Compliance with the national data opt-out
GP practices must comply with the national data opt-out policy by 31 March 2020.
All practices must have procedures in place to identify whether they have data disclosures where the national data opt out applies, and if so, how they will remove the records of patients who have registered an opt-out. See understanding the national data opt-out to find out when to apply national data opt-outs. Use our compliance implementation guide to make sure your practice is compliant.
GP clinical system functionality
To help GP practices to become compliant and to apply national data opt-outs, the four principal GP IT system suppliers are implementing new functionality in the reporting and search modules within their clinical systems. The functionality will enable practices to easily remove the records of patients who have registered a national data opt-out from data disclosures when the practice decides the opt-out applies. Your supplier will be updating you about this new functionality, and you should contact them if you have questions.
Vision and Microtest system users
The new functionality may not be available before the 31 March 2020 deadline. You should follow all steps of the compliance implementation guide and use the Check for national data opt-outs service which is part of the Message Exchange for Social Care and Health (MESH), to make sure your practice is compliant by 31 March 2020.
TPP and EMIS system users
You should have new functionality in your system’s reporting and search modules before the deadline. (TPP SystmOne is expected to go live in February, and EMIS Web in March.) This will enable you to remove the records of patients who have registered a national data opt-out from any data disclosures you have identified as being in scope. You should still follow the compliance implementation guide to make sure your practice is compliant by 31 March 2020.
Practices will need to ensure that any clinical system report (or search) used to generate that data disclosure is configured to remove national data opt-outs – using the new functionality when available.
If the disclosure is generated from a pre-existing report (one which was created prior to the new functionality being available), it’s the responsibility of the practice, as data controller, to ensure that the report is edited to apply national data opt-outs before it is next run.
If a new report is required, the practice must ensure that national data opt-outs are applied as appropriate when it is created.
If the report used to generate the disclosure is one that the practice does not ‘own’ and is unable to edit (for example, one created or published by another organisation or system supplier), the practice must contact the owner or publisher to ensure that national data opt-outs are applied before data is disclosed.
Supporting your patients - resources and guidance
Practices should make sure staff are aware of the national data opt-out so they can support their patients.
Some training providers also offer classroom and eLearning courses that include content on national data opt-out policy.
Resources are available for practice staff to share with patients if they have any questions. When patients ask about opting out:
- refer them to the website nhs.uk/your-nhs-data-matters
- it's helpful to make sure they know their NHS number
- ensure they have an up-to-date email address or mobile phone number in their GP practice record, as this will be used to verify their identity when they use the service
Practices should check:
- existing posters, leaflet racks and screen display messages for materials that talk about data sharing and remove any which are no longer appropriate - for example, are there still copies of ‘Better information means better care’ leaflets or posters available that were used at the time of the care.data public campaign? (Care.data was formally closed in 2016, with no data extractions having taken place)
- the practice website (if you have one) for patient information about data sharing and opt-outs to check it is still relevant or whether anything will need to be updated to reflect the materials and information about the national data opt-out
- any patient registration forms that include information on different data uses and opt-outs available
- if there are any existing opt-out request forms in place and whether they are still accurate - for instance, do they offer the patient the ability to record an opt-out to prevent the sharing of data for purposes beyond individual care by NHS Digital (also referred to as a ‘type 2’ opt-out)
Communication with GP practices
Letter sent to all GP practices in May 2018, with more details about the national data opt-out and the transition from type 2 opt-outs.
Letter sent to all GP practices at the end of March 2019, with further reminder of action required on type 2 opt-outs.
Letter sent to all GP practices in September 2019, highlighting actions required for compliance by March 2020.
Information governance queries in general practice
The Data Protection Officer (DPO) or Practice Manager in your GP practice may have more information about local escalation processes relating to information governance (IG) queries from patients.
Useful IG links
General IG queries:
- Information Governance Alliance (IGA) website
- England.firstname.lastname@example.org Data Sharing and Privacy Unit, NHS England
Enquiries about the General Data Protection Regulation (GDPR) and the Data Protection Act (2018):
- Information Commissioners Office (ICO) website
- 0303 123 1113 - ICO helpline number
Practices must no longer record ‘type 2’ opt-outs.
The national data opt-out has replaced type 2 opt-outs. GP practices must no longer use the type 2 opt-out codes to record a patient's opt-out choice as they are no longer collected or processed.
GP practices must amend policies, procedures and patient information to make sure that they are up to date, and that all staff know they must no longer record type 2 opt-outs on a patient’s medical record.
Guidance to prevent use of type 2 opt-out codes and identify if they have been used in error
Follow the guidance for the clinical system you use in your GP practice.
Patients who previously had a type 2 opt-out
Where a patient had a type 2 opt-out registered on or before 11 October 2018, this was automatically converted to a national data opt-out and if they were aged 13 or over they were sent a personal letter explaining the change and a handout with more information about the national data opt-out.
Patients can be reassured that their choices will continue to be respected. If they want to change their choice, they can use the national data opt-out service to do this.
Patients who have a type 1 opt-out
Some patients will have a type 1 opt-out registered with their GP practice, which indicates they do not want their confidential patient information leaving the practice for research and planning purposes. These existing type 1 opt-outs will continue to be respected until 2020, when the Department of Health and Social Care will consult with the National Data Guardian on their removal.