency principle.”
While it’s perhaps misleading to suggest that data protection legislation does not specify what information to provide (Articles 13 and 14 provide enumerated lists of transparency information), it’s true that the GDPR does not limit how much transparency information to provide.
“Providing additional transparency information will help explain how and why you use people’s information, which will help set expectations and create trust,” the guidance states.
The ICO says that healthcare organizations should consider going beyond the GDPR’s baseline transparency requirements by:
- Providing extra information to patients, for example about how the organization makes decisions about using personal data or what risks might be involved in sharing personal data.
- Providing information in different formats, for example using diagrams, graphics or videos.
- Providing information in other places, such as via public awareness campaigns on social media or billboards.
Methods of providing information
As noted, Article 12 of the GDPR provides the minimum requirements for delivering transparency information to data subjects. The ICO makes some additional recommendations based on these requirements.
Transparency information must be:
- Easy to access
- Easy to understand
- Free of jargon or technical language where possible
The ICO recommends that healthcare organizations:
- Use a variety of communication methods tailored to the audience, such as websites, leaflets, social media, videos, and in-person contact points.
- Employ a layered approach in online privacy notices, starting with a brief overview and allowing access to more detailed information through links or expandable sections.
The guidance states that taking a “layered approach” will “help people engage with the substance of your message and quickly gain a broad sense of what is happening to their information.”
Engaging with the public
The ICO suggests running public consultations to help ensure healthcare organizations can get their message across in the right way.
“Meaningful consultation with the public throughout the process of designing or updating transparency information will improve your understanding of their needs, concerns and expectations,” the guidance states.
The ICO recommends that healthcare organizations:
- Include a representative cross-section of the public, such as children, underrepresented groups, and those unfamiliar with or skeptical about the topic.
- Use public engagement to evaluate the effectiveness of transparency materials and make improvements.
Evaluating and reviewing transparency measures
The ICO provides the following tips for healthcare organizations when reviewing their communication methods:
- Regularly evaluate transparency materials to ensure they are accurate and effective.
- Identify transparency issues and make improvements in response to feedback and evaluations.
- Consider using a transparency checklist to ensure compliance and improvement across projects.
The ICO’s message is clear: Think bigger than just the GDPR’s minimum requirements. Embracing transparency helps people make more informed decisions about their health data and should help healthcare organizations collect and use personal data more effectively.
Read our Prescribing privacy: Patient health data research report
We spoke directly to US consumers in order to delve into the heart of consumer trust and confidence in the healthcare system’s ability to protect and uphold data, as well as attitudes toward their own understanding of healthcare data privacy…
- Factors that influence perceptions of healthcare providers’ commitment to safeguarding their data privacy
- How data breaches in the news impact their feelings
- How they evaluate a healthcare provider for data security
- Actions healthcare organizations can take to fortify trust while navigating the intricacies of data privacy