
Part of National data opt-out operational policy guidance document

6. When does a national data opt-out not apply?

The following are exemptions from the national data opt-out.


6.2: Communicable diseases and risks to public health

The national data opt-out does not apply to the disclosure of confidential patient information required for the monitoring and control of communicable disease and other risks to public health.

This includes any data disclosed where Regulation 3 of The Health Service (Control of Patient Information) Regulations 2002 provides the lawful basis for the common law duty of confidentiality to be lifted.  Public Health England oversees the use of this legal gateway on behalf of the Secretary of State for Health and Social Care.

Regulation 3 allows confidential patient information to be lawfully processed with a view to:

  • diagnosing communicable diseases and other risks to public health
  • recognising trends in such diseases and risks
  • controlling and preventing the spread of such diseases and risks
  • monitoring and managing:
    • outbreaks of communicable disease
    • incidents of exposure to communicable disease
    • the delivery, efficacy and safety of immunisation programmes
    • adverse reactions to vaccines and medicines
    • risks of infection acquired from food or the environment (including water supplies)
    • the giving of information to persons about the diagnosis of communicable disease and risks of acquiring such disease.

6.3: Overriding public interest

The national data opt-out does not apply to the disclosure of confidential patient information where there is an overriding public interest in the disclosure, i.e. the public interest in disclosing the data overrides the public interest in maintaining confidentiality.

This should be as a result of a positive public interest test having regard to the circumstances of the case.  Data controllers are expected to have their own arrangements in place to apply the public interest test as and when necessary.

Examples of disclosures which may be made in the public interest include:

  • reporting of gun and knife wounds in line with GMC guidance, and
  • patients' fitness to drive and reporting concerns to the DVLA or DVA in line with GMC guidance

Further information and guidance about public interest is available on the Information Governance Alliance (IGA) website.

6.4: Information required by law or court order

The national data opt-out does not apply to the disclosure of confidential patient information where the information is required by law or a court order.

Examples of disclosures required by law are summarised below.

  • the Care Quality Commission, which has powers of inspection and entry to require documents, information and records – a code of practice sets out how the CQC can use these powers (Health and Social Care Act 2008);
  • NHS Digital when using its section 259 powers to collect information when directed by the Secretary of State or NHS England (Health and Social Care Act 2012);
  • the NHS Counter Fraud Service, which has powers to prevent, detect and prosecute fraud in the NHS (National Health Service Act 2006);
  • investigations by regulators of professionals (e.g. Health and Care Professions Council, General Medical Council, or Nursing and Midwifery Council investigating a registered professional’s fitness to practise) (e.g. under the Medical Act 1983);
  • coroners’ investigations into the circumstances of a death, that is if the death occurred in a violent manner or in custody (Coroners and Justice Act 2009);
  • health professionals must report notifiable diseases, including food poisoning (The Public Health (Control of Disease) Act 1984 and the Health Protection (Notification) Regulations 2010);
  • the Chief Medical Officer must be notified of termination of pregnancy, giving a reference number, date of the birth and postcode of the woman concerned (Abortion Regulations 1991);
  • employers must report deaths, major injuries and accidents to the Health and Safety Executive (Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013);
  • information must be provided to the police when requested to help identify a driver alleged to have committed a traffic offence (The Road Traffic Act 1988);
  • information must be provided to the police to help prevent an act of terrorism or prosecute a terrorist (The Terrorism Act 2000 and Terrorism Prevention and Investigation Measures Act 2011);
  • information must be shared for child or vulnerable adult safeguarding purposes (e.g. s.47 Children Act 1989);
  • health professionals must report known cases of female genital mutilation to police (Female Genital Mutilation Act 2003);
  • a judge or presiding officer of a civil or criminal court can require disclosure of confidential patient information through a court order;
  • information required to be reported to HFEA for inclusion on the register of assisted reproduction and fertility treatments (Human Fertilisation and Embryology Act 1990);
  • some disclosures of information to ONS (please see Data flows to ONS for official statistics for further information on the impact of the national data opt-out on such disclosures);
  • disclosure of information relating to transplant approvals and serious and adverse reactions notifications (Human Tissue Act 2004);
  • responsible bodies including health boards, trusts and regulatory bodies are required to co-operate on the handling of, and acting on, shared information relating to the management and use of controlled drugs (The Controlled Drugs (Supervision of Management and Use) Regulations 2013).

This is not an exhaustive list, so information governance and/or legal advice should be sought where necessary.  Further details are available in Appendix 5: Information required by law or court order.

It should be emphasised that any legal requirement must set aside the common law duty of confidentiality. It should be noted that the exercise of a statutory function does not necessarily constitute a legal requirement for the disclosure of confidential patient information – organisations should always give due regard to the common law duty of confidentiality.

Last edited: 14 December 2022 8:37 am