Skip to main content
Creating a new NHS England: NHS England and NHS Digital merged on 1 February 2023. More about the merger.

Data sharing standard 10a - Transparency (fair processing)

This standard is part of a series of guidance documents to support the various stages of a DARS application. 


Standard description

Transparency is a requirement of GDPR, NHS Digital do not require a copy of the Privacy Notice for review, but applicants must ensure they comply with the below guidance and clearly state within their application the below text. 

“The data controller(s) listed within this agreement in Section 1 confirm that they will ensure that a GDPR compliant, publicly accessible transparency notice is maintained throughout the life of this agreement” 

Applicants may find it helpful to refer to Information Commissioner's Office (ICO) guidance (in particular the "Individual’s Right to be Informed").   

The rights being:

the existence of the right to request from the controller access to and rectification or erasure of the personal data, or restriction of processing of personal data concerning the data subject, or to object to the processing of such personal data, as well as the right to data portability


Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the (General Data Protection Regulation) GDPR.

In summary you must:

Provide individuals with information including:

  • purposes for processing their personal data
  • retention periods for that personal data
  • who it will be shared with.

This is “privacy information”.

Provide privacy information to individuals at the time you collect their personal data from them.

If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.

There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.

The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.


The following ICO checklist (reproduced here for ease of reference) provides a summary of what privacy information to provide and when and how to provide it:

What to provide

Provide individuals with all the following privacy information:

☐ The name and contact details of our organisation.

☐ The name and contact details of our representative (if applicable).

☐ The contact details of our data protection officer (if applicable).

☐ The purposes of the processing.

☐ The lawful basis for the processing.

☐ The legitimate interests for the processing (if applicable).

☐ The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).

☐ The recipients or categories of recipients of the personal data.

☐ The details of transfers of the personal data to any third countries or international organisations (if applicable).

☐ The retention periods for the personal data.

☐ The rights available to individuals in respect of the processing.

☐ The right to withdraw consent (if applicable).

☐ The right to lodge a complaint with a supervisory authority.

☐ The source of the personal data (if the personal data is not obtained from the individual it relates to).

☐ The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).

☐ The details of the existence of automated decision-making, including profiling (if applicable).

When to provide it

☐ We provide individuals with privacy information at the time we collect their personal data from them.

If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information:

☐ within a reasonable of period of obtaining the personal data and no later than one month;

☐ if we plan to communicate with the individual, at the latest, when the first communication takes place; or

☐ if we plan to disclose the data to someone else, at the latest, when the data is disclosed.

How to provide it

We provide the information in a way that is: 

☐ concise

☐ transparent

☐ intelligible

☐ easily accessible

☐ uses clear and plain language

Last edited: 3 November 2020 1:46 pm