The Individual’s Rights to Be Informed – under GDPR
The ICO says:
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’ (note this was called Privacy Notice by the ICO until recently, so we have retained this term for now).
You must provide privacy information to individuals at the time you collect their personal data from them.
If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
It is often most effective to provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.
You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing. Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.
These are the basics upon which your privacy notice should be based.
CODE has produced two privacy notices: one for adults (M 217T) and a simpler one for children (M 217TC). It is essential that patients have the right to be informed about the collection and use of their personal data, and this is a good way to do it. You can now call these documents Privacy Policies or anything else if you prefer.
Where to publicise the privacy notice
Note that it would be a good idea to refer to the Privacy Notice on your treatment plan forms and medical history forms to bring it to the attention of patients. You could refer to it on the practice website but also say, “A copy of our Privacy Notice can be obtained from the practice on request.”
See the ICO website, which has recently deleted the term ‘Privacy Notice’ and replaced it with a section called Right to be Informed, which has similar information to what it previously had under Privacy Notice.