

Transparency in the use of patient data is essential to lawful healthcare practice across England and Wales.
With the rise of digital health services, healthcare organisations face strict legal duties to inform individuals about how their data is collected, used, and shared. These obligations are critical for maintaining public trust and ensuring compliance with regulatory standards.
Legal Framework
In April 2024, the Information Commissioner’s Office (“ICO”) published detailed guidance for the health and social care sector to help organisations meet their transparency obligations. This guidance applies to all UK organisations (including private and third sector organisations) that deliver health or social care services.
While the legal requirements under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA”) have not changed, the guidance reflects the ICO’s awareness that emerging technologies in the healthcare sector increasingly rely on large volumes of sensitive personal data to provide direct care, and that the same data can readily be repurposed for secondary uses such as research, service planning or commercial analytics. The guidance highlights the significant privacy risks that can arise from such developments and acknowledges the high volumes of particularly sensitive and special category personal data processed in this sector.
Accordingly, healthcare organisations have a positive obligation to ensure that individuals share their personal information on the basis of a clear understanding of (i) how and why that information is needed, and (ii) how it will be used.
What is transparency?
Transparency ensures that organisations make data subjects aware of how their personal information is being processed, enabling individuals to make informed decisions about exercising their information rights. This is a fundamental part of the first principle of the UK GDPR, set out in Article 5(1)(a), which requires that personal data must be “processed lawfully, fairly and in a transparent manner in relation to the data subject.”
Transparency is also linked to the individual’s ‘right to be informed’ under data protection law, which is set out in Articles 13 and 14 of the UK GDPR (covering personal data collected directly from the individual and personal data obtained from other sources respectively).
How is transparency measured?
The ICO guidance helpfully refers to what organisations:
- Must do: legislative requirements under the UK GDPR and DPA that organisations are legally obliged to comply with
- Should do: recommended good practices that, while not mandatory, the ICO expects organisations to follow to meet legal standards effectively
- Could do: optional practices that can help organisations achieve the highest standards of transparency and enhance public trust.
Organisations are strongly encouraged to read the ICO guidance in full, which provides detailed examples of what must, should, and could be done to ensure full compliance with data protection legislation and to demonstrate transparency.
How does an organisation become more transparent?
The steps to achieving transparency will vary depending on the organisation, but healthcare providers should consider the following:
- Privacy policies & notices: Healthcare organisations must provide clear, accessible notices explaining how they use personal data, the legal bases for processing, data sharing practices, retention periods, and individuals’ rights
- Appoint a responsible individual: Some organisations are legally required to appoint a Data Protection Officer (“DPO”). Even where a DPO is not mandatory, organisations should ensure that a suitably qualified person is responsible for privacy and data protection compliance at both operational and strategic levels
- Consent and opt-outs: Where consent is relied on as the lawful basis, it must be freely given, specific, informed, and unambiguous. In practice, consent is often not the appropriate lawful basis for direct care, which typically relies on public task or legitimate interests together with a separate Article 9 condition for health data, so organisations should not ask for consent where another basis applies. Patients must also be informed about their rights under schemes such as the ‘National Data Opt-Out’, which applies to the use of confidential patient information in England for purposes beyond individual care
- Duty of candour: Healthcare providers must be open with patients, not only about general privacy and data protection practices, but also about serious incidents, including personal data breaches. Under Article 34 of the UK GDPR, a breach that is likely to result in a high risk to individuals must be communicated to those individuals without undue delay, and this sits alongside the statutory duty of candour in Regulation 20 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014.
To assist organisations, the ICO has published a transparency checklist, enabling organisations to self-assess and ensure they are meeting compliance obligations under data protection law.
Enforcement and Risks
The ICO is responsible for enforcing data protection law and has the power to investigate breaches and impose financial penalties. The Care Quality Commission (“CQC”) also assesses organisations’ compliance with data transparency obligations during inspections.
Failure to meet transparency obligations can result in significant regulatory penalties, civil claims for damages, and serious reputational harm.
Healthcare organisations must embed transparency into every aspect of their data handling practices to comply with the law, safeguard patient trust, and support the ethical development of digital health services. Clear communication, lawful processing, and proactive engagement with individuals are essential pillars of responsible data stewardship.
By adopting good practices and striving for the highest standards of openness, organisations will not only meet their legal obligations but also contribute to a healthcare system that patients can trust with their most sensitive information.