National data opt-out: compliance implementation guide

Completing these steps means:

• you will comply with Information Standard DCB3058: compliance with national data opt-outs
• you will be able to complete the evidence item ‘compliance with national data opt-out policy’ in the Data Security and Protection toolkit

The flowchart below is a high level view of the actions required to become compliant with national data opt-out policy.

You need to consider how long this process will take and who should be involved.

Consider how long it will take to become compliant

If your organisation has already completed a comprehensive assessment of existing data disclosures, to meet the General Data Protection Regulation (GDPR) and Data Protection Act 2018, and there are procedures in place to consider new data disclosure requests, the actions in this guide could be completed within 2-3 months.

If not, plan for the process to take up to 6 months.  

These timescales are provided as an indicator. They take into consideration how long it may take to:

• get any governance approvals
• agree sign-off
• complete testing
• set up appropriate communications for each action

Consider who should be involved 

As you begin implementation, think about who may need to be involved in the compliance plan for the organisation and whose approval and agreement is required to take forward the actions set out in this guide.

Depending upon your organisation, you should consider discussing the compliance position, and getting agreement on actions, with your: 

• Information governance (IG) lead
• Caldicott Guardian
• Senior Information Risk Owner (SIRO)
• Data Protection Officer (DPO)
• Chief Information Officer (CIO)
• Chief Clinical Information Officer (CCIO)
• Chief Executive Officer
• Practice Partners
• Trust/Organisational Board

Take the following steps.

Start by looking at your current and ongoing data uses and disclosures to assess if they need to have national data opt-outs applied.

Find or prepare a list of data disclosures

You may already have a list of disclosures – for example a Records of Processing Activity (ROPA) document for your organisation, as required under Article 30 of the General Data Protection Regulation (GDPR).

To assess your disclosures against national data opt-out policy, you will need to be able to identify them all and determine:

• whether they contain confidential patient information
• if they are being used for purposes beyond individual care
• how the Common Law Duty of Confidentiality (CLDC) is being met

Anyone who is requesting information that your organisation is the data controller for should be clear about how the CLDC will be met. This will inform the decision on whether national data opt-outs should be applied.

Do a stock-take

You need to do a stock take if:

• you do not have a list
• you’re not sure if it’s complete or up-to-date
• you have a list which does not contain the necessary information to determine whether opt-outs apply

Make sure you involve everyone in your organisation who is responsible for data protection and confidentiality and for processing patient data such as information managers, analysts, and audit teams. Consider raising awareness across the organisation, through newsletters, bulletins and other established communications routes.

Assess current and ongoing data disclosures

When you are confident you have captured all the data disclosures in your organisation, assess them to see if they are within scope of the national data opt-out policy.

The flow diagram below illustrates the key questions to take into account when determining this.

Follow our step by step guide, Understanding the national data opt-out to work out if your data uses or disclosures are in scope.

For more details of the policy, specific cases such as invoice validation, risk stratification and cross-border flows and any specific exemptions look at the national data opt-out operational policy guidance.

To help you make this assessment, we have created a compendium of common data disclosures which we have assessed to show whether opt-outs need to be applied. 

Update policies and procedures

You need to update processes for handling new disclosure requests, to make sure the national data opt-out policy is considered when each new disclosure is assessed.  You also need to make sure processes are documented, to demonstrate compliance with national data opt-out policy.

You may need to:

• identify if there is a recognised procedure in place for managing requests to disclose patient data for purposes beyond a patient’s individual care – it might include application and approval processes from a board or individual
• identify who is usually responsible for considering or approving requests and make sure they are involved or kept informed as you work on becoming compliant
• identify whether the procedure is documented, for example in a set of Standard Operating Procedures (SOP) - and if so amend the document to include an additional check to consider if the request falls within scope for national data opt-outs to be applied
• establish and document a new procedure, if there are no documented procedures in place

Once you have identified and assessed all current and ongoing data disclosures, you are in a position to decide whether to implement the technical solution.

You must implement the technical solution to become compliant if there are:

• current data disclosures taking place which are in scope of the national data opt-out policy
• no current data disclosures in scope but you will have a data disclosure very soon that would be in scope of the national data opt-out policy – for example you may have agreed to provide data on a quarterly basis

You do not need to implement the technical solution to become compliant if there are no current data disclosures taking place which are in scope of the national data opt-out policy, and it seems unlikely there will be any within the next 3-4 months.

If it's not necessary for you to implement the technical solution, you can still choose to do so – but you can declare compliance without it.

To remove records of patients who have a national data opt-out registered, your organisation needs to implement the technical solution we’ve developed. The Check for National Data Opt-outs service uses the Message Exchange for Social Care and Health (MESH), so most organisations will need to install MESH to use the service, or if it’s already installed, configure it for this additional purpose.

Your organisation may already be using MESH. IT and data administration colleagues should use the guidance on the Check for National Data Opt-outs service pages to decide on the most appropriate configuration of MESH for your organisation.

Plan how your organisation will use the service

The service lets you use MESH to send lists of NHS numbers to be checked against the repository on the Spine. You then receive the list back, with the NHS numbers removed of any patients that have a national data opt-out. You need to work out how to incorporate this in your processes.

Read full details of how to send and receive files through the Check for National Data Opt-outs service.

Choose how you will use the service

You can either:

• use the service each time you prepare a data disclosure, or
• use it to check the NHS numbers of a cohort of patients (including your existing patients, previous patients and deceased patients) who may feature in multiple data disclosures – this is called ‘caching’

If you choose the second option, you must follow the terms of the license agreement on how you can use this cached data.

Decide on process and allocate tasks

Decide who will be responsible for the following tasks and how they will be performed:

1. Provide a list of just the NHS numbers taken from the records that are planned for disclosure, or the list of NHS numbers that might be disclosed during the time period of the cache – consider who will have the capability and the access to data to create this list.
2. Prepare the list file and a control file in the correct format and use the service to send them.
3. Take the returned list from the service (cache it if necessary) 
4. Compare the list of numbers that is returned with the original list and remove the records of any that no longer appear on the returned list from the data disclosure entirely, to create an updated set of data to be disclosed.
5. Confirm that national data opt-outs have been applied and the data can now be disclosed for the purpose agreed.

There is a test set of data you can use with the service to check your processes for preparing, sending and receiving files and comparing lists work in practice, available on the Check for National Data Opt-outs service page.

Complete a Data Protection Impact Assessment (DPIA)

In accordance with guidance provided by the Information Commissioner’s Office, you should complete a Data Protection Impact Assessment (DPIA) that covers the data processing required to prepare a data set for disclosure with national data opt-outs applied.

Guidance and suggested text for your DPIA (Word document - request a different format)

Document and implement the new procedures

Update your standard operating procedures, or any equivalent set of operating instructions your organisation maintains, to include the use of the Check for National Data Opt-outs service and application of national data opt-outs where needed.

Internal communications

You should make sure everyone within your organisation who has access to patient data, and/or is responsible for processing or handling it, is made aware of the updated procedures.

Identify who is responsible for staff communications and work with them to develop a communications plan and create suitable materials.

Communicate through whatever channels are available, such as intranets or newsletters.

Make sure documented procedures are accessible, including for new members of staff, by including them in staff training and induction materials.

Patient communications

You should update your privacy notice materials, and include a declaration to state when your organisation is compliant with national data opt-out policy, to comply with the Information Standard. 

See recommended content to include in your organisation’s website and privacy notice.

Identify who produces and/or is responsible for creating patient materials and managing patient communication channels, and work with them to decide how to inform patients appropriately. Consider your organisation’s website if you have one, and work with patient groups such as Patient Participation Groups (PPGs) in GP practices and the Patient Advice and Liaison Services (PALS) in NHS trusts.

Check existing stocks of the ‘Your NHS Data Matters’ printed materials, order more if needed, and make sure they are available in public spaces.

Consider creating and publishing a register of approved requests for data disclosures, if you do not already do so. With the processes in place for considering requests for data disclosures and whether national data opt-outs apply, this provides greater transparency for your patients.

Communications with other organisations 

Organisations you work with may be affected by your organisation becoming compliant with the national data opt-out policy. You should tell organisations that use your data, or that you disclose data to, that you are preparing to apply opt-outs, and let them know whether opt-outs will be applied to their data disclosures.

The policy allows you to tell organisations that receive your data how many records have been removed from the set of data after applying national data opt-outs, so you can choose to supply this information with future data disclosures.

If organisations ask about the likely effects of national data opt-outs on the data they will be using or receiving, you can point them to national statistical data published by NHS Digital which provides more information on the numbers of opt-outs. The statistics are also broken down into further categories such as age, gender and geographical area.

Decide date to declare compliance

With all the above either in place or scheduled, you just need to finalise the actual date from which you will declare that your organisation now complies with the national data opt-out policy.

Make sure your agreed staff communications go out before the declared compliance date so that they know when the new procedures come into effect.

Arrange to provide any agreed patient communication materials either on the date from which you are stating compliance or soon after.

If you are providing communications to organisations that use your data or receive disclosures of data from you that will be affected by national data opt-outs, then make sure those communications are ready to be provided before the next data disclosure takes place.

When you have everything in place to support your proposed compliance date make sure you get approval within your organisation through whichever route you agreed at the outset. Make sure all stakeholders are content with the proposed date, and that all actions have been considered and are either in place or ready to be activated.

Declare compliance

With all the above complete, you can now declare your organisation’s compliance with national data opt-out policy.

This also means your organisation will be able to complete the compliance with the national data opt-out policy evidence item stated in the Data Security and Protection toolkit from 2019/20.