We have detected that you are using Internet Explorer to visit this website. Internet Explorer is now being phased out by Microsoft. As a result, NHS Digital no longer supports any version of Internet Explorer for our web-based products, as it involves considerable extra effort and expense, which cannot be justified from public funds. Some features on this site will not work. You should use a modern browser such as Edge, Chrome, Firefox, or Safari. If you have difficulty installing or accessing a different browser, contact your IT support team.
Compliance with the national data opt-out
The deadline for health and care organisations to comply with national data opt-out policy is now 30 September 2021. It has been extended to enable health and care organisations to focus their resources on the coronavirus (COVID-19) outbreak. Use our compliance implementation guide to find out what you need to do within your organisation.
Page contents
Compliance with the national data opt-out policy
The deadline for health and care organisations to comply with national data opt-out policy is now 30 September 2021. The deadline has been extended again, to enable health and care organisations to focus their resources on the coronavirus (COVID-19) outbreak. Read the letter sent from NHS Digital and NHSX to health and care.
This requirement is supported by Information Standard: DCB3058: Compliance with National Data Opt-outs.
To comply with national data opt-out policy, you need to put procedures in place to review uses or disclosures of confidential patient information against the operational policy guidance.
See our guidance overview of the national data opt-out policy to help you understand how it works and which data uses, or disclosures, are in scope.
If current uses or disclosures should have national data opt-outs applied, you need to:
- implement the technical solution to enable you to check lists of NHS numbers against those with national data opt-outs registered
- have a process in place, when you get the results back, to ensure that you only use or disclose information for the returned list of NHS numbers, as any with national data opt-outs registered will have been removed
If you have no uses or disclosures which need to have national data opt-outs applied, you must still put procedures in place to assess future uses or disclosures against the national data opt-out operational policy guidance, and can choose to either:
- implement the technical solution in readiness, or
- be ready to implement it if needed for future data uses or disclosures
Once compliant, confidential patient information must not be used or disclosed before it has been assessed and national data opt-outs applied when necessary.
The Check for National Data Opt-outs service - technical solution
National data opt-outs are held on the NHS Spine against an individual’s NHS number. If your use or disclosure of data needs to have national data opt-outs applied, you must remove records for patients with an opt-out registered from the data being used.
The Check for National Data Opt-outs service uses the messaging exchange for social care and health (MESH) to enable you to submit lists of NHS numbers and receive lists back with the NHS numbers removed for those patients that have opted out.
To help GP practices to become compliant with the national data opt-out, the principal GP system suppliers have been commissioned to develop and embed the service into their clinical systems. Further information will be made available as the GP system suppliers confirm their delivery plans. See further information for GP practices.
Compliance resources
Compliance implementation guide: provides a step-by-step guide to help organisations understand and plan the actions required to become compliant with national data opt-out policy.
Check for National Data Opt-outs service: guidance on how to install and configure MESH to enable lists of NHS numbers to be processed through the Check for National Data Opt-outs service, including a full test data pack.
Check for National Data Opt-outs licence agreement: notes the rights and conditions upon which your organisation may use the Check for National Data Opt-outs service provided by NHS Digital.
National Data Opt-out checker app: a simple tool you can use when submitting to national clinical audits, developed by University Hospitals Plymouth NHS Trust.
Recommended text for privacy notices: contains some suggested text to include in your organisation's patient privacy notice. (Word file - request in a different format.)
DPIA guidance: guidance for completing a data protection impact assessment on the data processing activity being taken to apply national data opt-outs. (Word file - request in a different format.)
Data Uses and Releases Compendium (27 April 2020): provides real examples of data disclosures and the assessment as to whether national data opt-outs apply or not. (Pdf file - request in a different format.)
Declaring compliance
NHS organisations have responsibility for making sure that they comply with the national data opt-out. NHS Digital is not responsible for monitoring organisations’ compliance. Organisations prove their compliance by publishing their privacy notice and submitting their Data Security and Protection Toolkit assessment. This is mandatory for all NHS organisations.
There is also an Information Standard: DCB3058: Compliance with National Data Opt-outs requiring compliance with the national data opt-out standard.
Last edited: 11 February 2021 6:48 pm