National data opt-out operational policy guidance document

Executive summary

The national data opt-out applies to the disclosure of confidential patient information for purposes beyond individual care across the health and adult social care system in England.

This document provides operational guidance to understand the application of national data opt-out policy – it sets out when the national data opt-out must be applied along with the exemptions when it will not apply. The national data opt-out applies to data that originates within the health and adult social care system in England and is applied by health and care organisations that subsequently process this data for purposes beyond individual care. The opt-out does not apply to data disclosed by providers of health and care services outside of England or to children’s social care services. This document includes guidance in relation to several specific data uses, for example risk stratification.

The national data opt-out is aligned with the authorisation used for sharing a patient’s data in accordance with the common law duty of confidentiality (CLDC). In broad terms the national data opt-out applies unless there is a mandatory legal requirement or an overriding public interest for the data to be shared. The opt-out does not apply when the individual has consented to the sharing of their data or where the data is anonymised in line with the Information Commissioner’s Office (ICO) Code of Practice on Anonymisation.

A member of the public is able to set an opt-out via a number of channels that include online, digitally assisted and non-digital channels. Any person registered on the Personal Demographic Services (PDS) and who consequently has an NHS number allocated to them is able to set a national data opt-out. The opt-out is stored in a central repository against their NHS number on the Spine, which supports the IT infrastructure for health and social care in England.

NHS Digital and Public Health England are applying the national data opt-out to any in scope data releases and are compliant with this policy.  Other relevant organisations are required to be compliant with the opt-out by March 2020.

The opt-out applies regardless of the format of the data and this includes structured and unstructured electronic data and paper records.  When the opt-out is applied, the entire record (or records) associated with that individual must be fully removed from the data being disclosed.  The NHS number is used as the identifier for the removal of the records.

A national data opt-out publication provides statistics on the national data opt-out against various dimensions, including age and geography to help organisations to understand the impact of the opt-out on their data. Related documents that set out requirements and guidance on the application of the national data opt-out include the Data Security and Protection Toolkit (DSPT), the forthcoming Information Standard on Compliance with the National Data Opt-out and the NHS Digital Code of Practice on Confidential Information. Further information and guidance on the opt-out is available from the national data opt-out webpages.