2: What are national data opt-outs?

Background to the national data opt-out policy.

The National Data Guardian’s Review of Data Security, Consent and Opt-Outs (NDG Review) proposed that:

The NDG’s review carefully considered the scope of the model including its limitation to purposes beyond individual care only and for it to be an opt-out rather than consent model:

The review also acknowledged that:

The national data opt-out provides a single central mechanism which gives effect to this right.

The Government undertook a public consultation before publishing its response to the NDG review which accepted all the recommendations made by the National Data Guardian.

The national data opt-out is a policy opt-out that must be considered and applied alongside existing data protection legislation, other laws and best practice. These include data protection legislation and the Common Law Duty of Confidentiality (CLDC), Human Rights Act 1998, and all relevant Codes of Practice such as the DHSC and NHS Digital codes of confidentiality and best practice guidance, for example the seven Caldicott principles.

Data protection legislation (DPA 2018 and GDPR) requires data controllers to ensure that all processing of personal data is in line with the principles including being fair, lawful and transparent. This includes ensuring compliance with the CLDC.

To remain lawful data controllers must ensure:

• an Article 6 condition is satisfied (for personal data); and
• an Article 9 condition is satisfied (as health data is a special category of data)
• and compliance with the common law requirements (CLDC), for example there is consent or some other statutory authorisation for the data use such as S.251 of the NHS Act 2006

These underpinning legal requirements are required now, remain in place and the introduction of the opt-out does not alter or amend this. This policy is based on the assumption that organisations already have effective processes and procedures in place to ensure that their data processing is lawful and appropriate. 

Data controllers need to be clear first on the purpose for the disclosure - is it:

• for individual care – in which case the opt-out does not apply OR
• another purpose beyond individual care and the opt-out may apply. This will depend upon how the common law requirement on confidentiality (CLDC) is being satisfied

A lawful basis is needed for data protection legislation including the CLDC.  Data protection legislation requires the lawful basis for any processing to be communicated clearly to individuals through appropriate channels and materials in line with the duty of transparency.

Once the lawful basis for the processing has been established then the application of the national data opt-out can be determined based on the authorisation for complying with the CLDC. 

The table below summarises the commonly used bases and sets out when the opt-out applies.  Options include the use of the legal gateways set out in the Control of Patient Information Regulations 2002 (made under Section 251 of the NHS Act 2006) which allow confidential patient information to be used without patient consent:

Hence when determining if national data opt-outs will apply this requires the following to be clearly established:

• purpose - it is for a purpose beyond individual care and
• the basis for the disclosure in common law

The national data opt-out applies where S.251 support is relied upon, unless there is a specific exemption in place.

Further guidance on lawful processing under GDPR has been published by the Information Commissioner's Office and should be read in conjunction with this operational policy guidance.  Further information on patient confidentiality is available in Confidentiality: NHS Code of Practice published by DHSC and the Code of practice on confidential information published by NHS Digital.

The national data opt-out does not apply where a patient has given their explicit consent to a specific use of their data.

The use of consent for specific purposes is supported by the following excerpt from the NDG review:

“People should continue to be able to give their explicit consent separately if they wish, e.g. to be involved in research, as they do now. They should be able to do so regardless of whether they have opted out of their data being used for purposes beyond direct care. This should apply to patients’ decisions made both before and after the implementation of the new opt-out model”.

As the NDG specified there is no dependency on the timing of when a person gave their consent for a specific disclosure of their data. A person may give consent for a specific purpose either before or after setting a national data opt-out and this consent will constitute an exemption from the national data opt-out for that specific purpose.

The data covered by the national data opt-out.

CPI is defined in sections 251 (10) and (11) of the National Health Service Act 2006. Broadly it is information that meets all of the following 3 requirements: 

1. identifiable or likely identifiable (for example from other data likely to be in the possession of the data recipient); and
2. given in circumstances where the individual is owed an obligation of confidence; and
3. conveys some information about the physical or mental health or condition of an individual, a diagnosis of their condition; and/or their care or treatment.

It should be noted that Section 251 (also known as S.251) has been updated to ensure that the definitions used expressly include local authority social care (i.e. care provided for, or arranged by, a local authority).  The term confidential patient information (CPI) also covers data which falls within the “special categories of personal data” under article 9 GDPR and indeed goes beyond this as it also covers information about the deceased as the GDPR only applies to living individuals. Further information on assessing what is CPI for the purposes of applying the national data opt-out is provided in Appendix 6: Confidential Patient Information (CPI) definition.

The national data opt-out does not apply to information that is anonymised in line with the Information Commissioner’s Office (ICO) Code of Practice (CoP) on Anonymisation or is aggregate or count type data.  It should be noted that the ICO Code of Practice covers a range of anonymised data including aggregate data for publication to the world at large through to de-identified data for limited access.  De-identified data for limited access requires a suite of additional organisational and technical control measures to ensure that the risk of re-identification is remote, for example access controls, purpose limitation, staff confidentiality agreements, contractual controls etc.

For clarity the national data opt-out does not apply to workforce or staff data.  NB: Staff data may be removed as a result of the opt-out being applied but only where it is relevant to a patient’s care (for example, a consultant’s name may be linked to an episode of care).  Staff data, and any other personal data which is not confidential patient information, would still be subject to data protection legislation and the rights provided under this, including article 21 (right to object) in GDPR, but sits outside of the scope of the national data opt-out. Information provided by occupational health services would be considered to be relevant to an individual’s care and potentially in scope of the national data opt-out.

The national data opt-out is defined based on purpose and applies to any disclosure of data for purposes beyond individual care.  More specifically:

• the national data opt-out would always need to be considered to be applied (in line with this policy) at the organisational or data controller boundary
• the national data opt-out may also need to be considered to be applied internally at the point of change of purpose – specifically where S.251 support is relied upon as the legal basis for allowing the disclosure of confidential patient information

Purposes beyond individual care are defined as anything that does not meet the definition of individual care (see Appendix 2: Definitions).  It would include purposes such as planning for the provision of local services, managing and running NHS and adult social care services, commissioning, invoice validation, national clinical audits and research.  For completeness the definition of indirect care is also included in the appendix which will assist organisations in making the decision about whether a particular use falls outside of the definition of individual care.

The NDG review made it clear that there are some elements of individual care which rely on the processing of data nationally, for example the electronic transfer of prescriptions, screening, immunisation programmes and the Summary Care Record. “The Review heard no evidence to suggest that there should be a change to effective local or national arrangements for sharing information.” These purposes are considered to be for individual care and are not subject to the national data opt-out.

The national data opt-out relates to information about an individual’s health and adult social care provided in England.

It does not apply to information about an individual’s health or care which is generated or processed outside of England including in home countries of the UK, that is Wales, Scotland, Northern Ireland, or the Isle of Man or Channel Islands.

Opt-outs offered in other home countries and crown dependencies for example in Scotland (the Spire Opt-out), do not apply in England – but they may be applied prior to receipt of any data in England.  (Opt-outs implemented within other countries, such as the Spire Opt-out in Scotland, are for a specific purpose and applicable only within the laws and regulations of that country and therefore must not be inferred as being the equivalent of a national data opt-out within England.)

National data opt-outs continue to apply until the individual proactively changes their opt-out preference, including where the individual subsequently moves away from England. For example an individual moving from England to Wales who has a national data opt-out but does not remove it when they move – their opt-out remains in place and is applied in line with this policy.

The policy for applying national data opt-outs to data flows outside of England are outlined in Cross border data flows.

Prior to the launch of the national data opt-out individuals could set two types of general opt-outs, via their GP practice:

• a type 1 opt-out prevents information that identifies individuals being shared outside of their GP practice, for secondary uses.  
• a type 2 opt-out prevented confidential patient information from being shared outside of NHS Digital for purposes beyond individual care.

Type 1 opt-outs continue to be honoured until September 2020 at the earliest when the Department of Health and Social Care (DHSC) will consult with the NDG before confirming their removal.

Type 2 opt-outs have been replaced by the national data opt-out and are no longer valid.  All type 2 opt-outs recorded in GP practices up to and including 11 October 2018 have been migrated to become national data opt-outs.  NHS Digital has written to inform people who previously registered a type 2 opt-out of this change.  More information on the conversion of type 2 opt-outs can be found on the NHS Digital website.

Other national and local opt-outs for specific purposes (for example summary care record opt-out) remain in place and should continue to be applied, when appropriate, alongside the national data opt-out.

There are specific arrangements for the opt-outs that apply to data flows to Public Health England (PHE) for the two national disease registries and screening programmes that they operate.  These are set out in Flows to Public Health England National Disease Registers and Population screening programmes. Other specific arrangements are in place for Assuring Transformation and for National patient experience surveys.

NHS Digital and a number of other organisations are applying the national data opt-out to any in scope data releases and are compliant with this policy.  All relevant organisations are required to be compliant with the national data opt-out by March 2020.

A national data opt-out continues to be maintained and applied for an individual after they have died. Health and adult social care organisations are expected to continue to apply opt-outs for deceased patients and their opt-out will continue to be held on the Spine repository.