
The organisation is transparent about how it collects, uses, shares and stores information. Privacy notices are clear and easy for members of the public to access.


E1.a Privacy and transparency information

Description

You follow best practice for providing privacy and transparency information to ensure that all individuals have a reasonable understanding of their rights and how their information is being used.

The expectation for this contributing outcome is Partially achieved.

Indicators of good practice (IGP) achievement levels


Not achieved

At least one of the following is true:

NA#1. Privacy information is either not available, incomplete, or out of date.

NA#2. Privacy information is provided in a format that not all patients and service users are able to access.

NA#3. Privacy information is unclear, overly complex or does not use accessible language.

Partially achieved

All the following statements are true:

PA#1. Your privacy information is complete and up to date, covering how data is used, what individuals’ rights are and how they can exercise them.

PA#2. Privacy information is easily accessible and provided in a range of formats for different audiences.

PA#3. Privacy information is concise, in plain language and communicated in an effective way.

Achieved

All the following statements are true:

A#1. Your privacy information is complete and up to date, covering how data is used, what individuals’ rights are and how they can exercise them.

A#2. Privacy information is easily accessible and provided in a range of formats for different audiences.

A#3. Privacy information is concise, in clear and plain language, communicated in an effective way and uses a layered approach.

A#4. Your organisation publishes relevant data protection impact assessments or summaries of these so that the public can better understand how their data is used and protected.

A#5. Your organisation effectively uses its communications channels to be transparent about its data use.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing - Partially achieved

1. Privacy information structure - obtain the organisation’s privacy policy or privacy notice, documenting whether it is concise, and written in clear and plain language. This includes:

  1. Avoiding the use of technical terms and acronyms. (PA#3)
  2. Ensuring information is clearly structured and delineated through headings and subheadings that make it easy for the reader to identify key information. (PA#3)

2. Privacy information contents - verify that the policy or notice includes:

  1. How data is collected. (PA#1)
  2. What types of data are collected. (PA#1)
  3. Who information is shared with. (PA#1)
  4. Whether information is transferred outside the UK. (PA#1)
  5. What are the organisation’s lawful bases for using information. (PA#1)
  6. How data is stored. (PA#1)
  7. The data rights which individuals hold in relation to their data and how to exercise these rights. These rights will include some combination of the following: right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, and right to object to processing. (PA#1)
  8. How to complain. (PA#1)

3. Privacy information process - verify that the organisation has a process for reviewing and updating privacy information wherever there are changes to the organisation’s processing of personal data, and how it ensures the process is followed. Privacy information reviews should include key personnel such as the Data Protection Officer (DPO). (PA#1)

4. Accessibility of privacy information - obtain evidence that the organisation has produced additional forms of privacy information which are effective for different audiences. This may include publication formats (such as web, print, audio), variations in length, and privacy information being given verbally through interaction with staff. (PA#2)

Additional approach to testing – Achieved

1. Privacy information layering - obtain the organisation’s privacy information and verify that key information is provided in a short notice, with links to expand sections and access a second layer of more detailed information. (A#3)

2. Transparency in data protection impact assessments (DPIAs) - 

  1. Verify that the organisation has a process for deciding whether a summary of the DPIA should be published publicly each time it completes a DPIA. (A#4)
  2. At least some proportion of the organisation’s DPIAs should have met the threshold the organisation has set for public availability. Verify that these DPIAs are publicly accessible in summary form. (A#4)

3. Transparency through communication channels - Enquire with the organisation as to the various communication channels it uses to be transparent about its data use beyond its legally mandated privacy information. Inspect any documentation that details what each channel has been used for, and by whom. Inspect a sample of evidence to verify that each channel has achieved a discernible benefit in making the organisation’s data processing more transparent. (A#5)

Suggested documentation list - Partially achieved

Suggested documentation includes:

  • privacy information (which may be titled 'privacy policy', 'privacy notice' or another variation)
  • documents supporting scheduled reviews and updates to privacy information
  • evidence of different formats of privacy information being provided, for example website, printed, audio, documentation supporting verbal sharing

Additional documentation for Achieved level

Additional documentation includes:

  • documents supporting process for publishing DPIA summaries
  • DPIA summaries which have been shared with the public
  • documents showing which different communications channels have been used effectively to be more transparent with the public about the organisation’s data processing

Last edited: 2 January 2025 11:56 am