The national data opt-out was introduced for the health and social care system in England on 25 May 2018 and applied by NHS Digital. Since then Public Health England have become compliant with national data opt-out policy and all health and adult social care providers across England are required to comply with national data opt-out policy by March 2020.
This means that national data opt-outs will need to be applied when disclosing CPI which originates in a health and/or adult social care organisation for purposes beyond an individual’s care and treatment.
For the purpose of compliance with national data opt-outs health and adult social care organisations are defined as:
- NHS bodies and local authorities providing health and adult social care services in England; and
- other organisations or persons who provide health or adult social care services in England under contracts agreed with NHS and local authorities.
Broadly this includes (but is not limited to) health service providers (for example NHS Trusts, GP practices), private providers who deliver services which are publicly funded and or coordinated by a public body, for example local authorities, commissioners of health and care services (for example clinical commissioning groups and local authorities) and arm’s-length bodies.
Once an organisation has declared they are compliant, usually through a privacy notice made available to the public, then the organisation must continue to comply with the policy from that point in time.
The national data opt-out is a facility via which patients can object to their confidential patient information (CPI) being used for research and planning. However, it does not apply to CPI when an individual has given their explicit consent for their CPI to be used for a particular purpose. Specifically, it is applied to a use/disclosure of CPI where a section 251 of the NHS Act 2006 is used as the legal gateway for disclosing the data (see section 4). The national data opt-out will always apply where a section 251 is relied on to enable the data to be shared unless Confidential Advisory Group (CAG) agrees to set aside the national data opt-out. More information about section 251 approvals is set out in section 4 below.
The responsibility for complying with national data opt-out policy rests with the data provider (as Data Controller) or processor acting on behalf of the data provider. In practice this means that national data opt-outs are applied by the health and adult social care provider of the data, that is, disclosing the CPI, (for example a hospital trust), not by the recipient of CPI, (for example a research body.To be clear national data opt-outs are applied to CPI before it is received by a researcher. Researchers are not required to apply national data opt-outs to the data they receive.
Patients can set their national data opt-out preference via both digital and non-digital services. Their preference will remain in place unless and until such a time that the patient decides to change their opt-out preference. A patient’s preference to opt-out will continue to be applied after the person’s death.
National data opt-outs are not applied retrospectively. This means that when a patient sets their opt-out preference for their CPI not to be shared for uses beyond their individual care their records will be removed from any disclosure of CPI from that time onwards. However, it should be noted that patients are notified when setting their opt-out preference that there is a potential 21-day fair processing period from their opt-out being registered with NHS Digital to being fully applied across all disclosures of data. Data providers will not need to recall data which has already been processed prior to this date.