10. Compliance with the national data opt-out
The national data opt-out is a policy set by the DHSC.
It gives effect to the right set out in the NHS Constitution to “request that your confidential information is not used beyond your own care and treatment”. The policy is intended to implement the recommendations of the NDG review and thereby help to increase public confidence and trust in the use of their health and care data.
A number of mechanisms have been put in place to ensure that organisations within health and adult social care comply with the national data opt-out policy as required. Principally this is a combination of information standards, statutory guidance, contractual levers, legal requirements and information for the public to increase visibility and transparency of compliance at a local level.
It should be noted that health and adult social care bodies are legally required to “have regard to” information standards (made under Section 250 of the Health and Social Care Act 2012) and statutory guidance (issued under Section 263 of the Health and Social Care Act 2012). Whilst these are not an absolute legal obligation, an organisation that does not comply with an information standard or statutory guidance may be leaving itself open to legal challenge.
10.1: Code of Practice on Confidential Information
Any organisation that collects, analyses, publishes or disseminates confidential health and care information is legally required to “have regard to” the NHS Digital Code of Practice on Confidential Information under S.263 of the Health and Social Care Act 2012 (HSCA). The code of practice is published by NHS Digital and clearly defines the steps that organisations must, should and may take to ensure that confidential information is handled appropriately. This includes the application of national data opt-outs in line with this policy.
10.2: Data Security and Protection Toolkit
The Data Security and Protection (DSP) Toolkit (which replaced the Information Governance (IG) Toolkit) includes an evidence item on compliance with the national data opt-out. (The wording for the evidence item is subject to confirmation in the 2019/20 version of the toolkit.) This requires organisations to self-declare their compliance (or otherwise) with the policy and provide a clear public statement to this effect. It is of note that compliance may not require an organisation to actually apply national data opt-outs e.g. where an organisation only processes CPI for individual care. The DSP toolkit is an information standard.
10.3: Information standard on compliance with the national data opt-out
An information standard on compliance with the national data opt-out is in the process of being developed. This standard mandates organisations to comply with the national data opt-out policy and to use the technical service to check for national data opt-outs in line with technical specifications and instructions. It also specifies the compliance timeframe as part of the implementation guidance element of the standard.
NHS contracts and those based on the NHS standard contract include a requirement to comply with all information standards. Failure to do so may be considered a breach of contract.
10.5: Information Commissioner’s Office (ICO) position
Although the national data opt-out is a policy to allow patients some additional choice about how their confidential patient information is used, the ICO have set out their position on how they may consider cases where the national data opt-out was not applied when it should have been. Specifically, failure to comply with the national data opt-out policy could be seen as a breach of the requirements for processing to be fair and transparent.