It’s good to talk: transparency on data in the health and social care sector

Medical and social care professionals are well-acquainted with the need to be open and honest with those receiving care. Discussing the risks and benefits of treatment ensures that patients play an active role and feel that they retain control over their conditions. Engaging with social care users ensures they retain as much agency as is possible. Openness generates and reinforces the necessary bond of trust and confidence that allows constructive and helpful conversations, and appropriate decision-making, to occur.

Transparency obligations extend to the use of a patient’s personal data. Health and social care services must ensure that users are told the purposes for which their data will be used, why it is needed, with whom it will be shared, how long it will be kept, and how it is protected. In April 2024 the Information Commissioner’s Office (ICO) published new Guidance for the health and social care sector, setting out expectations about transparency.

The majority of organisations seek to comply with the first Data Protection Principle – which requires processing to be ‘lawful, fair and transparent’ – via the publication of a privacy notice. However, ‘transparency’ can require the provision of supplemental materials and information to explain how personal data will be used. An example given in the guidance is the sharing of policy documents on a hospital trust’s website that set out how the trust makes decisions about sharing personal information with research organisations. The documents themselves do not contain personal data, but in sharing them the trust is being transparent with service users.

The Guidance is not prescriptive as to what must be shared to comply with the transparency principles, but the ICO’s suggestions as to what could be appropriate include:

  • information that explains how decisions will be made about the use of personal information;
  • confirmation of what an organisation will not do with people’s information to provide reassurance;
  • accountability information, including organisational policies (e.g. information governance policies, meeting minutes or data sharing arrangements);
  • data protection impact assessments;
  • lists of information disclosed to researchers and the reasoning behind that sharing;
  • improved access tools for the public to give them greater visibility of the status of their own information, such as patient portals; and
  • information that challenges or proactively deals with contentious issues.

Where service users will have genuine choices as to the use of their data, these opportunities should be highlighted and explained. There are limited opportunities within a public health and social care system for users to provide meaningful consent to data processing, as data must and will be processed to provide care. Users should not be misled into thinking they have no choice when in fact they do.

Health and care organisations should aim to develop high-quality transparency information. To identify what level of transparency addresses people’s needs and priorities, the ICO suggests using patient and public involvement and engagement processes, so that people remain at the heart of decisions being made about them.
