Skip to main content

Compliance with the national data opt-out

The deadline for health and care organisations to comply with national data opt-out policy is currently the end of September 2020. The deadline was extended to enable health and care organisations to focus their resources on the coronavirus (COVID-19) outbreak. It may be reviewed again.Use our compliance implementation guide to find out what you need to do within your organisation, and find out which national organisations are already compliant.

Compliance with the national data opt-out policy

The deadline for health and care organisations to comply with national data opt-out policy is currently the end of September 2020. The deadline was extended to enable health and care organisations to focus their resources on the coronavirus (COVID-19) outbreak. It may be reviewed again. This requirement is supported by Information Standard: DCB3058: Compliance with National Data Opt-outs.

To comply with national data opt-out policy, you need to put procedures in place to review uses or disclosures of confidential patient information against the operational policy guidance.

See our guidance overview of the national data opt-out policy to  help you understand how it works and which data uses, or disclosures, are in scope.

If current uses or disclosures should have national data opt-outs applied, you need to:

  • implement the technical solution  to enable you to check lists of NHS numbers against those with national data opt-outs registered
  • have a process in place, when you get the results back, to ensure that you only use or disclose information for the returned list of NHS numbers, as any with national data opt-outs registered will have been removed

If you have no uses or disclosures which need to have national data opt-outs applied, you must still put procedures in place to assess future uses or disclosures against the national data opt-out operational policy guidance, and can choose to either:

  • implement the technical solution in readiness, or
  • be ready to implement it if needed for future data uses or disclosures

Once compliant, confidential patient information must not be used or disclosed before it has been assessed and national data opt-outs applied when necessary.

The Check for National Data Opt-outs service - technical solution

National data opt-outs are held on the NHS Spine against an individual’s NHS number. If your use or disclosure of data needs to have national data opt-outs applied, you must remove records for patients with an opt-out registered from the data being used.

The Check for National Data Opt-outs service uses the messaging exchange for social care and health (MESH) to enable you to submit lists of NHS numbers and receive lists back with the NHS numbers removed for those patients that have opted out.

To help GP practices to become compliant with the national data opt-out, the four principal GP system suppliers have been commissioned to develop and embed the service into their clinical systems. Further information will be made available as the GP system suppliers confirm their delivery plans. See further information for GP practices.

Compliance resources

Compliance implementation guide: provides a step-by-step guide to help organisations understand and plan the actions required to become compliant with national data opt-out policy.

Check for National Data Opt-outs service: guidance on how to install and configure MESH to enable lists of NHS numbers to be processed through the Check for National Data Opt-outs service, including a full test data pack.

Check for National Data Opt-outs licence agreement: notes the rights and conditions upon which your organisation may use the Check for National Data Opt-outs service provided by NHS Digital.

National Data Opt-out checker app: a simple tool you can use when submitting to national clinical audits, developed by University Hospitals Plymouth NHS Trust.

Recommended text for privacy notices: contains some suggested text to include in your organisation's patient privacy notice. (Word file - request in a different format.)

DPIA guidance: guidance for completing a data protection impact assessment on the data processing activity being taken to apply national data opt-outs. (Word file - request in a different format.)

Data Uses and Releases Compendium (27 April 2020): provides real examples of data disclosures and the assessment as to whether national data opt-outs apply or not. (Pdf file - request in a different format.)

Declaring compliance

NHS organisations have responsibility for making sure that they comply with the national data opt-out. NHS Digital is not responsible for monitoring organisations’ compliance. Organisations prove their compliance by publishing their privacy notice and submitting their Data Security and Protection Toolkit assessment. This is mandatory for all NHS organisations. Information on which organisations have achieved ‘standards met’ on the DSP Toolkit will be published later in the year. There is also an Information Standard: DCB3058: Compliance with National Data Opt-outs requiring compliance with the national data opt-out standard, which requires organisations to conform with the policy by March 2020. 

Last edited: 11 August 2020 12:43 pm