The following definition of individual (also called direct) care as set out in the NDG Review is used to underpin the national data opt-out
“A clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals’ ability to function and improve their participation in life and society. It includes the assurance of safe and high-quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.”
The NDG review gave some further clarity on local clinical audit as follows:
“The use of personal confidential data for local clinical audit is permissible within an organisation with the participation of a health and social care professional with a legitimate relationship to the patient through implied consent. For audit across organisations, the use of personal confidential data is permissible where there is approval under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002”.
These policy definitions need to be considered in the context of the legal framework around sharing of a patient’s data for direct care, including the need for a lawful basis to process the data under the data protection legislation. Under section 251B of the Health and Social Care Act 2012 (as amended by the Health and Social Care (Safety and Quality) Act 2015) all commissioners and providers of health and care are required to share a patient’s data with other relevant commissioners or providers where ‘it is likely to facilitate the provision to the individual’ of health or care in England. This statutory duty is subject to the common law duty of confidence (CLDC), which will be complied with in circumstances where the patient knows or reasonably expects that their data will be shared in such circumstances, i.e. there is implied consent. Section 251B and implied consent under CLDC will together provide the lawful basis to share in most cases of direct care. In these cases, and any cases of direct care based on explicit consent, the national data opt-out will not apply.
For completeness the Information Governance Review also defined what should be considered indirect care or purposes beyond individual care to be:
“Activities that contribute to the overall provision of services to a population as a whole or a group of patients with a particular condition, but which fall outside the scope of direct care. It covers health services management, preventative medicine, and medical research. Examples of activities would be risk prediction and stratification, service evaluation, needs assessment, financial audit.”