The following sections outline the rationale behind some of the policy approach on setting an opt-out.
A3.1.1: Personal Demographics Service (PDS) record as the basis for being able to set an opt-out
The intention is that the national data opt-out should be available to anybody who has received care from the health and adult social care system in England and, therefore, has data about them in the system. The intention is that as many patients as possible who fall into this category are able to set an opt-out. Therefore, the decision was taken that the opt-out should be available to everybody who has a record on PDS. This potentially includes patients who are not resident in England but may have received care from the health and adult social care system in England.
A3.1.2: Formal proxy and opt-out setting
The decision was taken to allow formal proxies (individuals who have a formal, legal relationship to act on behalf of another) to set an opt-out by proxy. This is to allow as many people as possible to have an opt-out and not disadvantage key groups of people. In order to minimise any potential misuse of the system this has been restricted to someone who has formal legal powers to represent the other individual. For this reason, lasting powers of attorney (LPA) for both health and welfare and property and financial matters and court appointed deputies are able to act as a formal proxy.
A3.1.3: Minimum age to independently set an opt-out
There are a range of different ages at which children are expected to make decisions about their medical treatment and use and access to medical information. In some cases, where these decisions are made in a clinical setting, a health professional may be required to determine the competence of a child to make such a decision.
GDPR sets out specific requirements around privacy for Information Society Services - which has a specific definition and is normally for remuneration (this includes advertisement income). Online health services are likely to be outside this definition as they are not paid for services. But data protection law does set 13 as the age at which a child does not need parental consent for the processing of their personal data online, that is that they can consent themselves to such processing. The national data opt-out has aligned with this legal age and 13 has been set as the minimum age from which children can set their opt-out preference through any channel. The legal minimum age in data protection law is seen as the most directly applicable law or guidance for this policy decision. Below 13 an opt-out can be set by someone with parental responsibility. Any national data opt-out that has been set by a person with parental responsibility for a child under the age of 13 will remain in place after the child reaches the age of 13. This setting will only change if the child/young person proactively decides to change their national data opt-out setting when they reach the age of 13 or after that.