National data opt-out operational policy guidance document

10. Compliance with the national data opt-out

Summary

The national data opt-out is a policy set by the DHSC.

It gives effect to the right set out in the NHS Constitution to “request that your confidential information is not used beyond your own care and treatment”. The policy is intended to implement the recommendations of the NDG review and thereby help to increase public confidence and trust in the use of their health and care data.

A number of mechanisms have been put in place to ensure that organisations within health and adult social care comply with the national data opt-out policy as required. Principally these are a combination of information standards, statutory guidance, contractual levers, legal requirements and information for the public to increase the visibility and transparency of compliance at a local level.

It should be noted that health and adult social care bodies are legally required to “have regard to” information standards (made under Section 250 of the Health and Social Care Act 2012) and statutory guidance (issued under Section 263 of the Health and Social Care Act 2012). Whilst “having regard to” is not an absolute legal obligation to comply, an organisation that does not comply with an information standard or statutory guidance may be leaving itself open to legal challenge.

10.1: Code of Practice on Confidential Information

Any organisation that collects, analyses, publishes or disseminates confidential health and care information is legally required to “have regard to” the NHS Digital Code of Practice on Confidential Information under S.263 of the Health and Social Care Act 2012 (HSCA). The code of practice is published by NHS Digital and clearly defines the steps that organisations must, should and may take to ensure that confidential information is handled appropriately. This includes the application of national data opt-outs in line with this policy.

10.2: Data Security and Protection Toolkit

The Data Security and Protection (DSP) Toolkit (which replaced the Information Governance (IG) Toolkit) includes an evidence item on compliance with the national data opt-out. (The wording for the evidence item is subject to confirmation in the 2019/20 version of the toolkit.) This requires organisations to self-declare their compliance (or otherwise) with the policy and to provide a clear public statement to this effect. Note that compliance does not always require an organisation to actually apply national data opt-outs, for example where an organisation only processes confidential patient information (CPI) for individual care. The DSP Toolkit is itself an information standard.

10.3: Information standard on compliance with the national data opt-out

An information standard on compliance with the national data opt-out is in the process of being developed. This standard will mandate organisations to comply with the national data opt-out policy and to use the technical service to check for national data opt-outs in line with the technical specifications and instructions. It will also specify the compliance timeframe as part of the implementation guidance element of the standard.

10.4: Contracts

NHS contracts, and those based on the NHS Standard Contract, include a requirement to comply with all information standards. Failure to do so may be considered a breach of contract.

10.5: Information Commissioner’s Office (ICO) position

Although the national data opt-out is a policy that gives patients some additional choice about how their confidential patient information is used, the ICO has set out its position on how it may consider cases where the national data opt-out was not applied when it should have been. Specifically, failure to comply with the national data opt-out policy could be seen as a breach of the requirement for processing to be fair and transparent.

Last edited: 25 February 2020 12:46 pm