Part of National data opt-out operational policy guidance document

Appendix 2: Definitions

For the purpose of this policy the following definitions have been used.


A2.1: Individual or Direct Care

The following definition of individual (also called direct) care, as set out in the NDG Review, is used to underpin the national data opt-out:

“A clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals’ ability to function and improve their participation in life and society. It includes the assurance of safe and high-quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.”

The NDG review gave some further clarity on local clinical audit as follows:

“The use of personal confidential data for local clinical audit is permissible within an organisation with the participation of a health and social care professional with a legitimate relationship to the patient through implied consent. For audit across organisations, the use of personal confidential data is permissible where there is approval under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002”.

These policy definitions need to be considered in the context of the legal framework around sharing of a patient’s data for direct care, including the need for a lawful basis to process the data under the data protection legislation.  Under section 251B of the Health and Social Care Act 2012 (as amended by the Health and Social Care (Safety and Quality) Act 2015) all commissioners and providers of health and care are required to share a patient’s data with other relevant commissioners or providers where ‘it is likely to facilitate the provision to the individual’ of health or care in England.  This statutory duty is subject to the common law duty of confidence (CLDC), which will be complied with in circumstances where the patient knows or reasonably expects that their data will be shared in such circumstances, i.e. there is implied consent.  Section 251B and implied consent under CLDC will together provide the lawful basis to share in most cases of direct care. In these cases, and any cases of direct care based on explicit consent, the national data opt-out will not apply.

For completeness the Information Governance Review also defined what should be considered indirect care or purposes beyond individual care to be:

“Activities that contribute to the overall provision of services to a population as a whole or a group of patients with a particular condition, but which fall outside the scope of direct care. It covers health services management, preventative medicine, and medical research. Examples of activities would be risk prediction and stratification, service evaluation, needs assessment, financial audit.”


A2.2: Data Controller

In this guidance, ‘data controller’ has the same meaning as ‘data controller’ or ‘controller’ in the Data Protection Act 2018 and the GDPR.  Article 4(7) GDPR defines ‘controller’ as follows:

“‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;”


A2.3: Data Processor

Again ‘data processor’ has the same meaning as ‘data processor’ or ‘processor’ in the Data Protection Act 2018 and GDPR.  Article 4(8) GDPR defines ‘processor’ as follows:

“‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;”


A2.4: Section 251 (S.251)

Section 251 of the National Health Service Act 2006 allows the Secretary of State for Health and Social Care to make regulations to authorise or require the processing of confidential patient information (CPI) for prescribed medical purposes and, in so doing, to set aside the common law duty of confidentiality. The only regulations made under this provision are the Health Service (Control of Patient Information) Regulations 2002 (SI 2002/1438) (“COPI Regulations”). These regulations enable the disclosure of confidential patient information without consent, and without there being a breach of the common law duty of confidentiality, as long as the requirements of the regulations are met. The person responsible for the information must still comply with all other relevant legal obligations including data protection legislation. The COPI Regulations provide 3 legal gateways:

  • Regulation 2 permits confidential patient information relating to patients referred for the diagnosis or treatment of cancer to be processed for the medical purposes set out in the regulation.
  • Regulation 3 provides specific support for confidential patient information to be processed to diagnose, control or prevent, or recognise trends in, communicable diseases and other risks to public health.
  • Regulation 5 provides support for confidential patient information to be processed for the medical purposes set out in the Schedule, which includes ‘the audit, monitoring and analysing of the provision made by the health service for patient care and treatment’.

Regulation 2 and 5 approvals from the Secretary of State or HRA are subject to advice from the Confidential Advisory Group (CAG), which is hosted by the Health Research Authority. Regulation 3 authorisations are managed by Public Health England. Any person wishing to obtain approval under Regulation 2 or 5 must submit an application to CAG, which provides independent expert advice to the relevant decision maker, i.e. the Health Research Authority for research applications and the Secretary of State for Health and Social Care for non-research applications. A standard condition of its advice is that the wishes of patients who have withheld or withdrawn their consent (i.e. opt-outs) to the use of this information are respected. It has taken a policy position that it will advise that it is not in the public interest to over-ride an opt-out in anything other than the most exceptional circumstances.


A2.5: Health and adult social care system

The term “health and adult social care system” in this document is defined in section 4.1 and refers to organisations and associated processes that are part of health and adult social care. It does not refer to a specific information technology (IT) system or set of IT systems.


A2.6: Patients, members of the public and service users

A number of different terms are used throughout health and adult social care to refer to the people for whom services are provided. In health, the term ‘patient’ is generally used while in adult social care, a variety of terms are used, including ‘service user’. However, a person setting an opt-out may not necessarily be either a ‘patient’ or a ‘service user’. For the purposes of this document, the terms ‘member of the public’ and ‘person’ will be used to refer to an individual in the context of setting an opt-out and the term ‘patient’ will be used in the context of an organisation applying an opt-out.


A2.7: Setting and applying opt-outs

The term ‘setting’ in the context of national data opt-outs is used to refer to the processes whereby a member of the public uses one of the available channels to set a national data opt-out. The term ‘applying’ is used to refer to the processes whereby organisations within health and adult social care apply the national data opt-out to any data disclosures.

Last edited: 25 February 2020 12:49 pm