Approval standards and guidelines: privacy notice
Updated 2 August 2024
Approval standard: privacy notice
When must this standard be met
This standard must be met for all applications to process personal data as defined in UK GDPR.
Standard
1. All applications requesting access to personally identifiable data must demonstrate compliance with the transparency and accountability principles of UK GDPR, unless exempt, by evidencing they have in place a UK GDPR complaint privacy notice. For more information on the other standards to be met under UK GDPR, see Approval standards and guidelines: lawful processing (UK GDPR).
The privacy notice:
- must be project-specific, unless the processing is, or will be, for the provision of individual care or ‘direct care’ of the data subject – if this is the case, the corporate privacy notice of the organisation can be shared
- must comply with the legal provisions of Article 12, Article 13, and Article 14 of UK GDPR – it must contain the specific provisions highlighted in the ICO privacy notice checklist dependent on particular circumstances of the organisation, and how and why personal data is or will be processed
-
must be:
- concise, transparent, intelligible, and in an easily accessible form, avoiding unnecessarily legalistic and technical terminology
- written in clear and plain language, particularly for any information addressed specifically to a child
- delivered in a timely manner
- provided free of charge
2. The privacy notice does not need to be restricted to a single notice or page on a website. Where a blended or layered approach is used to communicate the transparency requirements of Article 12, Article 13 and Article 14, the application must clearly demonstrate compliance with this standard:
- the application must document precisely where the relevant privacy information is available about the project.
3. Where the project is a research project, the data controller named in the privacy notice must be the research sponsor.
4. Where there are joint sponsors or co-applicants, each should be named as joint controllers in the privacy notice. It is the responsibility of joint controllers to determine and agree on their respective responsibilities for compliance with the obligations under UK GDPR. The determination of their respective responsibilities must highlight the exercise of data subjects’ rights and the duties to provide information.
5. All applications requesting access to personally identifiable data must demonstrate that the data controllers has or will make the project-specific privacy notice available to the data subjects, including demonstrating the modes of communication used or to be used.
The application must demonstrate that:
- the mode of communication reflects the origin of the data (the data subject directly or a secondary source) – see ICO guidance on the ways you should provide privacy information
- the application must demonstrate that the timing when the privacy notice will be supplied reflects the source of the data (for example, a ‘just in time’ notice where data is collected directly from the data subject)
6. The privacy notice must clearly and unambiguously stipulate the role of UKHSA and any other organisation involved in the processing including the exact nature of the processing UKHSA will conduct (that is, as a source of data, trusted third party linkage service and so on).
The privacy notice must:
- describe the processing operations involving UKHSA
- describe the processing operations involving other organisations identified in the application
Guidelines
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 set out that any processing of personal data must be lawful, fair, and transparent.
Providing accessible information to individuals about the use of their personal information (data) is a key element of their legal right to transparency. The most common way to inform individuals about the use of their personal data is through a privacy notice. This is sometimes referred to as a fair processing notice.
A privacy notice should provide clear and transparent information to individuals about how personal data are collected, used or otherwise processed, and to what extent personal data are, or will be, processed.
This is so that individuals are made aware of risks, rules, safeguards and rights in relation to the processing of their personal data and how to exercise their rights in relation to such processing. Article 12, Article 13, and Article 14 and associated recitals of UK GDPR provide detailed instructions on how to comply.
Information to include
UKHSA reviews all privacy notices in accordance with the privacy notice checklist published by the Information Commissioner’s Office (ICO) and the purposes, relationships and processing operations set out in the application. Broadly, a good privacy notice will:
- be written in clear language the data subject will understand
- be truthful and in no way misleading
-
contain the following sections:
- who the data controllers and data processors are
- the categories of data collected or processed
- why the data is collected (purpose)
- how the data is used (processed)
- the lawful basis for processing the data, set out in Article 6
- the lawful basis for processing special category data, set out in Article 9, where applicable
- how and where the data is stored and how long for, and how security is ensured (for more details on our expectations of organisations regarding personal data security, see Approval standards and guidelines: data security)
- who or which organisations data is shared with and why
- what those organisations will do with the data
- the individual’s rights over their data (including right of access) and how they can exercise them
- contact details for the data protection lead (for queries), where applicable
- contact details for the ICO in the event the data subject wishes to make a compliant
- highlight any changes made to the way the personal data is processed
When preparing your privacy notice, it is recommended that you review the prevailing guidance from the ICO (see ICO Guide to the UK GDPR: The right to be informed: What privacy information should we provide?).
This guidance specifically highlights what transparency information must always be provided and what information must be included in the privacy notice dependent on particular circumstances of your organisation, and how and why personal data is or will be processed.
Layered approach
The ICO highlights that there is no prescribed format of a privacy notice and transparency information can be made available to the individuals through a variety of formats. This can include using blended or layered approaches, such as the participant information sheet, a leaflet, a poster, orally or through signposting to a website.
Where a blended or layered approach is used for communicating transparency information, the approval standard will still be applied. If you apply this approach instead of having a single document, you must document to UKHSA how the different modes of communication will cumulatively demonstrate the transparency information is made available to individuals.
Language
Article 12(1) of UK GDPR outlines that: “The controller shall take appropriate measures to provide any information referred to in Article 13 and Article 14 and any communication under Article 15 to Article 22 and Article 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”
It is therefore recommended that the privacy notice:
- should be clear on what is happening to the data
- provides concrete and definitive information
- does not contain any abstract phrases or ambivalent explanations, such as “data may be transferred to a third country”
- refrains from using overly legalistic, technical or specialist language or terminology, avoids information fatigue (that is, it does not deliberately overwhelm the individual with information)
Review and maintenance
Before finalising your project-specific privacy notice, it is recommended that the acceptability of the privacy notice is:
- tested with the data subjects, representatives of the data subjects, or a comparable group of individuals with the same lived experience to ensure that it meets their information needs, amending the content if required
- reviewed by your data protection officer to ensure compliance with the legal requirements of UK GDPR and the Data Protection Act 2018
Best practice recommends an annual review of the privacy notice should be undertaken and, in addition, a review conducted whenever there is to be a significant change to how you process personal data, such as changes in purpose, the addition of new sources of data or instructions to data processors. This list is not an exhaustive list and advice should be sought from your organisation’s information governance team.
Describing the role of UKHSA
This standard requires that the privacy notice must clearly and unambiguously describe the role of UKHSA in the project, except for applications requesting data for the provision of individual or direct care.
This means that the privacy notice must explain any processing by UKHSA, such as one-off transfers or ad-hoc requests of personal data that will be shared with you or your data processors, as well other processing operations including data collection, analysis, storage or destruction.
It is expected that sufficient detail is provided so that any data subject can understand the processing and the role of UKHSA.
Where personal data is being shared with UKHSA for linkage, you must also include the lawful basis on which your organisation will share personal data and the frequency.
Direct care
Where data is processed for ‘direct care’ by a health and social care organisation, UKHSA does not expect a project-specific privacy notice to be made available. In such circumstances, the corporate privacy notice of the organisation can be shared. Note that all other provisions in the standard will prevail.