8. Applying the national data opt-out

Where a national data opt-out needs to be applied this means that the entire record, or records, associated with that individual must be fully removed from the extract or dataset used for this purpose.  It is not permitted to simply remove identifiers or otherwise de-identify part of the record (such that the data is still not anonymised in line with the ICO Code of Practice) due to the risks of re-identification associated with this approach.

It should be noted that source, or underlying records, held in systems may still be needed, for example for individual care purposes, and the opt-out does not require such records to be removed.  In most cases it is expected that datasets for purposes beyond individual care will be derived or extracted and the opt-out can then be applied without an impact on the source data.

If more than one file is to be released to another organisation without the opt-out having been upheld (as a result of the statements or exemptions in this policy) care must be taken to ensure that no common identifiers can be used to re-identify records of individuals.

For example, consider an organisation releasing multiple related files, the first of which is anonymised in line with the ICO Code of Practice and the second being data which is not confidential but contains patient identifiers. If an identifier appears in both datasets, this could be used to re-identify the individual. 

Where a national data opt-out has been set, it is recorded against an individual’s NHS number and the NHS number is used as the single identifier for applying the national data opt-out. The following policy lines apply to the use of NHS number for applying national data opt-outs:

• the NHS number is used as the single identifier to register and to apply an individual’s national data opt-out.  No other patient identifiers are used to identify patients and apply national data opt-outs.
• organisations are not required to ‘trace’ NHS numbers specifically for the purpose of applying the national data opt-out outside of that required for existing good practice.  That is in instances where the NHS number is missing or inaccurate within datasets or individual records. Where NHS numbers are easily attainable opt-outs should be applied as in the table below:

• organisations must not deliberately remove or omit the NHS number from data flows containing other confidential patient information in order to prevent the national data opt-out from being applied correctly in line with this policy.
• in some instances, patient identifiers including NHS number have been intentionally removed from records to prevent the individual from being identified, such as for patients with legally restricted conditions or in line with a consent model. (For example identifying individuals who have received IVF is restricted by the Human Fertilisation and Embryology Act 1990 as amended by the Human Fertilisation and Embryology (Disclosure of Information) Act 1992.) In these cases, no attempt should be made to re-identify the individual in order to apply the national data opt-out as this may be detrimental to the confidentiality and privacy of the individual and could breach legal restrictions.
• where there is a time lag between confidential patient information being entered on systems and the NHS number being available, organisations are encouraged to ensure that business processes that identify patient cohorts for submission to the 'Check for national data opt-outs' service should take this into account.

An Information Standard provides the specification for use of the NHS number by NHS bodies and by other organisations providing health and care services in England in partnership with the NHS. Section 251A of the Health and Social Care Act 2012, (as amended by the Health and Social Care (Safety and Quality) Act 2015) together with the regulations made under S.251A(1), (Health and Social Care Act 2012 (Consistent Identifier) Regulations 2015 (SI 2015/1439)) provide that the NHS number must be used by commissioners and providers as the consistent identifier when processing information about a patient for their direct care.

A national data opt-out is applied to confidential patient information at the point it is disclosed for purposes beyond individual care. The most up-to-date national data opt-out must be applied at this point.

A national data opt-out applies to all confidential patient information in relation to the individual in scope, including any historic patient records being disclosed for a specific purpose.

A national data opt-out does not apply retrospectively, meaning it does not need to be applied to data that has already been processed. At the point a particular dataset has been used or released, all patients who have opted out at that time should be removed. Data does not need to be recalled once released or otherwise processed.

A patient may choose to change their opt-out decision at any time and their current choice is respected at any given time, replacing any previous choices made. If a patient has previously opted out, but then subsequently withdraws their opt-out, their confidential patient information (including any historic data) will become available for use beyond their individual care once again. This is true even where the data relates to a period where the patient had previously opted out.

An individual is not able to set a preference that specifically applies to data over a defined period of time, although as described in the NDG Review they can choose to give explicit consent (under common law) for a particular use of their data. For example, a research project or clinical trial.

An organisation is expected to comply with the conditions set out in their data sharing agreements with regards to data retention/destruction and onward sharing of data for future uses. There is no specific requirement for an organisation to remove an individual’s record from data they have already received as a result of an individual’s opt-out preference being changed. However, data sharing agreements may include specific arrangements for the application of the most up-to-date national data opt-out prior to onward sharing if required by the data controller. 

Where the terms of the use of the data (i.e. the specific S.251 approval) covers onward sharing, data controllers should apply the most up to date national data opt-out at this point. For example, an organisation that falls within the definition of health and care organisations set out in Section 4 may receive data from a health and social care provider under S.251 support and the S.251 support also allows this data to be linked with Hospital Episode Statistics (HES) data from NHS Digital. The national data opt-out would be applied at the point that the original data is disclosed from the health and social care provider to the organisation but it should also be applied at the point of disclosure to NHS Digital and also by NHS Digital when the linked data is returned to the research organisation.

National data opt-outs may take up to 21 days from being registered with NHS Digital to being fully applied to all disclosures of data.

Patients setting a national data opt-out will be provided with clear information that it may take up to 21 days for their opt-out to be applied across all disclosures of data.  The service to check for national data opt-outs is updated every 24 hrs which gives local organisations who access the service directly 20 days to process and disclose the data.  Where a temporary cache of the data is held locally this must be updated at least every 7 days and in this case the organisation has 13 days to process and disclose the data.

Data received by organisations through the service to check for national data opt-outs is provided for the sole purpose of applying national data opt-outs in line with this policy. 

In line with the information provided to patients setting a national data opt-out the cleaned list provided to organisations is to enable compliance with the national data opt-out policy.  It must be stored securely and accessed on a need to know basis only.  Specifically, it must not be:

• used to explicitly identify patients with a national data opt-out
• added to, or stored, on a patient record
• used to explicitly provide clinicians or other care staff with a view of a patient’s national data opt-out preference other than where this is essential for the purpose of applying opt-outs.  For example, it should not be used to consider an individual’s suitability for research.   

Further details on the use of the data received through the service to check for national data opt-outs will be included in the Information Standard on Compliance with the National Data Opt-out and in the licence for the use of this data.