We have detected that you are using Internet Explorer to visit this website. Internet Explorer is now being phased out by Microsoft. As a result, NHS Digital no longer supports any version of Internet Explorer for our web-based products, as it involves considerable extra effort and expense, which cannot be justified from public funds. Some features on this site will not work. You should use a modern browser such as Edge, Chrome, Firefox, or Safari. If you have difficulty installing or accessing a different browser, contact your IT support team.
Compliance with the national data opt-out policy
The deadline for health and care organisations to comply with national data opt-out policy is currently 31 March 2021. The deadline has been extended to enable health and care organisations to focus their resources on the coronavirus (COVID-19) outbreak. Read the letter sent from NHS Digital and NHSX to health and care.
This requirement is supported by Information Standard: DCB3058: Compliance with National Data Opt-outs.
To comply with national data opt-out policy, you need to put procedures in place to review uses or disclosures of confidential patient information against the operational policy guidance.
See our guidance overview of the national data opt-out policy to help you understand how it works and which data uses, or disclosures, are in scope.
If current uses or disclosures should have national data opt-outs applied, you need to:
- implement the technical solution to enable you to check lists of NHS numbers against those with national data opt-outs registered
- have a process in place, when you get the results back, to ensure that you only use or disclose information for the returned list of NHS numbers, as any with national data opt-outs registered will have been removed
If you have no uses or disclosures which need to have national data opt-outs applied, you must still put procedures in place to assess future uses or disclosures against the national data opt-out operational policy guidance, and can choose to either:
- implement the technical solution in readiness, or
- be ready to implement it if needed for future data uses or disclosures
Once compliant, confidential patient information must not be used or disclosed before it has been assessed and national data opt-outs applied when necessary.
The Check for National Data Opt-outs service - technical solution
National data opt-outs are held on the NHS Spine against an individual’s NHS number. If your use or disclosure of data needs to have national data opt-outs applied, you must remove records for patients with an opt-out registered from the data being used.
The Check for National Data Opt-outs service uses the messaging exchange for social care and health (MESH) to enable you to submit lists of NHS numbers and receive lists back with the NHS numbers removed for those patients that have opted out.
To help GP practices to become compliant with the national data opt-out, the four principal GP system suppliers have been commissioned to develop and embed the service into their clinical systems. Further information will be made available as the GP system suppliers confirm their delivery plans. See further information for GP practices.
Compliance resources
Compliance implementation guide: provides a step-by-step guide to help organisations understand and plan the actions required to become compliant with national data opt-out policy.
Check for National Data Opt-outs service: guidance on how to install and configure MESH to enable lists of NHS numbers to be processed through the Check for National Data Opt-outs service, including a full test data pack.
Check for National Data Opt-outs licence agreement: notes the rights and conditions upon which your organisation may use the Check for National Data Opt-outs service provided by NHS Digital.
National Data Opt-out checker app: a simple tool you can use when submitting to national clinical audits, developed by University Hospitals Plymouth NHS Trust.
Recommended text for privacy notices: contains some suggested text to include in your organisation's patient privacy notice. (Word file - request in a different format.)
DPIA guidance: guidance for completing a data protection impact assessment on the data processing activity being taken to apply national data opt-outs. (Word file - request in a different format.)
Data Uses and Releases Compendium (27 April 2020): provides real examples of data disclosures and the assessment as to whether national data opt-outs apply or not. (Pdf file - request in a different format.)
Declaring compliance
NHS organisations have responsibility for making sure that they comply with the national data opt-out. NHS Digital is not responsible for monitoring organisations’ compliance. Organisations prove their compliance by publishing their privacy notice and submitting their Data Security and Protection Toolkit assessment. This is mandatory for all NHS organisations.
Although the deadline for complying with the national data opt-out policy has been extended to 31 March 2021, organisations will be asked to provide an update on their progress towards compliance in their DSP submission. The DSP toolkit submission deadline has been extended to 30 September 2020.
Information on which organisations have achieved ‘standards met’ on the DSP Toolkit will be published later in the year. There is also an Information Standard: DCB3058: Compliance with National Data Opt-outs requiring compliance with the national data opt-out standard, which requires organisations to conform with the policy by March 2021.
Last edited: 11 September 2020 2:24 pm