Completing these steps means:
- you will comply with Information Standard DCB3058: compliance with national data opt-outs
- you will be able to complete the evidence item ‘compliance with national data opt-out policy’ in the Data Security and Protection toolkit for 2019/20.
Assess current and ongoing data disclosures
When you are confident you have captured all the data disclosures in your organisation, assess them to see if they are within scope of the national data opt-out policy.
The flow diagram below illustrates the key questions to take into account when determining this.
Follow our step-by-step guide, Understanding the national data opt-out, to work out if your data uses or disclosures are in scope.
For more details of the policy, specific cases (such as invoice validation, risk stratification and cross-border flows) and any specific exemptions, look at the national data opt-out operational policy guidance.
To help you make this assessment, we have created a compendium of common data disclosures which we have assessed to show whether opt-outs need to be applied.
Update policies and procedures
You need to update processes for handling new disclosure requests, to make sure the national data opt-out policy is considered when each new disclosure is assessed. You also need to make sure processes are documented, to demonstrate compliance with national data opt-out policy.
You may need to:
- identify if there is a recognised procedure in place for managing requests to disclose patient data for purposes beyond a patient’s individual care – it might include application and approval processes from a board or individual
- identify who is usually responsible for considering or approving requests and make sure they are involved or kept informed as you work on becoming compliant
- identify whether the procedure is documented, for example in a set of Standard Operating Procedures (SOP) - and if so amend the document to include an additional check to consider if the request falls within scope for national data opt-outs to be applied
- establish and document a new procedure, if there are no documented procedures in place
You must implement the technical solution to become compliant if there are:
- current data disclosures taking place which are in scope of the national data opt-out policy
- no current data disclosures in scope but you will have a data disclosure very soon that would be in scope of the national data opt-out policy – for example you may have agreed to provide data on a quarterly basis
You do not need to implement the technical solution to become compliant if there are no current data disclosures taking place which are in scope of the national data opt-out policy, and it seems unlikely there will be any within the next 3-4 months.
If it's not necessary for you to implement the technical solution, you can still choose to do so – but you can declare compliance without it.
Your organisation may already be using MESH. IT and data administration colleagues should use the guidance on the Check for National Data Opt-outs service pages to decide on the most appropriate configuration of MESH for your organisation.
Plan how your organisation will use the service
The service lets you use MESH to send lists of NHS numbers to be checked against the repository on the Spine. You then receive the list back, with the NHS numbers of any patients who have a national data opt-out removed. You need to work out how to incorporate this in your processes.
Read full details of how to send and receive files through the Check for National Data Opt-outs service.
Choose how you will use the service
You can either:
- use the service each time you prepare a data disclosure, or
- use it to check the NHS numbers of a cohort of patients (including your existing patients, previous patients and deceased patients) who may feature in multiple data disclosures – this is called ‘caching’
If you choose the second option, you must follow the terms of the licence agreement on how you can use this cached data.
Decide on process and allocate tasks
Decide who will be responsible for the following tasks and how they will be performed:
- Provide a list of just the NHS numbers taken from the records that are planned for disclosure, or the list of NHS numbers that might be disclosed during the time period of the cache – consider who will have the capability and the access to data to create this list.
- Prepare the list file and a control file in the correct format and use the service to send them.
- Take the returned list from the service (cache it if necessary).
- Compare the returned list with the original list, and remove from the data disclosure entirely the records of any patients whose NHS numbers no longer appear on the returned list, to create an updated set of data to be disclosed.
- Confirm that national data opt-outs have been applied and the data can now be disclosed for the purpose agreed.
There is a test set of data you can use with the service to check that your processes for preparing, sending and receiving files and comparing lists work in practice. It is available on the Check for National Data Opt-outs service page.
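The list-building and comparison tasks above, as an added Python example (not NHS Digital code). The record layout, function names and sample NHS numbers are assumptions constructed for illustration, as is the choice to hold back records without a valid NHS number for manual review; the list file and control file formats are not covered.

```python
# Added example: record layout, names and sample values are assumptions.

def normalise(value):
    """Keep digits only, so '999 000 0018' and '9990000018' compare equal."""
    return "".join(ch for ch in str(value) if ch.isdigit())

def is_valid_nhs_number(n):
    """10 digits with a correct Modulus 11 check digit."""
    if len(n) != 10:
        return False
    total = sum(int(d) * w for d, w in zip(n[:9], range(10, 1, -1)))
    check = (11 - total % 11) % 11   # a result of 11 is treated as 0
    return check != 10 and check == int(n[9])

def numbers_to_check(records):
    """Return (unique valid NHS numbers to send, records that cannot be checked)."""
    to_send, uncheckable = set(), []
    for rec in records:
        n = normalise(rec.get("nhs_number", ""))
        if is_valid_nhs_number(n):
            to_send.add(n)
        else:
            uncheckable.append(rec)   # assumption: held back for manual review
    return sorted(to_send), uncheckable

def apply_returned_list(records, sent, returned):
    """Keep only records whose NHS number is still on the returned list."""
    returned_set = {normalise(n) for n in returned}
    if returned_set - set(sent):
        # A number we never sent suggests the wrong response file: stop.
        raise ValueError("returned list contains NHS numbers that were not sent")
    return [r for r in records if normalise(r.get("nhs_number", "")) in returned_set]

# Constructed sample data (synthetic numbers chosen to pass the check digit).
RECORDS = [
    {"nhs_number": "999 000 0018", "item": "A"},
    {"nhs_number": "9990000026", "item": "B"},
    {"nhs_number": "9990000034", "item": "C"},
    {"nhs_number": "9990000018", "item": "D"},   # same patient as A
    {"nhs_number": "1234567890", "item": "E"},   # fails the check digit
]
RETURNED = ["9990000018", "9990000034"]   # constructed: 9990000026 not returned

if __name__ == "__main__":
    sent, uncheckable = numbers_to_check(RECORDS)
    cleared = apply_returned_list(RECORDS, sent, RETURNED)
    print("sent:", sent)
    print("held back:", [r["item"] for r in uncheckable])
    print("cleared for disclosure:", [r["item"] for r in cleared])
```

Because the filter keeps only records whose number is on the returned list, a record with a missing or malformed NHS number is never disclosed by default.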
Declare compliance
With all the above complete, you can now declare your organisation’s compliance with national data opt-out policy.
This also means your organisation will be able to complete the compliance with the national data opt-out policy evidence item stated in the Data Security and Protection toolkit from 2019/20.