E1.a Privacy information

“You follow best practice for providing privacy and transparency information to ensure that all individuals have a reasonable understanding of their rights and how their information is being used.”

Overview

This contributing outcome relates to your organisation being transparent about how it uses and shares information.

Privacy information

You must provide privacy information about your organisation’s data processing activities which informs people about their rights under data protection legislation and how to exercise them. This is a requirement under UK General Data Protection Regulation (GDPR). 

In line with the Caldicott Principles, the information you provide should also ensure there are no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this.

Individuals must be made aware of this information. It can be sent to them directly via correspondence, or indirectly by leaflets, noticeboards and websites, but it must be easily accessible.

Your organisation must provide information that is:

  • concise
  • transparent
  • intelligible
  • clear
  • in plain language
  • communicated in an effective way

You may choose to display different privacy notices for different audiences, for example one for staff and another for members of the public. You may also choose to display separate privacy notices for separate processing activities: one for the use of cookies on your website, another for the data you process to provide care, and a further one for data used for national screening programmes.

For more detailed guidance on transparency information, please see the ICO’s guidance on transparency in health and social care. A template privacy notice (PN) produced by NHS England is available on NHS England’s universal information governance (IG) templates webpage.

Exceeding the ‘Standards met’ expectation for 2025-26

Approaches to increase transparency 

‘Privacy information’ is the information you must legally provide under UK GDPR. ‘Transparency information’ is additional information which you make available about your initiatives and activities involving personal data to demonstrate openness and honesty. 

You should evaluate which additional transparency measures would be beneficial to demonstrate to patients or people who use your services how their information is used, stored and protected. These may include: 

  • running awareness-raising campaigns 
  • providing information access tools for the public (such as patient portals) 
  • making IG policies publicly accessible 
  • publishing accountability information such as minutes from meetings 
  • having a process for publishing DPIAs, or summaries of them 

For more information about transparency measures, see ICO’s guidance on transparency in health and social care.

Supporting evidence

To support your response, you can review and upload (or link to) evidence which best demonstrates your achievement of the contributing outcome. Examples include:

  • privacy information (which may be titled 'privacy policy', 'privacy notice' or another variation) 
  • documents supporting scheduled reviews and updates to privacy information
  • rationale for accessibility of chosen privacy information publication formats
  • evidence of different formats of privacy information being provided, for example website, printed, audio, documentation supporting verbal sharing 
  • evidence of privacy information layering 
  • evidence of additional transparency measures being undertaken beyond providing privacy information

This is not an exhaustive list. You're welcome to provide other types of evidence if you feel they are relevant to the contributing outcome.

Your supporting statement should cross-reference how each piece of evidence provides justification for your achievement of the contributing outcome, including relevant page numbers where appropriate. 

Interpreting indicators of good practice

The table below sets out each indicator of good practice, the term within it that needs interpreting, and how that term should be interpreted.

Indicator of good practice PA#1: Your privacy information is complete and up to date, covering how data is used, what individuals’ rights are and how they can exercise them.

Term: 'complete'

Interpretation: To be 'complete', your privacy information should:

  • comply with your transparency obligations under UK GDPR
  • enable patients and service users to have clear expectations about how and why their confidential information is used, to satisfy the common law duty of confidentiality

NHS England’s universal privacy notice template helps you ensure your transparency information covers the necessary information from a health and care perspective.

Indicator of good practice A#2: Privacy information is easily accessible and provided in a range of different formats for different audiences.

Term: 'range of different formats'

Interpretation: Your privacy information should be available in an appropriate range of formats to ensure that it's easily accessible for your audience. This means considering different:

  • publication formats (such as web, which may include text, audio or video, and print, which may include braille and large print)
  • lengths (such as concise versions versus more detailed versions)

Last edited: 30 July 2025 2:24 pm