National data opt-out: compliance implementation guide

This guidance takes you through the steps you need to follow to achieve compliance with the national data opt-out policy, by March 2020, when all health and care organisations in England must comply.

Page contents

Completing these steps means:

you will comply with Information Standard DCB3058: compliance with national data opt-outs
you will be able to complete the evidence item ‘compliance with national data opt-out policy’ in the Data Security and Protection toolkit for 2019/20.

Before you start

The flowchart below is a high level view of the actions required to become compliant with national data opt-out policy.

flowchart showing actions to take to achieve compliance with national data opt-out policy

You need to consider how long this process will take and who should be involved.

Consider how long it will take to become compliant

If your organisation has already completed a comprehensive assessment of existing data disclosures, to meet the General Data Protection Regulation (GDPR) and Data Protection Act 2018, and there are procedures in place to consider new data disclosure requests, the actions in this guide could be completed within 2-3 months.

If not, plan for the process to take up to 6 months.

These timescales are provided as an indicator. They take into consideration how long it may take to:

get any governance approvals
agree sign-off
complete testing
set up appropriate communications for each action

Consider who should be involved

As you begin implementation, think about who may need to be involved in the compliance plan for the organisation and whose approval and agreement is required to take forward the actions set out in this guide.

Depending upon your organisation, you should consider discussing the compliance position, and getting agreement on actions, with your:

Information governance (IG) lead
Caldicott Guardian
Senior Information Risk Owner (SIRO)
Data Protection Officer (DPO)
Chief Information Officer (CIO)
Chief Clinical Information Officer (CCIO)
Chief Executive Officer
Practice Partners
Trust/Organisational Board

Download our checklist

Download our printable checklist to help you through the compliance process.

asset

Checklist of steps to achieving compliance [docx, size: 21.7 kB]

Actions to take to achieve compliance

Take the following steps.

1. Assess data disclosures and update procedures

Start by looking at your current and ongoing data uses and disclosures to assess if they need to have national data opt-outs applied.

Find or prepare a list of data disclosures

You may already have a list of disclosures – for example a Records of Processing Activity (ROPA) document for your organisation, as required under Article 30 of the General Data Protection Regulation (GDPR).

To assess your disclosures against national data opt-out policy, you will need to be able to identify them all and determine:

whether they contain confidential patient information
if they are being used for purposes beyond individual care
how the Common Law Duty of Confidentiality (CLDC) is being met

Anyone who is requesting information that your organisation is the data controller for should be clear about how the CLDC will be met. This will inform the decision on whether national data opt-outs should be applied.

Do a stock-take

You need to do a stock take if:

you do not have a list
you’re not sure if it’s complete or up-to-date
you have a list which does not contain the necessary information to determine whether opt-outs apply

Make sure you involve everyone in your organisation who is responsible for data protection and confidentiality and for processing patient data such as information managers, analysts, and audit teams. Consider raising awareness across the organisation, through newsletters, bulletins and other established communications routes.

Your organisation must comply with the national data opt-out policy and data protection legislation

You need to make sure you find out if anyone is currently using or disclosing confidential patient information for purposes beyond individual care that may not be recorded on the ROPA or a similar register of information assets.

All staff must be made aware of their responsibilities for appropriate use and disclosure of confidential patient information.

You should make sure there is a documented procedure in place to remind staff:

what is allowed when using/disclosing patient data
when formal approval is required before data is used for another purpose or disclosed to a third party

You should make sure this guidance is easily accessible and staff are regularly reminded of it, for example in yearly refresher training.

Having this will also provide mitigation if your organisation was ever in the unfortunate position that a data breach involving inappropriate disclosure of data had taken place, and it was clear someone had acted outside of your organisation’s policies.

Assess current and ongoing data disclosures

When you are confident you have captured all the data disclosures in your organisation, assess them to see if they are within scope of the national data opt-out policy.

The flow diagram below illustrates the key questions to take into account when determining this.

flowchart showing the scope of the national data opt out

Follow our step by step guide, Understanding the national data opt-out to work out if your data uses or disclosures are in scope.

For more details of the policy, specific cases such as invoice validation, risk stratification and cross-border flows and any specific exemptions look at the national data opt-out operational policy guidance.

To help you make this assessment, we have created a compendium of common data disclosures which we have assessed to show whether opt-outs need to be applied.

Update policies and procedures

You need to update processes for handling new disclosure requests, to make sure the national data opt-out policy is considered when each new disclosure is assessed. You also need to make sure processes are documented, to demonstrate compliance with national data opt-out policy.

You may need to:

identify if there is a recognised procedure in place for managing requests to disclose patient data for purposes beyond a patient’s individual care – it might include application and approval processes from a board or individual
identify who is usually responsible for considering or approving requests and make sure they are involved or kept informed as you work on becoming compliant
identify whether the procedure is documented, for example in a set of Standard Operating Procedures (SOP) - and if so amend the document to include an additional check to consider if the request falls within scope for national data opt-outs to be applied
establish and document a new procedure, if there are no documented procedures in place

2. Decide whether to implement the technical solution

Once you have identified and assessed all current and ongoing data disclosures, you are in a position to decide whether to implement the technical solution.

GP practices, and other organisations using TPP SystmOne modules

To help GP practices to become compliant with the national data opt-out, the four principal GP system suppliers have been commissioned to develop and embed the service into their clinical systems.

Vision and Microtest systems may not have made the new functionality fully available before the 31 March 2020. If your practice uses one of these systems, you should follow the steps on this page, including putting the Check for national data opt-outs service technical solution in place, to make sure you are compliant by the deadline.

TPP expects its new functionality to go live in February 2020, and EMIS expects its new functionality to go live in March 2020.

If your practice uses these clinical systems, you can go to Action 4 as you will not need to implement the technical solution yourselves, unless you use other IT systems to create data disclosures.

If you are a non-GP practice organisation that uses TPP’s SystmOne together with the Strategic Reporting Extract functionality, you will not need to implement the technical solution yourselves, and can go to Action 4, unless you use other IT systems to create data disclosures.

You must implement the technical solution to become compliant if there are:

current data disclosures taking place which are in scope of the national data opt-out policy
no current data disclosures in scope but you will have a data disclosure very soon that would be in scope of the national data opt-out policy – for example you may have agreed to provide data on a quarterly basis

You do not need to implement the technical solution to become compliant if there are no current data disclosures taking place which are in scope of the national data opt-out policy, and it seems unlikely there will be any within the next 3-4 months.

If it's not necessary for you to implement the technical solution, you can still choose to do so – but you can declare compliance without it.

If you do not implement the technical solution before you declare compliance, you must be prepared to do so at any time, if a new data use or disclosure request is made that is within the scope of the policy.

3. Set up the technical solution

To remove records of patients who have a national data opt-out registered, your organisation needs to implement the technical solution we’ve developed. The Check for National Data Opt-outs service uses the Message Exchange for Social Care and Health (MESH), so most organisations will need to install MESH to use the service, or if it’s already installed, configure it for this additional purpose.

Your organisation may already be using MESH. IT and data administration colleagues should use the guidance on the Check for National Data Opt-outs service pages to decide on the most appropriate configuration of MESH for your organisation.

Plan how your organisation will use the service

The service lets you use MESH to send lists of NHS numbers to be checked against the repository on the Spine. You then receive the list back, with the NHS numbers removed of any patients that have a national data opt-out. You need to work out how to incorporate this in your processes.

Read full details of how to send and receive files through the Check for National Data Opt-outs service.

Review the licence agreement

Before using the service, you must review the licence agreement and note that in using the service, your organisation is entering into an agreement with NHS Digital about the rights and conditions upon which your organisation may use the Check for National Data Opt-outs service.

Choose how you will use the service

You can either:

use the service each time you prepare a data disclosure, or
use it to check the NHS numbers of a cohort of patients (including your existing patients, previous patients and deceased patients) who may feature in multiple data disclosures – this is called ‘caching’

If you choose the second option, you must follow the terms of the license agreement on how you can use this cached data.

Decide on process and allocate tasks

Decide who will be responsible for the following tasks and how they will be performed:

Provide a list of just the NHS numbers taken from the records that are planned for disclosure, or the list of NHS numbers that might be disclosed during the time period of the cache – consider who will have the capability and the access to data to create this list.
Prepare the list file and a control file in the correct format and use the service to send them.
Take the returned list from the service (cache it if necessary)
Compare the list of numbers that is returned with the original list and remove the records of any that no longer appear on the returned list from the data disclosure entirely, to create an updated set of data to be disclosed.
Confirm that national data opt-outs have been applied and the data can now be disclosed for the purpose agreed.

There is a test set of data you can use with the service to check your processes for preparing, sending and receiving files and comparing lists work in practice, available on the Check for National Data Opt-outs service page.

Remove the entire record from the data

You must remove the entire record for each patient who has opted out from the prepared data before it is disclosed (not just remove the identifiers).

Data should not be removed from the patient’s original medical/care record.

4. Implement new processes

Complete a Data Protection Impact Assessment (DPIA)

In accordance with guidance provided by the Information Commissioner’s Office, you should complete a Data Protection Impact Assessment (DPIA) that covers the data processing required to prepare a data set for disclosure with national data opt-outs applied.

Guidance and suggested text for your DPIA (Word document - request a different format)

Document and implement the new procedures

Update your standard operating procedures, or any equivalent set of operating instructions your organisation maintains, to include the use of the Check for National Data Opt-outs service and application of national data opt-outs where needed.

5. Plan communications and declare compliance

Internal communications

You should make sure everyone within your organisation who has access to patient data, and/or is responsible for processing or handling it, is made aware of the updated procedures.

Identify who is responsible for staff communications and work with them to develop a communications plan and create suitable materials.

Communicate through whatever channels are available, such as intranets or newsletters.

Make sure documented procedures are accessible, including for new members of staff, by including them in staff training and induction materials.

Patient communications

You should update your privacy notice materials, and include a declaration to state when your organisation is compliant with national data opt-out policy, to comply with the Information Standard.

Identify who produces and/or is responsible for creating patient materials and managing patient communication channels, and work with them to decide how to inform patients appropriately. Consider your organisation’s website if you have one, and work with patient groups such as Patient Participation Groups (PPGs) in GP practices and the Patient Advice and Liaison Services (PALS) in NHS trusts.

Check existing stocks of the ‘Your NHS Data Matters’ printed materials, order more if needed, and make sure they are available in public spaces.

Consider creating and publishing a register of approved requests for data disclosures, if you do not already do so. With the processes in place for considering requests for data disclosures and whether national data opt-outs apply, this provides greater transparency for your patients.

Communications with other organisations

Organisations you work with may be affected by your organisation becoming compliant with the national data opt-out policy. You should tell organisations that use your data, or that you disclose data to, that you are preparing to apply opt-outs, and let them know whether opt-outs will be applied to their data disclosures.

The policy allows you to tell organisations that receive your data how many records have been removed from the set of data after applying national data opt-outs, so you can choose to supply this information with future data disclosures.

If organisations ask about the likely effects of national data opt-outs on the data they will be using or receiving, you can point them to national statistical data published by NHS Digital which provides more information on the numbers of opt-outs. The statistics are also broken down into further categories such as age, gender and geographical area.

Decide date to declare compliance

With all the above either in place or scheduled, you just need to finalise the actual date from which you will declare that your organisation now complies with the national data opt-out policy.

Make sure your agreed staff communications go out before the declared compliance date so that they know when the new procedures come into effect.

Arrange to provide any agreed patient communication materials either on the date from which you are stating compliance or soon after.

If you are providing communications to organisations that use your data or receive disclosures of data from you that will be affected by national data opt-outs, then make sure those communications are ready to be provided before the next data disclosure takes place.

When you have everything in place to support your proposed compliance date make sure you get approval within your organisation through whichever route you agreed at the outset. Make sure all stakeholders are content with the proposed date, and that all actions have been considered and are either in place or ready to be activated.

Important

It is important to recognise that once your organisation has declared compliance:

the processes to consider and apply national data opt-outs must be followed on an ongoing basis, including where there is any change to an existing agreed data disclosure where national data opt-outs were assessed not to apply previously
if at any time in the future you identify that national data opt-outs need to apply and you had not previously set up the MESH service or the procedures to check and apply national data opt-outs to a set of data, then you must follow Actions 3 and 4 so that opt-outs are applied before the data is disclosed
you must make sure the written procedures are maintained and updated if at any time in the future you identify that national data opt-outs need to apply and you had not previously set up the MESH service or the procedures to check and apply national data opt-outs to a set of data

Declare compliance

With all the above complete, you can now declare your organisation’s compliance with national data opt-out policy.

This also means your organisation will be able to complete the compliance with the national data opt-out policy evidence item stated in the Data Security and Protection toolkit from 2019/20.

Last edited: 27 April 2020 7:40 pm