The National Data Opt-Out (NDO-O) was introduced along with the Data Protection Act 2018 and GDPR on 25 May 2018. This followed recommendations from the NDG that patients should be able to opt out of their personal confidential data being used for purposes other than their direct medical care.
The NDG states that, “A patient should be able to state their preference once (online or in person), confident in the knowledge that this will be applied across the health and social care system.”
Further reading can be found in the National Data Opt-Out Guidance document.
NDO-O only applies to general practices in England.
1.1 – Compliance and Understanding the National Data Opt-Out
NHS Digital provides information for GP practices regarding compliance with and understanding of the National Data Opt-Out. The main points are detailed in this chapter.
1.2 – Setting or Changing an Opt-Out choice
The NDO-O allows a patient to choose if they do not want their confidential patient information to be used for purposes beyond their individual care and treatment – for research and planning.
Anyone who has an NHS number and has registered for care or treatment with the NHS in England can set an opt-out if they wish to, even if they do not currently live in England. A patient must register their choice to opt out only once, and that registration applies to all healthcare settings and organisations, not just general practice. An opt-out choice can be changed at any time by the patient or their proxy.
Opt-outs can be notified using one of the following:
- Online service – Patients registering need to know their NHS number or their postcode as registered at their GP organisation.
- Telephone service 0300 303 5678, which is open Monday to Friday between 0900 and 1700
- NHS App – for use by patients aged 13 and over (95% of surgeries are now connected to the NHS App). The app can be downloaded from the App Store or Google Play
- ‘Print and post’ registration form. It can take up to 14 days to process the form once it arrives at National Data Opt Out, Contact Centre, NHS Digital, HM Government, 7 and 8 Wellington Place, Leeds, LS1 9TZ
- Getting a healthcare professional to assist patients in prison or other secure settings to register an opt-out choice. For patients detained in such settings, guidance is available on NHS Digital and a proxy form is available to assist in registration.
1.3 – Patients who can set an opt-out choice on behalf of someone else
A third party can set an opt-out choice on behalf of a patient, by proxy, if:
- They are the parent or legal guardian of the patient who is a child aged 12 or under
- They have a formal legal relationship with the patient, for example, they have legal power of attorney or are a court-appointed deputy
They can only do this using the ‘print and post’ service.
1.4 – Upholding the opt-out and declaring compliance
As the NDO-O policy applies to nearly all organisations, they need to uphold patient choices to opt out by removing the records of any patient before using or disclosing information other than for the purpose of that patient’s immediate healthcare.
The Data Security and Protection (DSP) Toolkit includes an item on compliance with the NDO-O. This requires organisations to self-declare their compliance (or otherwise) with the policy and provide a clear public statement to this effect.
Further reading can be sought in the Data Security and Protection Handbook.
1.5 – Compliance and Implementation Guide
The national data opt-out compliance and implementation guide takes users through the steps they need to follow to achieve compliance by the revised date of 31 July 2022.
Before doing so, it presents a checklist of the process and advises that users should consider:
- How long it will take to be compliant (the advice and guidance of the organisation’s DPO will be invaluable in making this assessment)
- Who should be involved in the implementation
The guide outlines the five steps that need to be taken to achieve compliance. However, because step 2 (implementing a technical solution) will be carried out by clinical system suppliers on behalf of GP organisations, those organisations do not need to implement step 3, i.e., set up the technical solution and use the Message Exchange for Social Care and Health (MESH), which accesses the Check for National Opt-Outs Service.
Step 1 | Assess data disclosures and update procedures |
Step 2 | Decide whether to implement a technical solution. Note the four principal GP system suppliers have been commissioned to assist GP organisations to comply with the NDO-O by developing and embedding a technical solution in their systems. |
Step 3 | Set up the technical solution and use the Message Exchange for Social Care and Health (MESH) which accesses the Check for National Opt-Outs Service. Organisations only need to consider doing this if they hold and generate patient data reports using a system/software other than their clinical system. |
Step 4 | Implement new processes. This suggests that a Data Protection Impact Assessment (DPIA) should be completed using the format shown at the link which is based on the ICO template. It is strongly advised that completion of the DPIA is left to the organisation’s DPO. |
Step 5 | Plan communications and declare compliance. This step requires organisations to consider communications and to declare compliance: |
1.6 – Understanding if the data you use or disclose is in scope
This understanding is covered by a series of 10 questions that organisations need to ask themselves:
- Is the use or disclosure for individual care or research and planning?
- Is the use or disclosure confidential patient information?
- Does the organisation have explicit consent for the use or disclosure?
  Note that the NDO-O does not apply where explicit consent has been obtained from the patient for a specific purpose and that there are also three other main exemptions:
  – Communicable diseases and risks to public health, such as the COVID-19 pandemic
  – Overriding public interest
  – Information required by law or court order
- Is the disclosure for the purpose of the monitoring and control of communicable disease or other risks to public health? If it is, NDO-O does not apply.
- Is the information being disclosed because of a legal requirement?
- Is the use or disclosure in the overriding public interest?
- Is the legal basis for the use or disclosure Section 251 approval?
- Is the use or disclosure to an arm's-length body?
- Is the disclosure to NHS Digital?
- Is the use or disclosure to support payment and invoice validation?