In line with the recommendations made by the National Data Guardian in her ‘Review of Data Security, Consent and Opt-outs’, the national data opt-out was introduced for the health and social care system on 25 May 2018. This to give patients and the public more control over how their confidential patient information is used for research and planning purposes.
The Government response to the review set out that all health and adult social care organisations in England must comply with the national data opt-out policy by March 2022.
What is the national data opt-out?
It is a service that enables the public to register to opt out of their confidential patient information being used for purposes beyond their individual care and treatment. The public can change their national data opt-out choice at any time.
Who needs to comply with national data opt-out policy?
The national data opt-out applies to data for patients where their care is provided in England by a publicly funded organisation or the care has been arranged by a public body such as the NHS or a Local Authority. It does not apply to data related to private patients at private providers.
In summary the national data opt-out applies to:
- all NHS organisations (including private patients treated within such organisations),
- all Local Authorities providing publicly funded care,
- adult social care providers where the care provided is funded or arranged by a public body, and
- private or charitable healthcare providers providing NHS funded treatment or arranged care.
Which data disclosures do national data opt-outs apply to?
National data opt-outs apply to a disclosure when an organisation, eg a research body, confirms they have approval from the Confidentiality Advisory Group (CAG) for the disclosure of confidential patient information held by another organisation responsible for the data (the data controller) such as an NHS Trust.
The CAG approval is also known as a section 251 approval and refers to section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002. The NHS Act 2006 and the Regulations enable the common law duty of confidentiality to be temporarily lifted so that confidential patient information can be disclosed without the data controller being in breach of the common law duty of confidentiality.
In practice, this means that the organisation responsible for the information (the data controller) can, if they wish, disclose the information to the data applicant, eg research body, without being in breach of the common law duty of confidentiality. To be clear it is only in these cases where opt-outs apply.
National data opt-outs do not apply where:
- information being disclosed is anonymised in accordance with the Information Commissioner’s Office’s anonymisation code of practice,
- the individual has given their consent for their information to be used for a particular purpose, eg a specific research study,
- there is an overriding public interest in the disclosure, ie the public interest in disclosing the data overrides the public interest in maintaining confidentiality, also referred to as the ‘public interest test’, and
- there is a legal requirement that sets aside the common law duty of confidentiality or the information is required by a court order.
In these scenarios above, section 251 approvals would not have been sought.
What will the Trust do?
The Trust will put processes in place to assess any current or future uses of confidential patient information prior to disclosure to consider and apply national data opt-outs where necessary in accordance with national data opt-out operational policy. These will be included in Trust policies and procedures and disseminated to staff. The Trust will also update its patient’s privacy notice with a national data opt-out compliance statement.
For more information about the wider use of confidential personal information and to register your choice to opt out visit www.nhs.uk/your-nhs-data-matters or call 0300 303 5678.