National Opt-Out Policy

Introduction

The national data opt-out applies to the disclosure of confidential patient information for purposes beyond individual care across the health and adult social care system in England. This document provides operational guidance to understand the application of the national data opt-out policy for practice purposes. A patient is able to set an opt-out via a number of channels that include online, digitally assisted and non-digital channels. Any patient with an NHS number is able to set a national data opt-out. The opt-out is stored in a central repository against their NHS number on the NHS Spine and is not set or visible at practice level. The national data opt-out will also continue after the patient’s death. Healthcare organisations are required to be compliant with the opt-out by March 2020 and declare their compliance on the Data Security and Protection (DSP) Toolkit. The opt-out applies regardless of how the data is stored, whether electronically or on paper.

 

What are National Data Opt-Outs?

The national data opt-out implements the opt-out process proposed by the National Data Guardian’s Review of Data Security, Consent and Opt-Outs. The above review proposed the following: “There should be a new consent/opt-out model to allow people to opt-out of their personal confidential data being used for purposes beyond their direct care”. The NDG’s review carefully considered the scope of the model including its limitation to purposes beyond individual care only and for it to be an opt-out rather than consent model: “3.2.2: The Review was persuaded that the best balance between meeting these expectations and providing a choice to those who have concerns is achieved by providing an opt-out model. The review concluded that people should be made aware of the use of their data and the benefits; an opt-out model allows data to be used whilst allowing those who have concerns to opt out”. The review also acknowledged that “Whilst patients have a right under the NHS Constitution to request that their personal confidential data is not used beyond their direct care, there is currently no easy way for them to do that”. The national data opt-out provides a single central mechanism which gives effect to this right.

Applying The National Data Opt-out

Health and care organisations are required to apply national data opt-outs in line with the NHS National Data Opt-Out Policy. NHS Digital has developed a technical service which enables health and adult social care organisations to check if their patients have a national data opt-out in order to enable them to comply with the opt-out. This service can be used in two ways:

  • Organisations can submit a list of NHS numbers that they need to disclose and the service looks these up against the central repository of national data opt-outs. It returns a “cleaned list” of those that do not have a national data opt-out, i.e. it removes the NHS numbers for those with a national data opt-out. This is most suitable for one-off and infrequent disclosures of data.
  • Organisations can submit the NHS numbers for all patients with whom they have a legitimate relationship and then store temporarily the list of patients who do not have an opt-out at the current time and whose data they may be able to disclose. There are a number of policy rules around the storage and use of this “temporary cache” of data which are set out below. This is most suitable for large scale and frequent disclosures of data.

More information on accessing the service, guidance and the timetable for the implementation of the national data opt-out through to March 2020 is provided on the National Data Opt-out Programme webpages. Patients can apply the national data opt-out online, by post or by phone. For more information see https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/.

 

What Data is Affected?

Broadly, it is data that meets all of the following three conditions: a) identifiable or likely identifiable (for example from other data likely to be in the possession of the data recipient); AND b) given in circumstances where the individual is owed an obligation of confidence; AND c) conveys some information about the physical or mental health or condition of an individual, a diagnosis of their condition, and/or their care or treatment. The opt-out does not apply to data that has been anonymised in line with ICO guidance. It is also worth noting that the opt-out only applies to patient data. It covers any and all data that is disclosed for purposes beyond direct patient care.

Invoice Validation

Broadly, the opt-out does not apply to data used for invoice validation. Specifically, it does not apply to invoice validation for non-contracted activity. For contracted activity, anonymised data should be used. The opt-out does not apply where a patient has given their explicit consent for the use of their data for payment and invoice validation. Data opt-outs do not apply to data disclosed to NHS BSA for the payment of prescription charges, specifically where the data is disclosed under Regulation 18A of National Data Opt-out Operational Policy Guidance Document. The opt-out does apply to data disclosed for payment purposes which rely on section 251 support unless it relates to non-contracted activity or specific conditions have been approved by the Confidentiality Advisory Group (CAG).

 

Risk Stratification

The national data opt-out does not apply to data disclosures for risk stratification for case finding but does apply where support under Section 251 is relied upon to support the disclosure. For the purpose of the National Data Opt-Out, risk stratification has been split into two functions, Risk Stratification for case finding and Risk Stratification for planning. Therefore the policy lines that are relevant to risk stratification are as follows:

  • National data opt-outs do not apply to risk stratification for case finding, where carried out by a provider involved in an individual’s care, as this should be treated as individual care.
  • National data opt-outs do not apply where the data for risk stratification is anonymised in line with the ICO Code of Practice on Anonymisation.
  • National data opt-outs do apply to data disclosures for risk stratification which rely on Section 251 support unless the standard condition requiring patient opt-outs to be respected is waived.

 

What Data is Not Affected?

Consent

The national data opt-out does not apply where explicit consent has been obtained from the patient for the specific purpose. This can include if a patient has previously opted out but wishes for that data to be processed for a specific purpose. The consent would override the national data opt-out and data could be processed for that specific purpose only. Other information that is applicable under the opt-out and is not covered by the explicit consent would still be subject to the opt-out if applied.

Communicable Disease and Risks to Public Health

The national data opt-out does not apply to the disclosure of confidential patient information required for the monitoring and control of communicable disease and other risks to public health. This includes any data disclosed where Regulation 3 of The Health Service Regulations 2002 provides the lawful basis for the common law duty of confidentiality to be lifted. See Section 251 on page 4.

Public Interest

The national data opt-out does not apply to the disclosure of confidential patient information where there is an overriding public interest in the disclosure, i.e. the public interest in disclosing the data overrides the public interest in maintaining confidentiality.

Direct Care

The national data opt-out does not apply to direct care as defined earlier in this Policy.

Reece Associates Application of the Opt-Out Policy

Reece Associates does not utilise patient information for anything other than their direct care. Patient-relevant items sent off site (i.e., lab work) are anonymised, in order to prevent any contravention of this fact, although both lab work and referrals to other clinicians are considered as being facets of Direct Care. Should Reece Associates’ use of patient data change in the future, our Policy will be updated to reflect this, and our procedures will be brought in line with those used nationally to adhere to this NHS-wide policy. In the event of any such change, we will publicise said change both internally within the Practice, and also via documentation on our website.

References

  • The National Data Opt-out Operational Policy Guidance Document
  • General Data Protection Regulations (GDPR)
  • Data Protection Act 2018