Month: January 2020

National Data Optout – No. 18

National Data Optout – No. 18

National data opt-out (NDO) in Primary Care

GP practices must comply with the national data opt-out policy by March 2020.

What is the national data opt-out?

Patients can choose not to share their identifiable data when it is not related to the provision of direct care by requesting a national data op-out. This has replaced the type 2 opt-out which used to be managed in primary care. Patients requesting a national data opt-out should now be directed to

Where a patient had a type 2 opt-out registered on or before 11 October 2018, this was automatically converted to a national data opt-out and if they were aged 13 or over they were sent a personal letter explaining the change and a handout with more information about the national data opt-out.

Patients can be reassured that their choices will continue to be respected. If they want to change their choice, they can use the national data opt-out service to do this.

Some patients will have a type 1 opt-out registered with their GP practice, which indicates they do not want their confidential patient information leaving the practice for research and planning purposes. These existing type 1 opt-outs will continue to be respected until 2020, when the Department of Health and Social Care will consult with the National Data Guardian on their removal.

What should my practice do to be compliant with NDO?

  • Ensure you have a record of all your existing data disclosures, as required under GDPR/DPA 2018. This will be one of the requirement in your Data Security and Protection Toolkit (DSPT) returns.
  • Assess those data disclosures against the national data opt-out policy to see if national data opt-outs should be applied and putting a process in place to consider any new data disclosure requests against the policy. Note: the national data opt-out applies to data disclosures that rely on section 251 approval, please see the “National Data Opt-out FAQs”

To help GP practices to become compliant and to apply national data opt-outs, the four principal GP IT system suppliers are implementing new functionality in the reporting and search modules within their clinical systems. The functionality will enable practices to easily remove the records of patients who have registered a national data opt-out from data disclosures when the practice decides the opt-out applies.

Specific considerations for NWL GP practices

In relation to NDO compliance you will have received, or will shortly receive correspondence from NWL CCGs which include:

The majority of practices in the NWL CCGs will not be processing PID for non-direct care processes. In making an assessment, the areas which you may wish to consider would be:

  1. Whole Systems Integrated Care (WSIC) data extractions
  2. Discover data extractions
  3. Research data extracted through the ResearchOne TPP based module
  4. Any other independent research data extractions.
  5. Old reports which are informing data extractions

In managing these we have provided generic DPIAs which can be used in relation to:

  1. WSIC data extraction
  2. Discover data extraction
  3.  TPP ResearchOne data extraction
  4. You must ensure any research data extractions not managed by TPP are excluding patients with NHS numbers where national data opt-outs have been applied (see Guidance and tools to achieve and declare compliance – below)
  5. Practices generating disclosures through existing older or bespoke reports (written before the new functionality) must ensure that their reports are edited to apply national data opt-outs. Likewise any new reports informing PID disclosure must apply national data opt-outs when created. If you are running external reports which you are unable to edit, you must contact the owner or publisher to apply national data opt-outs before data is disclosed.

The principle underpinning WSIC, Discovery and ResearchOne extractions is that any data used (for purposes other than direct care) is not identifiable and so the NDO does not apply in any of these examples. The DPIAs are attached for your information and to confirm this.

When your practice is compliant with the NDO you must declare this in your Fair Process Notification (FPN). You do not need to reprint your paper copies but should include a short statement (see below) in the published FPN which your website should point to.

“National Data Opt-Out

Our practice is compliant with the National Data Opt-out”

Practices should make sure staff are aware of the national data opt-out so they can support their patients and be aware of the patient support material (see below under Further Guidance)


FAQs on the National Data Opt Out

What type of data is involved?

The national data opt-out applies to the disclosure of confidential patient information for purposes beyond individual care across the health and adult social care system in England. It is applied to data that originates within the health and adult social care system in England by health and care organisations. It does not apply to data disclosed by providers of health and care services outside of England or to children’s social care services.

When the opt-out is applied, the entire record (or records) associated with that individual must be fully removed from the data being disclosed, whether that data is held electronically or on paper, regardless of whether it is structured or unstructured.

When does the national data opt-out apply and in what circumstances can it be overridden?

The national data opt-out is aligned with the common law duty of confidentiality (CLDC). It applies unless there is a mandatory legal requirement or an overriding public interest for the data to be shared. It is obviated by individual patient consent, or where the data is anonymised in line with the (ICO) Code of Practice.

 Who can opt-out?

Any person registered on the Personal Demographic Services (PDS) who has an NHS number can set a national data opt-out, using online and non-digital channels. The opt-out is registered against their NHS number on the Spine (a central repository supporting IT infrastructure in England for health and social care).

 What proportion of patient have opted-out?

Opt-out rates by region can be obtained through the national data opt-out publication

 When should my practice be compliant?

All health and care organisations should be compliant with the opt-out by March 2020.

What are my responsibilities at a practice level?

Practices  should have procedures in place to review uses or disclosures of confidential patient information against the national dat opt-out operational policy guidance. The following general guidance on the national data opt-out policy will help you understand how it works and whether data uses or disclosures are in scope

Note: To help GP practices to become compliant with the national data opt-out, the four principal GP system suppliers have been commissioned to develop and embed the service into their clinical systems. Further information will be made available as the GP system suppliers confirm their delivery plans. See further information for GP practices.

If your practices is disclosing PID data outside of their current clinical systems, these should have should have national data opt-outs applied and you should implement the technical solution  to enable you to check lists of NHS numbers against those with national data opt-outs registered.

When you get the results back, you should have a process in place to ensure that you only use or disclose information for the returned list of NHS numbers, as any with national data opt-outs registered will have been removed.

If you have no uses or disclosures which need to have national data opt-outs applied, you must still put procedures in place to assess future uses or disclosures against the national data opt-out operational policy guidance, and can choose to either:

  • implement the technical solution in readiness, or
  • be ready to implement it if needed for future data uses or disclosures

Once compliant, confidential patient information must not be used or disclosed before it has been assessed and national data opt-outs applied if necessary.


Guidance and tools to achieve and declare compliance

The compliance implementation guide provides a step-by-step guide to help understand and plan the actions required to become compliant with national data opt-out policy. To configure a MESH tool which allows submission of a group of NHS numbers and returns a list with the NHS numbers removed for those patients that have opted out. Check for national data opt-outs service

Further guidance