4. Which organisations does the opt-out apply to?

The national data opt-out applies to data that originates within the health and adult social care system in England. The following organisations are considered to be part of the health and adult social care system in England and must consider whether they are required to apply the national data opt-out:

• Department of Health and Social Care and other national bodies e.g. NHS England
• NHS and Local Authorities providing health and adult social care services in England; and
• other organisations or persons who provide health or adult social care services in England under arrangements agreed with any organisation covered in the above 2 bullet points

This definition is aligned to the Health and Social Care Act Section 250 which defines the organisations required to have regard to published information standards. Such organisations need to assess whether any of their data disclosures require the opt-out to be applied – some organisations may not have any data uses that are in scope.

4.1.1 Specific inclusions

For the avoidance of doubt confidential patient information generated or processed in the following organisations and services must consider national data opt-outs when processing data for purposes beyond individual care in line with the wider policy:

• health service providers including NHS foundation trusts and trusts, mental health and community trusts, ambulance trusts, primary care providers including GPs, dentists, ophthalmic services and pharmacists
• private providers including Any Qualified Providers (AQPs) who provide health and adult social care services which are funded or under contract with a public body, for example NHS England, CCG or local authority)
• Defence Medical Services (DMS)
• Healthcare services provided across the secure and detained estate (e.g. prison healthcare)
• public health including local authority public health functions and public health providers, for example school nursing
• adult social care services including care that is arranged or provided by local authorities and adult social care providers (i.e. where this is regulated by the Care Quality Commission (CQC)) (see below for Children’s Social Care)
• any organisation acting under a contract to a health and social care organisation, for example the Healthcare Quality Improvement Partnership (HQIP) delivering surveys under contract to NHS England, and
• any other organisation whichhandles and discloses health and adult social care information as a data controller including commissioners, for example Clinical Commissioning Groups (CCGs) or national bodies, for example Department of Health and Social Care, NHS Digital, NHS England, Public Health England (PHE), Health Education England, National Institute for Health and Care Excellence, Medicines and Healthcare Products Regulatory Agency, Care Quality Commission (CQC), NHS Improvement, , NHS Business Services Authority (NHS BSA), NHS Shared Business Services (NHS SBS), NHS Resolution, NHS Blood and Transplant, Human Fertilisation and Embryology Authority, Human Tissue Authority, Health Research Authority, NHS Counter Fraud Authority and Healthcare Safety Investigation Branch.

4.1.2: Specific exclusions

The following organisations and services are not part of the health and adult social care system in England.  National data opt-outs, therefore, do not apply to information relating to individuals originating within the following organisations:

• providers of health, public health or adult social care services outside of England
• providers of Children’s services (including children’s social care, education services and schools) which are regulated by Ofsted or otherwise within the policy responsibility of Department for Education (DfE) (N.B. child health services provided through organisations regulated by CQC do remain in scope)
• ‘health’ related data which originates and is shared by organisations completely outside of the health and adult social care system in England e.g.
  • assessments for disability or other benefits purposes carried out independently of the health and adult social care system (typically by the Department for Work and Pensions - DWP)
  • coroners’ reports (coroners fall under the remit of Home Office)
  • health assessment carried out by the Courts/legal service
  • Her Majesty’s Revenue & Customs
  • health assessments undertaken privately for pension providers or insurance companies (these are also undertaken with consent from the individual)
  • universities, and
  • Office for National Statistics (ONS) / General Registrar’s Office (GRO)
  • occupational health assessments

The national data opt-out does not apply to organisations that do not generate health and adult social care data but do have data lawfully disclosed to them for individual care purposes only (for example, charities which provide day care services for patients).

Research organisations such as universities may receive confidential patient information and the health and adult social care organisation releasing the data may be required to apply national data opt-outs depending on the legal basis for the data disclosure is Section 251 support. However, the national data opt-out will not apply to any health-related data that is generated solely within such organisations for research purposes e.g. tests undertaken by research staff as part of a clinical trial.

These research organisations would not usually be required to apply national data opt-outs to any data disclosure. However, a possible exception where they may be required to do so would be via a condition within a Data Sharing Agreement (DSA), for example if health and adult social care information may be onwardly disclosed using section 251 support.

National data opt-outs may apply to data originating from such organisations when the data disclosure is by data controllers within the health and adult social care system in England.  For example where tests undertaken privately are then added to a patient’s GP record.

The national data opt-out applies to data relating to publicly funded or arranged care only (for example, a local authority may still arrange a patient’s care even though it is provided by a private provider and the patient is fully or partially funding the care themselves). By extension, the national data opt-out does not apply to data related to private patients at private providers or to patients at a charitable provider unless (as previously noted) the care is being funded or has been arranged by a public body such as a local authority. This is summarised as:

In scope

• all NHS organisations (including private patients treated within such organisations)
• adult social care which is funded or arranged by a public body (typically a local authority)
• NHS arranged care within private providers (e.g. Nuffield, BMI Healthcare)
• any release of data by NHS Digital which relates to private patients including that which is collected by a request under S259 of the Health and Social Care Act 2012 (HSCA)

Out of scope

• privately (non-NHS) funded patients within private providers unless the care is funded or arranged by a public body
• care which is not provided or arranged by a public body, that is privately arranged/privately funded care

It is of note that in adult social care, providers typically have a range of patients receiving both publicly funded and arranged care and privately funded and arranged care in the same care setting (typically a care home). The funding arrangements for individual patients may also change several times over short time periods. Providers who fit such a model may choose to voluntarily extend the national data opt-out to cover all their patients in order to make implementation within their setting more straightforward.  This voluntary extension of the model would need to be made clear to their patients via privacy notices and other information provided.

Data controllers, whether solely or jointly with another organisation, are responsible for ensuring that national data opt-outs are applied in line with this policy.

In some cases this will require data controllers to instruct any organisations acting as a data processors under their instruction to apply the national data opt-out.

In line with wider legal requirements data processors must comply with instructions from the data controller in relation to the national data opt-out.

Data controllers must apply national data opt-outs whenever confidential patient information is to be disclosed outside of their data controllership boundary in line with the wider policy (see figure 1 below) and is relying on section 251 support. Data controllers may also need to apply national data opt-outs for internal uses of the data where the purpose changes from individual care and the disclosure is relying on S.251 support to be lawful.

Further information on the responsibilities of data controllers is provided by the IGA.

Figure 1: Application of national data opt-outs within both data controller and organisational boundaries