Understanding the national data opt-out

Overview of the national data opt-out policy, to help you understand how opt-outs work and which data uses or disclosures are in scope.

For a detailed view of the national data opt-out policy see the National data-opt-out operational policy guidance document.

Setting or changing an opt-out choice

The national data opt-out allows a patient to choose if they do not want their confidential patient information to be used for purposes beyond their individual care and treatment - for research and planning. Patients, or people acting for them by proxy, have control over setting or changing their own opt-out choice, and can change their mind at any time. In most cases health and care staff won't be involved - but it's helpful to understand how the process works so you can tell patients where to find out more about their choices.

Read more about how patients can opt out, including special arrangements for people in secure settings.

Find a range of resources you can use to inform patients about their opt-out choice.

How opt-outs are recorded

When a patient sets an opt-out choice, it is recorded against their NHS number on the Spine. It will remain unless the patient changes their mind, even after they have died.

Read more about how NHS Digital records and manages opt-out choices.

Who must comply with the policy

When a patient has set a national data opt-out, organisations covered by the opt-out policy must make sure the patient's opt-out choice is respected. 

The national data opt-out covers confidential patient information collected about care in England. This includes:

  • publicly-funded, commissioned or coordinated health and adult social care
  • private care given in NHS settings

All organisations providing or coordinating publicly-funded health or adult social care in England will need to comply with the opt-out, even if the organisation’s headquarters are outside England. This includes private, voluntary sector and independent organisations and adult social care. Children's social care services are not within scope of the policy.

Read more about which health and care settings and types of care are included.

Understand if the data you use or disclose is in scope

You must have a legal basis for using or disclosing data. This is unchanged by the national data opt-out. Any use or disclosure of confidential patient information for research and planning must be for the purpose of improving or benefitting health and care. Information must never be disclosed for marketing or insurance purposes without explicit consent.

Which data disclosures do national data opt-outs apply to?

National data opt-outs apply to a disclosure when an organisation, for example a research body, confirms they have approval from the Confidentiality Advisory Group (CAG) for the disclosure of confidential patient information held by another organisation responsible for the data (the data controller) such as an NHS Trust.

 

The CAG approval is also known as a section 251 approval and refers to section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002. The NHS Act 2006 and the Regulations enable the common law duty of confidentiality to be temporarily lifted so that confidential patient information can be disclosed without the data controller being in breach of the common law duty of confidentiality.

 

In practice, this means that the organisation responsible for the information (the data controller) can, if they wish, disclose the information to the data applicant, for example a research body, without being in breach of the common law duty of confidentiality. To be clear - it is only in these cases where opt-outs apply.

 

Read more information about CAG and the section 251 approvals process on the Health Research Authority (HRA) website.

If the national data opt-out policy applies to your organisation, you need to become compliant, by following our compliance implementation guide. The guidance below helps you with step 1, assessing your current and ongoing data disclosures to work out whether they are within scope of the national data opt-out policy. (The national data opt-out does not apply retrospectively so, for instance, data disclosed before the patient set an opt-out should not be recalled to have the national data opt-out applied.)

1. Is the use or disclosure for individual care or research and planning?

The national data opt-out policy does not apply where information is being used or shared for an individual patient's care. It only applies to use or disclosure of data for purposes beyond individual care such as research and planning.

Find out more about individual care and research and planning purposes.

2. Is the use or disclosure confidential patient information?

Data is recorded whenever a patient has contact or interaction with the health and care system. The opt-out only applies to confidential patient information (CPI) - data that includes both:

  • information that identifies or could be used to identify the patient
  • information about their health, care or treatment

The national data opt-out does not apply to information that is anonymised in line with the Information Commissioner’s Office (ICO) Code of Practice (CoP) on Anonymisation or is aggregate or count type data. 

Read more about confidential patient information and anonymised data.

If the use or disclosure is CPI, you need to determine how the common law duty of confidentiality is being met.

3. Do you have explicit consent for the use or disclosure?

If a patient has agreed to a specific use of data, after being fully informed, then the national data opt-out does not apply. Even patients who have registered a national data opt-out can agree to take part in a specific research project or clinical trial, by giving their explicit consent.

See 6.1: Consent and 7.4: Consent for consent in the operational policy guidance document for more details on consent and finding participants for research projects.

4. Is the disclosure for the purpose of monitoring and control of communicable disease or other risks to public health?

The national data opt-out does not apply to disclosure of confidential patient information if it is being used to protect public health, for example to:

  • diagnose communicable diseases
  • control or prevent their spread
  • deliver and monitor vaccination programmes
  • manage risks of infection from food or water supplies or the environment

Read a full explanation of the lawful basis of such disclosures in 6.2: Communicable diseases and risks to public health in the operational policy guidance document.

5. Is the information being disclosed because of a legal requirement?

When there is a legal requirement to disclose information that sets aside the common law duty of confidentiality, the national data opt-out policy does not apply.

Find out more about legally mandated data disclosures.

6. Is the use or disclosure in the overriding public interest?

There are a small number of exceptional circumstances where clinicians, Caldicott Guardians and managers can decide to share information based on public interest, and in these cases the national data opt-out does not apply. These kinds of decisions about disclosures are made on a case-by-case basis and carefully consider the circumstances involved.

Data controllers should have their own arrangements in place to apply the public interest test where necessary.

See 6.3 Overriding public interest in the operational policy guidance document.

7. Is Section 251 approval being relied upon as the legal basis for the use or disclosure?

The Confidentiality Advisory Group (CAG) considers applications for the use of confidential patient information without consent under the following regulations of the Control of Patient Information Regulations 2002, Section 251 of the NHS Act 2006:

  • Regulation 2 – for diagnosis and treatment of cancer
  • Regulation 5 – for general medical and research purposes

Both regulations are also subject to regulation 7, which sets out that the data must not be processed further than for the permitted purpose.

If the data use or disclosure has Section 251 support obtained under regulation 2 or 5, it is in scope of the policy, and national data opt-outs must be applied before the disclosure takes place.

This applies unless CAG have determined, in limited and exceptional circumstances, that the standard condition to support opt-outs has been waived, or that another specific opt-out will apply to the approval.

See 2.4: Legal framework and lawful basis in the national data opt-out policy guidance document for more information on the legal bases for data sharing.

Read more about the laws covering the use of patient data and protections in place.

8. Has the use or disclosure been granted a specific exemption?

Specific exemptions to the national data opt-out policy have been made for disclosure of data for:

Some of these collections are covered by their own specific opt-out mechanisms. Click each one for more details of exceptions, within the operational policy guidance document.

9. Is the disclosure to NHS Digital?

There are also specific policy considerations for NHS Digital, as the national safe haven of health and care data with specific powers under the Health and Social Care Act 2012. National data opt-outs do not apply where NHS Digital indicate data should be provided to them under s259 of the Health and Social Care Act 2012.

10. Is the use or disclosure to support payment and invoice validation?

Anonymised data should normally be used when sharing data to support contracted activity, making it outside the scope of the national data opt-out policy. The national data opt-out does not apply to disclosure of confidential patient information for invoice validation for contracted and non-contracted activities to Controlled Environments for Finance (CEfFs). All data disclosures to CEfFs are supported by a section 251 approval and have been granted an exemption from national data opt-outs by the Confidentiality Advisory Group.

See 7.1: Payments and invoice validation in the national data opt-out policy guidance for more detailed information.

Declaring compliance

If you have worked out that the national data opt-out policy applies to your change of use or disclosure of data, you need to apply national data opt-outs by removing the records of anyone who has an opt-out registered before you use or disclose the information. 

Where a patient has a national data opt-out in place alongside any other form of opt-out(s) the other opt-out(s) must still be applied in accordance with the policy for each specific opt-out.

See 8: Applying the national data opt-out in the national data opt-out operational policy guidance for more information.

Even if you have no current uses or disclosures that fall into scope, in order to declare compliance you still need to amend your procedures to consider the national data opt-out policy for future uses and disclosures.

Follow our compliance implementation guide to find out how to set up the Check for national data opt-outs service, and to achieve and declare compliance.

The National Data Opt-Out - full policy

Refer to the National data-opt-out operational policy guidance document for complete policy guidance.

Last edited: 31 October 2019 3:07 pm