GDPR for Healthcare Professionals – Fair Processing Information
Transparency is a key element of the GDPR. Article 5 states that data must be processed “lawfully, fairly and in a transparent manner in relation to the data subject”. “Fair and transparent” processing means that the data controller must provide information to data subjects about the processing of their data, unless the data subject already has this information.
How can transparency be ensured?
The GDPR sets out specific information which must be provided to data subjects when their personal data is being processed in order to maintain transparency. This information must be:
- concise, transparent, intelligible and easily accessible;
- written in clear, plain language (especially if it is in relation to a child’s personal data); and
- free of charge.
The purpose of such requirements is to ensure that the privacy information provided to data subjects is clear and easily understandable.
Under the GDPR, there is now an explicit emphasis on making privacy information suitable for children – this is additional to the requirements of the DPA. This means that data controllers will have to consider the ability of children in the age group whose data they are processing to comprehend the notices, and tailor their notices accordingly.
How can privacy information be presented?
In the majority of situations where privacy information needs to be presented to data subjects, a ‘Privacy Notice’ will be the most effective way of delivery.
A Privacy Notice should include:
- the identity and the contact details of the data controller;
- the contact details of the company’s data protection officer (if applicable);
- how the company will use and store the collected personal data;
- the legal basis for the collection, use and storage of the data;
- whether the data will be shared with any third parties;
- whether the data will be transferred to a third country or international organisation, including how the personal data will be protected;
- details as to how long personal data will be stored, or the criteria used to determine how long this will be;
- details of how the individual can obtain a copy of information held about them;
- details of the individual’s right to lodge a complaint with the ICO; and
- details of whether the personal data is provided as a statutory or contractual requirement, as well as whether the individual is obliged to provide the personal data and what the possible consequences of failure to provide such personal data are.
It is imperative that healthcare organisations begin to consider how they will present this information, particularly where they will be collecting children’s data, ahead of the date of implementation of the GDPR on 25 May 2018.
If you would like to discuss any of the points raised in this blog, or would like to speak to a specialist solicitor in our healthcare team, then contact us on 0161 926 9969.