Once the lawful basis for the processing has been established, the application of the national data opt-out can be determined based on the authorisation for complying with the common law duty of confidentiality (CLDC).
The table below summarises the commonly used bases and sets out when the opt-out applies. Options include the use of the legal gateways set out in the Control of Patient Information Regulations 2002 (made under Section 251 of the NHS Act 2006) which allow confidential patient information to be used without patient consent:
| Legal basis in common law | Opt-out applies | Comments |
| --- | --- | --- |
| Common Law Consent (Implied) | No – out of scope for the national data opt-out | For common law purposes the sharing of information for direct or individual care purposes is on the basis of implied consent. This is out of scope for the national data opt-out, which only applies to purposes beyond individual care. N.B. This is included in this table for completeness and to emphasise that implied consent can only be used when the surrounding circumstances mean that a patient knows, or would reasonably expect, that their data will be shared. In other words there should be ‘no surprises’ for the individual about who has had access to information about them where implied consent is relied upon. An individual will still be able to ask their doctor or other healthcare professional not to share a particular piece of information with others involved in providing their care and should be asked for their explicit consent before access to their whole record is given. |
| Common Law Consent (Explicit) | No | In this case an individual has given their consent for a specific use of their data, for example consenting to participate in a research study. This would fall within the general exemption from the national data opt-out (see 2.5 below). This rule applies even if the consent was given before the patient had set a national data opt-out. |
| Mandatory legal requirement | No | Where there is a legal requirement for the data disclosure that specifically sets aside the common law duty of confidentiality then the national data opt-out will not apply. |
| Section 251 Regulation 2 – for diagnosis and treatment of cancer; Regulation 5 – for the medical purposes set out in the schedule to the regulations | Yes – in general but there are some specific exemptions | Data disclosure has Section 251 support obtained under regulation 2 or 5. This applies unless the Confidentiality Advisory Group (CAG) have advised: that the national data opt-out is overridden in the public interest (NB: This would be in exceptional circumstances only); or a different opt-out can apply and the section 251 decision-maker (Secretary of State for Health and Social Care or Health Research Authority) has agreed to this. For example data disclosures to Public Health England (PHE) for the National Cancer Register or the National Congenital Anomaly and Rare Diseases Register. NB: Where reference is made to Section 251 (S.251) support in the rest of this document it specifically applies to regulation 2 or 5 unless explicitly stated otherwise. Please see Policy considerations for specific organisations or purposes for specific cases where this may not apply. |
| Section 251 Regulation 3 – for communicable diseases and other risks to public health | No | Data disclosure under Regulation 3 of the Control of Patient Information Regulations 2002 is exempt from the national data opt-out. |
Hence, determining whether national data opt-outs apply requires the following to be clearly established:
- purpose - it is for a purpose beyond individual care and
- the basis for the disclosure in common law
The national data opt-out applies where S.251 support is relied upon, unless there is a specific exemption in place.
Further guidance on lawful processing under GDPR has been published by the Information Commissioner's Office and should be read in conjunction with this operational policy guidance. Further information on patient confidentiality is available in Confidentiality: NHS Code of Practice published by DHSC and the Code of practice on confidential information published by NHS Digital.
The national data opt-out does not apply where a patient has given their explicit consent to a specific use of their data.
The use of consent for specific purposes is supported by the following excerpt from the NDG review:
“People should continue to be able to give their explicit consent separately if they wish, e.g. to be involved in research, as they do now. They should be able to do so regardless of whether they have opted out of their data being used for purposes beyond direct care. This should apply to patients’ decisions made both before and after the implementation of the new opt-out model”.
As the NDG specified, there is no dependency on the timing of when a person gave their consent for a specific disclosure of their data. A person may give consent for a specific purpose either before or after setting a national data opt-out, and this consent will constitute an exemption from the national data opt-out for that specific purpose.