The organisation is transparent about how it collects, uses, shares and stores information. Privacy notices are clear and easy for members of the public to access.


E1.a Privacy and transparency information

Description

You follow best practice for providing privacy and transparency information to ensure that all individuals have a reasonable understanding of their rights and how their information is being used.

The expectation for this contributing outcome is Partially achieved.

Indicators of good practice (IGP) achievement levels can be viewed via the Data Security Protection Toolkit.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing - Partially achieved

1. Privacy information structure - obtain the organisation’s privacy policy or privacy notice, documenting whether it is concise, and written in clear and plain language. This includes:

  1. Avoiding the use of technical terms and acronyms. (PA#3)
  2. Ensuring information is clearly structured and delineated through headings and subheadings that make it easy for the reader to identify key information. (PA#3)

2. Privacy information contents - verify that the policy or notice includes:

  1. How data is collected. (PA#1)
  2. What types of data are collected. (PA#1)
  3. Who information is shared with. (PA#1)
  4. Whether information is transferred outside the UK. (PA#1)
  5. The organisation’s lawful bases for using information. (PA#1)
  6. How data is stored. (PA#1)
  7. The data rights which individuals hold in relation to their data and how to exercise these rights. These rights will include some combination of the following: right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object to processing. (PA#1)
  8. How to complain. (PA#1)

3. Privacy information process - verify that the organisation has a process for reviewing and updating privacy information wherever there are changes to the organisation’s processing of personal data, and how it ensures the process is followed. Privacy information reviews should include key personnel such as the Data Protection Officer (DPO). (PA#1)

4. Accessibility of privacy information - obtain evidence that the organisation has produced additional forms of privacy information which are effective for different audiences. This may include publication formats (such as web, print, audio), variations in length, and privacy information being given verbally through interaction with staff. (PA#2)

Additional approach to testing – Achieved

1. Accessibility of privacy information - obtain evidence that the organisation has produced additional forms of privacy information which are effective for different audiences. This may include publication formats (such as web, print, audio), variations in length, and privacy information being given verbally through interaction with staff. (A#2)

2. Privacy information layering - verify that the organisation’s privacy information is easily accessible to people who use its services. The organisation should be able to provide a rationale of how the publication formats they have chosen are appropriate for their audience. (A#3)

3. Transparency information - obtain evidence of additional transparency measures beyond privacy information which the organisation has undertaken to demonstrate openness and honesty in relation to its initiatives and activities involving personal data. (A#4)

Suggested documentation list - Partially achieved

Suggested documentation includes:

  • privacy information (which may be titled 'privacy policy', 'privacy notice' or another variation)
  • documents supporting scheduled reviews and updates to privacy information
  • rationale for accessibility of chosen privacy information publication formats

Additional documentation for Achieved level

Additional documentation includes:

  • evidence of different formats of privacy information being provided, for example website, printed, audio, documentation supporting verbal sharing
  • evidence of privacy information layering
  • evidence of additional transparency measures being undertaken beyond providing privacy information

Last edited: 17 September 2025 1:41 pm