Skip to main content
Creating a new NHS England: Health Education England, NHS Digital and NHS England have merged. More about the merger.

Information for GP practices

What GP practices need to do to comply with the national data opt-out policy, and provide your patients with appropriate information.

Compliance with the national data opt-out

GP practices must comply with the national data opt-out policy by 31 July 2022. This deadline has been extended repeatedly from the original compliance deadline of 31 March 2020 to allow health and care organisations to focus on the response to the coronavirus (COVID-19) pandemic.

All practices must have procedures in place to identify whether they have data disclosures where the national data opt out applies, and if so, how they will remove the records of patients who have registered an opt-out. See understanding the national data opt-out to find out when to apply national data opt-outs. Use our compliance implementation guide to make sure your practice is compliant.

GP clinical system functionality

To help GP practices to become compliant and to apply national data opt-outs, the principal GP IT system suppliers are implementing new functionality in the reporting and search modules within their clinical systems. The functionality will enable practices to easily remove the records of patients who have registered a national data opt-out from data disclosures when the practice decides the opt-out applies. Your supplier will be updating you about this new functionality, and you should contact them if you have questions.

This new functionality should be available in your system’s reporting and search modules before the deadline. You should still follow the compliance implementation guide to make sure your practice is compliant by 31 July 2022.

Practices will need to ensure that any clinical system report (or search) used to generate that data disclosure is configured to remove national data opt-outs – using the new functionality when available.

If the disclosure is generated from a pre-existing report (one which was created prior to the new functionality being available), it’s the responsibility of the practice, as data controller, to ensure that the report is edited to apply national data opt-outs before it is next run.

If a new report is required, the practice must ensure that national data opt-outs are applied as appropriate when it is created.

If the report used to generate the disclosure is one that the practice does not ‘own’ and is unable to edit (for example, one created or published by another organisation or system supplier), the practice must contact the owner or publisher to ensure that national data opt-outs are applied before data is disclosed.

Supporting your patients - resources and guidance

Practices should make sure staff are aware of the national data opt-out so they can support their patients.

The Royal College of General Practitioners has published a Patient Data Choices toolkit for GPs and practice staff, and training materials in their RCGP e-learning module.

Some training providers also offer classroom and eLearning courses that include content on national data opt-out policy.

Resources are available for practice staff to share with patients if they have any questions. When patients ask about opting out:

  • refer them to the website
  • it's helpful to make sure they know their NHS number
  • ensure they have an up-to-date email address or mobile phone number in their GP practice record, as this will be used to verify their identity when they use the service

Practices should check:

  • existing posters, leaflet racks and screen display messages for materials that talk about data sharing and remove any which are no longer appropriate - for example, are there still copies of ‘Better information means better care’ leaflets or posters available that were used at the time of the public campaign?  ( was formally closed in 2016, with no data extractions having taken place)
  • the practice website (if you have one) for patient information about data sharing and opt-outs to check it is still relevant or whether anything will need to be updated to reflect the materials and information about the national data opt-out
  • any patient registration forms that include information on different data uses and opt-outs available
  • if there are any existing opt-out request forms in place and whether they are still accurate - for instance, do they offer the patient the ability to record an opt-out to prevent the sharing of data for purposes beyond individual care by NHS Digital (also referred to as a ‘type 2’ opt-out)

Communication with GP practices

Letter sent to all GP practices in May 2018, with more details about the national data opt-out and the transition from type 2 opt-outs.

Letter sent to all GP practices in October 2018, as a reminder that type 2 opt-outs are no longer valid.

Letter sent to all GP practices at the end of March 2019, with further reminder of action required on type 2 opt-outs.

Letter sent to all GP practices in September 2019, highlighting actions required for compliance.

Information governance queries in general practice

The Data Protection Officer (DPO) or Practice Manager in your GP practice may have more information about local escalation processes relating to information governance (IG) queries from patients. 

Useful IG links

General IG queries:

Enquiries about the General Data Protection Regulation (GDPR) and the Data Protection Act (2018):

Practices must no longer record ‘type 2’ opt-outs.

The national data opt-out has replaced type 2 opt-outs. GP practices must no longer use the type 2 opt-out codes to record a patient's opt-out choice as they are no longer collected or processed.

GP practices must amend policies, procedures and patient information to make sure that they are up to date, and that all staff know they must no longer record type 2 opt-outs on a patient’s medical record.

Guidance to prevent use of type 2 opt-out codes and identify if they have been used in error

Follow the guidance for the clinical system you use in your GP practice.

TPP SystmOne: guidance on invalid type 2 codes

EMIS Web: guidance on invalid type 2 codes

Vision: guidance on invalid type 2 codes

Microtest: guidance on invalid type 2 codes

Patients who previously had a type 2 opt-out

Where a patient had a type 2 opt-out registered on or before 11 October 2018, this was automatically converted to a national data opt-out and if they were aged 13 or over they were sent a personal letter explaining the change and a handout with more information about the national data opt-out.

Patients can be reassured that their choices will continue to be respected. If they want to change their choice, they can use the national data opt-out service to do this.

Patients who have a type 1 opt-out

Some patients will have a type 1 opt-out registered with their GP practice, which indicates they do not want their confidential patient information leaving the practice for research and planning purposes. These existing type 1 opt-outs will continue to be respected until the Department of Health and Social Care conducts a consultation with the National Data Guardian on their removal.

Last edited: 17 August 2022 2:21 pm