1: Introduction

This document sets out the policy rules for all health and adult social care organisations to use when assessing whether the national data opt-out needs to be applied.   

The intended audience for this document comprises both individuals who are responsible for ensuring that the legal obligations of data protection and confidentiality are met and implemented and also those who are processing patient data within health and adult social care organisations. The former group may include the information governance lead, Caldicott Guardian, data protection officer, chief information officer, chief clinical information officer, senior information risk owner and others responsible for data protection and compliance. The latter group may include information analysts and data processing staff.  In essence this includes anyone who is responsible for the processing or handling of patient data and, therefore, may be required to apply the national data opt-out policy. 

This document may also be of interest to researchers, members of the public or healthcare professionals who have a particular interest in this subject although other more suitable materials are available on the national data opt-out pages.

This document is not intended to support members of the public in setting national data opt-outs or health and adult social care professionals in providing guidance or signposting to the public.  Other resources for this purpose are provided on the:

• national data opt-out service webpages - information to support the public to make an informed decision and to set a national data opt-out
• national data opt-out webpages – factsheets, guidance and resources for health and care professionals.

This document provides practical operational guidance based on the national data opt-out policy as set by the Department of Health and Social Care (DHSC).  NHS Digital is directed to produce and maintain this guidance.

This document is a comprehensive articulation of the policy rules relevant to considering and applying national data opt-outs.

This document does not provide detailed guidance relating to the interpretation of some of the underpinning concepts relied upon within this document, for example what is individual care or what is deemed to be anonymised data in line with the ICO Code of Practice.  However, it does signpost to existing guidance as appropriate. 

This guidance is reviewed regularly in order to ensure that it remains up to date as the national data opt-out is implemented across the health and care system.  It is a controlled document and users should always refer back to the version published online to ensure that they are using the most up to date version.

A full list of abbreviations is provided in Appendix 1: Abbreviations. Appendix 2: Definitions defines some of the key terms which are used in this document. For consistency and to aid understanding the following terminology is used throughout this document with the specific meaning as set out below:

• “individual care” this is often referred to as ‘direct care’ where legally the sharing of data is based on implied consent, i.e. where the patient knows or would reasonably expect their data to be shared for their care and treatment.  The definition of individual care is set out in Appendix 2: Definitions. For completeness the definition of indirect care is also included here.
•  “purposes beyond individual care” is used to refer to all other uses of data outside an individual’s care and treatment.  This is sometimes also referred to as “secondary uses”, “indirect care" or “other purposes”. 
•  “data disclosure” this is the term used to describe sharing of data in relation to the common law duty of confidentiality and is used to indicate the point at which the national data opt-out must be applied.
• “apply” and “applying” is used to describe the process whereby organisations respect national data opt-outs in any data disclosures, this may sometimes be referred to as “upholding”.
• “compliance” is used to refer to an organisation having assessed its data flows to determine whether they fall within the scope of national data opt-out policy (as defined by this document), and applying the national data opt-outs as necessary to any flows that are within scope.  An organisation may be in compliance even if it is not applying the national data opt-out where it does not have any data disclosures that need the opt-out to be applied.  For example where it is processing data for individual care only.
• “Common law duty of confidentiality” (CLDC) is used to refer to the common law regarding information that is subject to a duty of confidence. This is sometimes termed the “common law duty of confidence”.
• “patient” is used to refer to people in the context of an opt-out being applied to any “data disclosure”. In some parts of the health and care system the term “client” or “service user” may be equivalent.
• “data protection legislation” is used in this document as an umbrella term to cover the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR), and any regulations which relate to the DPA or GDPR.