The GDPR includes a longer and more detailed list of information that must be provided in a privacy notice than has been required previously. In addition, GDPR places an emphasis on making privacy notices understandable and accessible.
The specific content of a privacy notice will be individual to each organisation. However, the basic information that must be provided by all privacy notices includes:
- who you are
- what information you are collecting
- what you are doing with this information
- with whom you will share the information (including whether the information will be transferred to a third country)
- how long you intend to keep the information
- information explaining the data subject's rights
Privacy information should be tiered. General information about data processing should be given at an organisational level, for example through the website and in clinic waiting rooms where data subjects will notice it.
However, information about specific uses of personal data, for example where a patient's data might be used in a research study, should be given via a specific consent form, which should provide sufficient information to the patient to allow them to give their explicit consent to the data processing involved.
Privacy notices for vulnerable individuals
If you collect information from vulnerable individuals, such as children, you must make sure those individuals are treated fairly. This involves drafting privacy notices appropriate to the level of understanding of your intended audience and, in some cases, putting stronger safeguards in place.
Updated privacy notices
An updated notice should be provided where a data controller intends to further process personal data for a different purpose, including for research or where the research purpose may have changed.
This guidance has been prepared by the HRB to help researchers in the health domain comply with GDPR requirements.
It is intended to be general guidance for educational and informational purposes only.
It is not legal advice.