A national data opt-out is applied to confidential patient information at the point it is disclosed for purposes beyond individual care. The most up-to-date national data opt-out must be applied at this point.
A national data opt-out applies to all confidential patient information in relation to the individual in scope, including any historic patient records being disclosed for a specific purpose.
A national data opt-out does not apply retrospectively, meaning it does not need to be applied to data that has already been processed. At the point a particular dataset has been used or released, all patients who have opted out at that time should be removed. Data does not need to be recalled once released or otherwise processed.
A patient may choose to change their opt-out decision at any time and their current choice is respected at any given time, replacing any previous choices made. If a patient has previously opted out, but then subsequently withdraws their opt-out, their confidential patient information (including any historic data) will become available for use beyond their individual care once again. This is true even where the data relates to a period where the patient had previously opted out.
An individual is not able to set a preference that specifically applies to data over a defined period of time, although as described in the NDG Review they can choose to give explicit consent (under common law) for a particular use of their data. For example, a research project or clinical trial.
An organisation is expected to comply with the conditions set out in their data sharing agreements with regards to data retention/destruction and onward sharing of data for future uses. There is no specific requirement for an organisation to remove an individual’s record from data they have already received as a result of an individual’s opt-out preference being changed. However, data sharing agreements may include specific arrangements for the application of the most up-to-date national data opt-out prior to onward sharing if required by the data controller.
Where the terms of the use of the data (i.e. the specific S.251 approval) covers onward sharing, data controllers should apply the most up to date national data opt-out at this point. For example, an organisation that falls within the definition of health and care organisations set out in Section 4 may receive data from a health and social care provider under S.251 support and the S.251 support also allows this data to be linked with Hospital Episode Statistics (HES) data from NHS Digital. The national data opt-out would be applied at the point that the original data is disclosed from the health and social care provider to the organisation but it should also be applied at the point of disclosure to NHS Digital and also by NHS Digital when the linked data is returned to the research organisation.