Completing these steps means:
The flowchart below is a high level view of the actions required to become compliant with national data opt-out policy.
You need to consider how long this process will take and who should be involved.
If your organisation has already completed a comprehensive assessment of existing data disclosures, to meet the General Data Protection Regulation (GDPR) and Data Protection Act 2018, and there are procedures in place to consider new data disclosure requests, the actions in this guide could be completed within 2-3 months.
If not, plan for the process to take up to 6 months.
These timescales are provided as an indicator. They take into consideration how long it may take to:
As you begin implementation, think about who may need to be involved in the compliance plan for the organisation and whose approval and agreement is required to take forward the actions set out in this guide.
Depending upon your organisation, you should consider discussing the compliance position, and getting agreement on actions, with your:
Download our printable checklist to help you through the compliance process.
Take the following steps.
Start by looking at your current and ongoing data uses and disclosures to assess if they need to have national data opt-outs applied.
You may already have a list of disclosures – for example a Records of Processing Activity (ROPA) document for your organisation, as required under Article 30 of the General Data Protection Regulation (GDPR).
To assess your disclosures against national data opt-out policy, you will need to be able to identify them all and determine:
Anyone who is requesting information that your organisation is the data controller for should be clear about how the CLDC will be met. This will inform the decision on whether national data opt-outs should be applied.
Do a stock-take
You need to do a stock take if:
Make sure you involve everyone in your organisation who is responsible for data protection and confidentiality and for processing patient data such as information managers, analysts, and audit teams. Consider raising awareness across the organisation, through newsletters, bulletins and other established communications routes.
You need to make sure you find out if anyone is currently using or disclosing confidential patient information for purposes beyond individual care that may not be recorded on the ROPA or a similar register of information assets.
All staff must be made aware of their responsibilities for appropriate use and disclosure of confidential patient information.
You should make sure there is a documented procedure in place to remind staff:
You should make sure this guidance is easily accessible and staff are regularly reminded of it, for example in yearly refresher training.
Having this will also provide mitigation if your organisation was ever in the unfortunate position that a data breach involving inappropriate disclosure of data had taken place, and it was clear someone had acted outside of your organisation’s policies.
When you are confident you have captured all the data disclosures in your organisation, assess them to see if they are within scope of the national data opt-out policy.
The flow diagram below illustrates the key questions to take into account when determining this.
For more details of the policy, specific cases such as invoice validation, risk stratification and cross-border flows and any specific exemptions look at the national data opt-out operational policy guidance.
To help you make this assessment, we have created a compendium of common data disclosures which we have assessed to show whether opt-outs need to be applied.
You need to update processes for handling new disclosure requests, to make sure the national data opt-out policy is considered when each new disclosure is assessed. You also need to make sure processes are documented, to demonstrate compliance with national data opt-out policy.
You may need to:
Once you have identified and assessed all current and ongoing data disclosures, you are in a position to decide whether to implement the technical solution.
To help GP practices to become compliant with the national data opt-out, the four principal GP system suppliers have been commissioned to develop and embed the service into their clinical systems. Further information will be made available to practices as the GP system suppliers confirm their delivery plans. Practices can go to Action 4 as you will not need to implement the technical solution yourselves, unless you use other IT systems to create data disclosures.
If you are a non-GP practice organisation that uses TPP’s SystmOne together with the Strategic Reporting Extract functionality, you will not need to implement the technical solution yourselves, and can go to Action 4, unless you use other IT systems to create data disclosures.
You must implement the technical solution to become compliant if there are:
You do not need to implement the technical solution to become compliant if there are no current data disclosures taking place which are in scope of the national data opt-out policy, and it seems unlikely there will be any within the next 3-4 months.
If it's not necessary for you to implement the technical solution, you can still choose to do so – but you can declare compliance without it.
If you do not implement the technical solution before you declare compliance, you must be prepared to do so at any time, if a new data use or disclosure request is made that is within the scope of the policy.
To remove records of patients who have a national data opt-out registered, your organisation needs to implement the technical solution we’ve developed. The Check for National Data Opt-outs service uses the Message Exchange for Social Care and Health (MESH), so most organisations will need to install MESH to use the service, or if it’s already installed, configure it for this additional purpose.
Your organisation may already be using MESH. IT and data administration colleagues should use the guidance on the Check for National Data Opt-outs service pages to decide on the most appropriate configuration of MESH for your organisation.
The service lets you use MESH to send lists of NHS numbers to be checked against the repository on the Spine. You then receive the list back, with the NHS numbers removed of any patients that have a national data opt-out. You need to work out how to incorporate this in your processes.
Read full details of how to send and receive files through the Check for National Data Opt-outs service.
Before using the service, you must review the licence agreement and note that in using the service, your organisation is entering into an agreement with NHS Digital about the rights and conditions upon which your organisation may use the Check for National Data Opt-outs service.
You can either:
If you choose the second option, you must follow the terms of the license agreement on how you can use this cached data.
Decide who will be responsible for the following tasks and how they will be performed:
There is a test set of data you can use with the service to check your processes for preparing, sending and receiving files and comparing lists work in practice, available on the Check for National Data Opt-outs service page.
You must remove the entire record for each patient who has opted out from the prepared data before it is disclosed (not just remove the identifiers).
Data should not be removed from the patient’s original medical/care record.
In accordance with guidance provided by the Information Commissioner’s Office, you should complete a Data Protection Impact Assessment (DPIA) that covers the data processing required to prepare a data set for disclosure with national data opt-outs applied.
Guidance and suggested text for your DPIA (Word document - request a different format)
Update your standard operating procedures, or any equivalent set of operating instructions your organisation maintains, to include the use of the Check for National Data Opt-outs service and application of national data opt-outs where needed.
You should make sure everyone within your organisation who has access to patient data, and/or is responsible for processing or handling it, is made aware of the updated procedures.
Identify who is responsible for staff communications and work with them to develop a communications plan and create suitable materials.
Communicate through whatever channels are available, such as intranets or newsletters.
Make sure documented procedures are accessible, including for new members of staff, by including them in staff training and induction materials.
You should update your privacy notice materials, and include a declaration to state when your organisation is compliant with national data opt-out policy, to comply with the Information Standard.
See recommended content to include in your organisation’s website and privacy notice.
Identify who produces and/or is responsible for creating patient materials and managing patient communication channels, and work with them to decide how to inform patients appropriately. Consider your organisation’s website if you have one, and work with patient groups such as Patient Participation Groups (PPGs) in GP practices and the Patient Advice and Liaison Services (PALS) in NHS trusts.
Check existing stocks of the ‘Your NHS Data Matters’ printed materials, order more if needed, and make sure they are available in public spaces.
Consider creating and publishing a register of approved requests for data disclosures, if you do not already do so. With the processes in place for considering requests for data disclosures and whether national data opt-outs apply, this provides greater transparency for your patients.
Organisations you work with may be affected by your organisation becoming compliant with the national data opt-out policy. You should tell organisations that use your data, or that you disclose data to, that you are preparing to apply opt-outs, and let them know whether opt-outs will be applied to their data disclosures.
The policy allows you to tell organisations that receive your data how many records have been removed from the set of data after applying national data opt-outs, so you can choose to supply this information with future data disclosures.
If organisations ask about the likely effects of national data opt-outs on the data they will be using or receiving, you can point them to national statistical data published by NHS Digital which provides more information on the numbers of opt-outs. The statistics are also broken down into further categories such as age, gender and geographical area.
With all the above either in place or scheduled, you just need to finalise the actual date from which you will declare that your organisation now complies with the national data opt-out policy.
Make sure your agreed staff communications go out before the declared compliance date so that they know when the new procedures come into effect.
Arrange to provide any agreed patient communication materials either on the date from which you are stating compliance or soon after.
If you are providing communications to organisations that use your data or receive disclosures of data from you that will be affected by national data opt-outs, then make sure those communications are ready to be provided before the next data disclosure takes place.
When you have everything in place to support your proposed compliance date make sure you get approval within your organisation through whichever route you agreed at the outset. Make sure all stakeholders are content with the proposed date, and that all actions have been considered and are either in place or ready to be activated.
It is important to recognise that once your organisation has declared compliance:
With all the above complete, you can now declare your organisation’s compliance with national data opt-out policy.
This also means your organisation will be able to complete the compliance with the national data opt-out policy evidence item stated in the Data Security and Protection toolkit from 2019/20.