Part of Objective E - Using and sharing information appropriately
Principle: E1 Transparency
E1.a Privacy information
“You follow best practice for providing privacy and transparency information to ensure that all individuals have a reasonable understanding of their rights and how their information is being used.”
Overview
This contributing outcome relates to your organisation being transparent about how it uses and shares information.
Mapping to the 23-24 DSPT framework
Under the previous 23-24 Data Security and Protection Toolkit (DSPT) framework, your organisation was required to perform activities that help meet the expectations of this contributing outcome.
For more detail on what these activities were, see the mapping exercise published by NHS England and Department of Health and Social Care (DHSC).
Privacy information
You must provide privacy information about your organisation’s data processing activities which informs people about their rights under data protection legislation and how to exercise them. This is a requirement under UK General Data Protection Regulation (GDPR).
In line with the Caldicott Principles, the information you provide should also ensure there are no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this.
Individuals must be made aware of this information. It can be sent to them directly via correspondence, or indirectly by leaflets, noticeboards and websites, but it must be easily accessible.
Your organisation must provide information that is:
- concise
- transparent
- intelligible
- clear
- in plain language
- communicated in an effective way
You may choose to display different privacy notices for different audiences. For example, one for staff and another for members of the public. You may also choose to display separate privacy notices for separate processing; one for the use of cookies on your website; another for the data you process for providing care; and a further one for data used for national screening programmes.
For more detailed guidance on transparency information, please see the ICO’s guidance on transparency in health and social care. A template privacy notice (PN) produced by NHS England is available on NHS England’s universal information governance (IG) templates webpage.
Additional transparency measures
Where practical, you should also provide additional information about your data processing activities to enhance transparency. This means making information such as data protection impact assessments (DPIAs) available to people to demonstrate openness and honesty around specific data processing activities.
To learn more about the difference between privacy and transparency information, see ICO’s guidance on transparency in health and social care.
Supporting evidence
To support your response, you can review and upload (or link to) evidence which best demonstrates your achievement of the contributing outcome. Examples include:
- privacy information (which may be titled 'privacy policy', 'privacy notice' or another variation)
- documents supporting scheduled reviews and updates to privacy information
- evidence of different formats of privacy information being provided, for example website, printed, audio, documentation supporting verbal sharing
- documents supporting process for publishing DPIA summaries
- DPIA summaries which have been shared with the public
- documents showing which communications channels have been used to be more transparent with the public about the organisation’s data processing
This is not an exhaustive list. You're welcome to provide other types of evidence if you feel they are relevant to the contributing outcome.
Your supporting statement should cross-reference how each piece of evidence provides justification for your achievement of the contributing outcome, including relevant page numbers where appropriate.
Interpreting indicators of good practice
Indicator(s) of good practice | Term | Interpretation
---|---|---
PA#1 Your privacy information is complete and up to date, covering how data is used, what individuals’ rights are and how they can exercise them. | 'complete' | To be 'complete', your privacy information should: NHS England’s universal privacy notice template helps you ensure your transparency information covers the necessary information from a health and care perspective.
PA#2 Privacy information is easily accessible and provided in a range of different formats for different audiences. | 'range of different formats' | Your privacy information should be available in an appropriate range of formats to ensure that it's easily accessible for your audience. This means considering different:
Additional guidance
For additional guidance, see:
NHS England | Universal information governance templates and FAQs
Information Commissioner’s Office | Right to be informed
Information Commissioner’s Office | Transparency
Information Commissioner’s Office | Transparency in health and social care
Mapping to other cyber frameworks
NHS England and DHSC have produced a mapping document showing where the requirements of the CAF-aligned DSPT overlap with those of other cyber frameworks. New frameworks will be added to this document over the course of the year.
Last edited: 17 December 2024 10:11 am