Introduction
The national data opt-out was introduced on 25 May 2018, enabling patients to opt out from the use of their confidential, identifiable patient information being used for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.
The national data opt-out applies to data that originates within the health and adult social care system in England and is applied by health and care organisations that subsequently process this data for purposes beyond individual care.
The Practice must comply with the national data opt-out policy by 31 July 2022. This deadline has been extended repeatedly from the original compliance deadline of 31 March 2020 to allow health and care organisations to focus on the response to the coronavirus (COVID-19) pandemic.
Background
The national data opt-out is aligned with the authorisation used for sharing a patient’s data in accordance with the common law duty of confidentiality (CLDC). In broad terms the national data opt-out applies unless there is a mandatory legal requirement or an overriding public interest for the data to be shared. The opt-out does not apply when the individual has consented to the sharing of their data or where the data is anonymised in line with the Information Commissioner’s Office (ICO) Code of Practice on Anonymisation.
Patients can set an opt-out via several channels that include online, digitally assisted, and non-digital channels. Any person registered on the Personal Demographic Services (PDS) and who consequently has an NHS number allocated to them can set a national data opt-out. The opt-out is stored in a central repository against their NHS number on the Spine, which supports the IT infrastructure for health and social care in England.
NHS Digital and Public Health England are applying the national data opt-out to any in scope data releases and are compliant with this policy.
Patients can view or change their national data opt-out choice at any time by using the online service at www.nhs.uk/your-nhs-data-matters or by clicking on “Your Health” in the NHS App, and selecting “Choose if data from your health records is shared for research and planning”.
Type 2 opt-outs
The national data opt-out has replaced type 2 opt-outs. The Practice must no longer
use the type 2 opt-out codes to record a patients opt-out choice as they are no
longer collected or processed.
Where a patient had a type 2 opt-out registered on or before 11 October 2018, this was automatically converted to a national data opt-out and if they were aged 13 or over they were sent a personal letter explaining the change and a handout with more information about the national data opt-out.
Patients can be reassured that their choices will continue to be respected. If they want to change their choice, they can use the national data opt-out service to do this.
Type 1 opt-outs
Some patients will have a type 1 opt-out registered with their GP practice, which
indicates they do not want their confidential patient information leaving the practice
for research and planning purposes. These existing type 1 opt-outs will continue to
be respected until the Department of Health and Social Care conducts a consultation
with the National Data Guardian on their removal.
Patients who can choose to set a national data opt-out
Anyone who has an NHS number and has registered for care or treatment with the NHS in England can set an opt out if they wish to, even if they don’t currently live in England.
Patients who can set an opt-out choice for themselves
If a patient is aged 13 or over, they can set their own opt-out choice using the online service, the telephone service, the NHS App, or ‘print-and-post’, completing a form by hand and sending it in
Patients who can set an opt-out choice on behalf of someone else
Someone can set an opt-out choice on behalf of a patient, by proxy, if:
- they are the parent or legal guardian of the patient, who is a child aged 12 or under
- they have a formal legal relationship with the patient, for example they have legal power of attorney or are a court-appointed deputy
They can only do this using the ‘print and post’ service.
Changing an opt-out choice
An opt-out choice can be changed at any time by the patient or their proxy.
Using the online service
Patients can set their own opt-out choice by visiting www.nhs.uk/your-nhs-data-matters using any internet enabled device. So that the service can confirm their identity, they will need to provide:
- their NHS number, or their postcode (as registered with their GP practice)
- their mobile phone number or email address provided previously at a GP practice or other NHS service
The online service is available 24 hours a day, 7 days a week.
Using the NHS App
Patients who have registered for the NHS App using NHS login can set a national data opt-out using the app.
Using the telephone service
Patients can set their own opt-out choice by calling 0300 303 5678.
Calling this number should cost no more than calls to a normal landline number.
The telephone service is available 9am to 5pm, Monday to Friday, apart from on English bank or public holiday.
Using ‘print-and-post’
If a patient is unable to use the online or telephone service, or would prefer not to, they can compete a paper form and post it.
The form can be downloaded from www.nhs.uk/your-nhs-data-matters or requested by calling the telephone service on 0300 303 5678.
Patients in prison or secure settings
There are special arrangements for patients in prison or other similar secure settings, known as detained and secure estates. A health and care professional can help register a patients opt-out choice. See Guidance for detained and secure estates.
Confirmation
During the process of setting their opt-out choice, the patient can choose their preferred communication method:
- SMS text
- letter
Once the process has been completed, the patient will receive a confirmation that their national data opt-out choice has been set.
Is the use or disclosure confidential patient information?
Data is recorded whenever a patient has contact or interaction with the health and care system. The opt-out only applies to confidential patient information (CPI) – data that includes both:
- information that identifies or could be used to identify the patient
- information about their health, care or treatment
The national data opt-out does not apply to information that is anonymised in line with the Information Commissioner’s Office (ICO) Code of Practice (CoP) on Anonymisation or is aggregate or count type data.
Do you have explicit consent for the use or disclosure?
If a patient has agreed to a specific use of data, after being fully informed, then the national data opt-out does not apply. Even patients who have registered a national data opt-out can agree to take part in a specific research project or clinical trial, by giving their explicit consent.
What the national data opt out applies to
The opt-out relates to information about an individual’s health and adult social care provided in England only. It will not apply to information flowing from outside England (this includes from the other home nations) directly to a research or planning body. However, when information from another home nation comes into a GP surgery (where the opt-out applies), then it is subject to the national data opt-out restrictions.
- information about the deceased as the GDPR only applies to living individuals.
- Any confidential patient information generated or processed by a health or adult social care organisation within England
- Confidential patient information held by other organisations relating to care provided or co-ordinated by a public body
- Any disclosure of data for purposes beyond individual care
The opt-out will apply unless:
- the patient has consented to a specific data use
- the data is required by law
- where there is an overriding public interest for the disclosure
- the data is anonymised in line with the ICO code of practice on anonymisation
- a specific exemption has been granted.
Opt-outs from other UK countries
Opt-outs offered in Wales, Scotland (the “Spire Opt-out”), Northern Ireland, or the Isle of Man (IoM) or the Channel Islands do not apply in England – but they may be applied prior to receipt of any data in England. Opt-outs that are implemented in other countries are for a specific purpose, but this does not mean they apply in England.
When the data opt-out will not apply
Is the disclosure for the purpose of monitoring and control of communicable disease or other risks to public health?
The national data opt-out does not apply to disclosure of confidential patient information if it is being used to protect public health, for example to:
- diagnose communicable diseases
- control or prevent their spread
- deliver and monitor vaccination programmes
- manage risks of infection from food or water supplies or the environment
Overriding Public Interest
Opting out does not apply to disclosure of information where there is an overriding public interest in the disclosure, such as;
- reporting of gun and knife wounds in line with GMC guidance, and
- patients’ fitness to drive and reporting concerns to the DVLA or DVA in line with GMC guidance
Data controllers should have their own arrangements in place to apply a ‘public interest test’ as and where necessary.
Is the information being disclosed because of a legal requirement?
When there is a legal requirement to disclose information that sets aside the common law duty of confidentiality, the national data opt-out policy does not apply.
Is the use or disclosure for individual care or research and planning?
The national data opt-out policy does not apply where information is being used or shared for an individual patient’s care. It only applies to use or disclosure of data for purposes beyond individual care such as research and planning.
Required by Law / court order
Examples of disclosures required by law;
- CQC Inspect & entry requirements
- NHS Digital collecting information as directed by the Secretary of State or NHS England
- NHS Counter Fraud Service requests in order to prevent, detect and prosecute NHS fraud
- professional regulators investigating fitness to practise (e.g. GMC, NMC)
- Coroners’ investigating the circumstances of a violent death, or death in custody
- Health professionals reporting notifiable diseases, including food poisoning
- Chief Medical Officer must be notified of termination of pregnancy
- Employers reporting deaths, major injuries and accidents to the Health and Safety Executive
- Providing information to the police when requested if an offence has been caused
- Prevention of terrorism or prosecuting a terrorist under Terrorism Acts
- Child or vulnerable adult safeguarding purposes (e.g. s.47 Children Act 1989);
- Cases of female genital mutilation to police (Female Genital Mutilation Act 2003)
- Court order from a judge or presiding officer of a civil or criminal court
- information reported to HFEA for inclusion on the register of assisted reproduction and fertility treatments (Human Fertilisation and Embryology Act 1990
- Some disclosures to the Office of National Statistics
- Information relating to transplant approvals
- Providing information to Responsible bodies including health boards, trusts and regulatory bodies relating to the management and use of controlled drugs.
This is not an exhaustive list, so information governance and/or legal advice should be sought where necessary.
In order to comply with the National Data Opt-Out Kenmore Medical Centre has taken the following steps
- Read and kept copies of the
- National Data opt out – Data protections impact assessment Updated patient privacy policy
- National data opt out Operation policy guidance document
- Added Your “Data matters” posters in the waiting room
- Updated Adult and child registration forms with information regarding where to find more information on national data and how to opt in or out
- Cathy Starkey completed training on e-Learning for Health
- Checked that Functionality for applying national data opt out in emis was active. Instructions shown below.
To apply National Data Opt-outs in a search
It is the Data Controller’s responsibility to ensure that the National Data Opt-out Operational Policy for Health and Social Care must be considered for disclosures of confidential patient information, and when required to apply the National Data Opt-outs to a search.
- Access Population Reporting.
Click , point to Reporting, and then select Population Reporting.
The Population reporting screen is displayed.
2. On the ribbon, click Add, point to Patient, and then click Search.
The New Search screen is displayed.
To apply National Data Opt-outs and remove patients who chose to opt out from the search, select the Opt out option.
If you apply the national data opt out filter to a search where the National Data Opt-out has not been enabled for that organisation, no results will be produced.
You can also apply the national data opt out filter when you edit search properties. The option will be displayed in the Details tab.
When this option is applied, the Recipients section is added to the screen, and the Description and Recipients sections become mandatory. If you leave the description field empty and try to proceed, a pop-up explaining that a purpose must be entered into this field is displayed. You must do this before you continue.
- Continue creating the search as normal. Read more information about creating searches
Run and view a National Data Opt-out Audit
- Access Audit Trails.
Click , point to System Tools, and then click Audit Trails.
The Audit Trails screen is displayed. - On the ribbon, click NDOP Audit.
3. Apply filters to the audit trail and then click Apply.
The audit trail information is displayed in the right-hand pane.