The national data opt-out applies to data that originates within the health and adult social care system in England. The following organisations are considered to be part of the health and adult social care system in England and must consider whether they are required to apply the national data opt-out:
- Department of Health and Social Care and other national bodies e.g. NHS England
- NHS and Local Authorities providing health and adult social care services in England; and
- other organisations or persons who provide health or adult social care services in England under arrangements agreed with any organisation covered in the above 2 bullet points
This definition is aligned to the Health and Social Care Act Section 250 which defines the organisations required to have regard to published information standards. Such organisations need to assess whether any of their data disclosures require the opt-out to be applied – some organisations may not have any data uses that are in scope.
4.1.1 Specific inclusions
For the avoidance of doubt confidential patient information generated or processed in the following organisations and services must consider national data opt-outs when processing data for purposes beyond individual care in line with the wider policy:
- health service providers including NHS foundation trusts and trusts, mental health and community trusts, ambulance trusts, primary care providers including GPs, dentists, ophthalmic services and pharmacists
- private providers including Any Qualified Providers (AQPs) who provide health and adult social care services which are funded or under contract with a public body, for example NHS England, CCG or local authority)
- Defence Medical Services (DMS)
- Healthcare services provided across the secure and detained estate (e.g. prison healthcare)
- public health including local authority public health functions and public health providers, for example school nursing
- adult social care services including care that is arranged or provided by local authorities and adult social care providers (i.e. where this is regulated by the Care Quality Commission (CQC)) (see below for Children’s Social Care)
- any organisation acting under a contract to a health and social care organisation, for example the Healthcare Quality Improvement Partnership (HQIP) delivering surveys under contract to NHS England, and
- any other organisation whichhandles and discloses health and adult social care information as a data controller including commissioners, for example Clinical Commissioning Groups (CCGs) or national bodies, for example Department of Health and Social Care, NHS Digital, NHS England, Public Health England (PHE), Health Education England, National Institute for Health and Care Excellence, Medicines and Healthcare Products Regulatory Agency, Care Quality Commission (CQC), NHS Improvement, , NHS Business Services Authority (NHS BSA), NHS Shared Business Services (NHS SBS), NHS Resolution, NHS Blood and Transplant, Human Fertilisation and Embryology Authority, Human Tissue Authority, Health Research Authority, NHS Counter Fraud Authority and Healthcare Safety Investigation Branch.
4.1.2: Specific exclusions
The following organisations and services are not part of the health and adult social care system in England. National data opt-outs, therefore, do not apply to information relating to individuals originating within the following organisations:
- providers of health, public health or adult social care services outside of England
- providers of Children’s services (including children’s social care, education services and schools) which are regulated by Ofsted or otherwise within the policy responsibility of Department for Education (DfE) (N.B. child health services provided through organisations regulated by CQC do remain in scope)
- ‘health’ related data which originates and is shared by organisations completely outside of the health and adult social care system in England e.g.
- assessments for disability or other benefits purposes carried out independently of the health and adult social care system (typically by the Department for Work and Pensions - DWP)
- coroners’ reports (coroners fall under the remit of Home Office)
- health assessment carried out by the Courts/legal service
- Her Majesty’s Revenue & Customs
- health assessments undertaken privately for pension providers or insurance companies (these are also undertaken with consent from the individual)
- universities, and
- Office for National Statistics (ONS) / General Registrar’s Office (GRO)
- occupational health assessments
The national data opt-out does not apply to organisations that do not generate health and adult social care data but do have data lawfully disclosed to them for individual care purposes only (for example, charities which provide day care services for patients).
Research organisations such as universities may receive confidential patient information and the health and adult social care organisation releasing the data may be required to apply national data opt-outs depending on the legal basis for the data disclosure is Section 251 support. However, the national data opt-out will not apply to any health-related data that is generated solely within such organisations for research purposes e.g. tests undertaken by research staff as part of a clinical trial.
These research organisations would not usually be required to apply national data opt-outs to any data disclosure. However, a possible exception where they may be required to do so would be via a condition within a Data Sharing Agreement (DSA), for example if health and adult social care information may be onwardly disclosed using section 251 support.
National data opt-outs may apply to data originating from such organisations when the data disclosure is by data controllers within the health and adult social care system in England. For example where tests undertaken privately are then added to a patient’s GP record.
