National Data Opt-Out – update for practices

  • Latest news

Practice checklist:

  1. Staff are aware that the type 2 opt out codes have been retired and replaced by a national opt-out.
  2. Practice privacy notice (or Fair Processing Guidance) has been updated.
  3. Practice literature relating to type 2 opt-outs and care data has been removed.
  4. Staff with patient contact are able to signpost patients to the new patient webpage.
  5. Staff with patient contact can explain to patients the differences between a national data opt out and other opt outs e.g. type 1 opt out, Summary Care Record, Local Care Records etc.
  6. Information Governance lead/ Caldicott Guardian at the practice is aware of the types of data that the opt-out applies to.

The National Data opt-out allows patients to register the decision that they do not want their confidential patient information to be used for purposes beyond their individual care and treatment. This applies from the 25 May 2018, with patient’s options stored on a separate database on the spine.

Patient data plays an essential role in research and planning, including the use of coded data from practices by the Clinical Practice Research Datalink (CPRD) and QResearch which have changed clinical practice in Primary Care. However, as data controllers, practices need to make it clear to patients how their data is being used, particularly for purposes beyond direct clinical care and be clear about which data sharing they can opt out of.

The National Data opt-out sits alongside the General Data Protection Regulation (GDPR), the Data Protection Act and the Common Law Duty of Confidence and it does not replace any of the provisions of these but compliments them.

Type 1 opt out:

Dissent from secondary use of general practitioner patient identifiable data. This prevents information being shared outside a GP practice for purposes other than direct care and is noted in the GP record.

Type 2 opt out:

Dissent from disclosure of personal confidential data by Health and Adult Social Care Information Centre (now NHS Digital). This prevents any confidential patient information from leaving NHS Digital, for purposes beyond their direct care.

Type 2 opt outs were previously recorded in the GP patient recorded. From the 25 May 2018 these have been automatically converted to a national data opt-out. However, from 1 October 2018 type 2 opt outs will no longer be converted and patients have to record their opt-out through a central database. This does not require any recording on the patient’s record. The data-opt out does not apply retrospectively for data that has previously been shared. From March 2020 this opt out will be valid across all health and care organisations. Type 1 opt outs will be reviewed in March 2020.

How can patients record their choice to opt-out?

If patients have not previously recorded a type 2 opt out and wish to apply, they should go to nhs.uk/your-nhs-data-matters and record their choice. They will need their NHS number and a valid email address or telephone number which is on their GP record or on the Personal Demographics Service database to register their decision to opt out. Alternatively, they can call 0300 303 5678 to register their opt out by phone or request a paper copy of the form by phone or online.

When does the National Data opt-out apply?

Data shared for research and planning purposes, this includes

Data generated or processed in Health and Social Care:

  • Bodies regulated by CQC.
  • Defined in the NHS Act 2006.
  • Set out in Department of Health and Social Care policy.

Data generated or processed in England:

  • This includes information generated in England, but being requested in another home nation.
  • This does NOT include information generated and being requested in another home nation.

Relating to publicly funded or publicly co-ordinated care:

  • All NHS organisations (including private patient treated within such organisations).
  • Adult social care which is funded or co-ordinated by a public body.
  • NHS funded care within independent providers.
  • Any release of data by NHS Digital which related to private patients including that which is collected by a request under s259 of the Health and Social Care Act (2012).

When does it not apply?

  • Data shared for an individual’s care and treatment.
  • Legal requirement/ public interest/ consent (see below for associated legislation).
  • Where data is safely anonymised.

It does not apply to:

  • Privately (non-NHS) funded healthcare within independent providers unless the care is coordinated by a public body.
  • Social care which is not funded or coordinated by a publicly funded body.

There are additional scenarios in which the opt-out does not apply, NHS England has produced a comprehensive checklist for patients.

Note that patients can register a separate opt-out for the following services:

Associated legislation for Information Governance leads/ Caldicott Guardians

The Health Services (Control of Patient Information) Regulations provide some legal gateways that allow Confidential Patient Information to be disclosed without patient consent. The Confidentiality Advisory Group (CAG) is an independent body which provides expert advice on the use of confidential patient information – including providing advice to the Health Research Authority (HRA). It also provides advice to the Secretary of State for Health for non-research uses. This legislation covers the sharing of confidential data for the purposes of managing communicable disease risks and other risks to public health.

Health and Social Care Act (2012) section 254 and 259

Section 254 of the Health and Social Care Act enables the Secretary of State for Health and Social Care to direct NHS Digital on matters concerning the provision of health services or adult social care in England. Section 259 of the Health and Social Care Act enables NHS Digital with powers to require information to be provided to them by health and care organisations through ‘data provision notices’.

NHS Act 2006 section 251 approval provides a reliable basis in law to permit the disclosure and temporary use of identifiable NHS patient information for:

  • Those wishing to obtain identifiable NHS patient information without consent; or
  • Data controllers who are asked to supply identifiable patient information without consent.
  • This is managed by the Health Research Authority and is considered by the CAG.
  • The Data opt out does apply to this type of approval

The Health Research Authority has published Guidance for Data Protection Officers in relation to GDPR and how this applies to research.

The National Diabetes Audit 2017/2018: Prior to 2017, this data was collected under the NHS Act s251 to which the data opt out would apply. However, this data is now extracted under a data provision notice under s259 of the Health and Social Care Act although patients can opt out through a Type 1 opt out or a specific opt out. This is subject to review and we will pass on any changes we become aware of via our newsletter.

For further information:

The Royal College of General Practitioners has published a helpful Patient Data Choices toolkit for GPs and practice staff. They have also created an e-learning module on Patient Data Choices which takes 30 minutes to complete for 0.5 CPD points.

Enquiries about information governance (IG):

Enquires about the General Data Protection Regulation (GDPR) and the Data Protection Act (2018):

Enquiries about the national data opt-out:

Download the guidance document here.

Last updated : 21 Nov 2018

Back to all news