Check for national data opt-outs service licence

The service is provided to enable organisations in health and adult social care to comply with the national data opt-out policy. The service takes an input list of NHS numbers and returns a ‘cleaned’ list of NHS numbers where any NHS numbers in the input list with a national data opt-out are removed from the ‘cleaned’ list. This ‘cleaned’ list will be termed the ‘service data’ for the purposes of this licence:

• you are licensed to receive data via the service for the purpose of enabling you to comply with the national data opt-out policy
• when you receive data from the service, you are the data controller for the service data 

The national data opt-out policy places the following restrictions on the use of the service data:

• the service data may only be accessed for the purposes of applying national data opt-outs or where there is a legal or statutory reason for the data to be accessed
• the service data must not be explicitly added to a patient’s record
• the service data must not be shared with any other organisation unless it is for the express purpose of the other organisation being able to apply national data opt-outs on your behalf (however also see the Caching the service data section below as to how long the service data may be retained by the other organisation)
• the service data must not be used to explicitly provide those staff who are performing a clinical role (clinicians or care staff) with a view of a patient’s national data opt-out preference. The only exception to this is if the member of staff performs multiple roles and as part of their non-clinical role, they are responsible for disclosing service data when it is cached (see Caching the service data section below)

You are responsible for the security of the service data:

• the service data must be stored securely with appropriate access controls. This includes any cached and superseded cached data (see Caching the service data section below)

The national data opt-out policy allows organisations to submit the list of NHS numbers for their entire cohorts of patients to the service and then cache the resulting ‘cleaned’ list for a limited time period. This is so that this cached list can then be applied to data disclosures for this limited time period. For example, an organisation may choose to submit the list of NHS numbers for their entire cohort of patients to the service each Sunday evening in order to minimise the impact on their technical infrastructure. However, the terms of this licence agreement impose restrictions on this cached data:

• the entire cohort of patients must include all patients that may appear in data disclosures, i.e. all existing patients, historical patients and deceased patients
• the maximum time period that the cached data may be retained is a calendar week from the point at which it was obtained from the service. In the event of system failures that prevent the cached data being updated as expected, you must ensure that the existing cached data does not continue to be used such that the national data opt-out fair processing window is exceeded, as defined in the operational policy guidance.
• the superseded cached data must not be retained in the ‘live’ system when the cached data is replaced at the prescribed interval of a calendar week. However it is permissible to retain the superseded cached data in order to ensure that national data opt-outs have been applied as expected
• if it is necessary to restore data from a backup, the cached data must be replaced once the restore is complete if the cache is older than the prescribed limit of a calendar week
• the cached data may be disclosed where there is a legal or statutory reason for the disclosure (for example in response to a Subject Access Request from a patient)
• where a data disclosure includes patients (for example new patients) who were not part of the original cohort on which the cache was based, the opt-out preference for these patients must be checked before inclusion in any data disclosure