Patient Data Choices Toolkit

The Patient Data Choices Toolkit is a collaboration between the NHS and the Royal College of General Practitioners which aims to deliver a portfolio of resources to inform primary care teams on a new national data opt-out as recommended by the National Data Guardian in her Review of Data Security, Consent and Opt-outs.

The resources have been created to inform primary care teams so that they are able to confidently and accurately advise patients and carers on their data sharing options and to support primary care teams to uphold the national data opt-out within their own practice.

Introduction

Summary

This toolkit provides English General Practices with the materials they need to understand the new national data opt-out.

Health and care organisations in England hold a wealth of patient information. This has significant potential for delivering benefits through uses such as research and planning. Such use requires that, as the National Data Guardian expresses, “everyone who uses health and care services should be able to trust that their personal confidential data is protected”.

Following recommendations made by the National Data Guardian for health and care in England a new national data opt-out is available. It provides a secure and accessible way for the public to opt out of their confidential patient information being used for reasons other than their individual care and treatment subject to a number of exemptions. For a transitional period until the end of September 2018, GP practices may set a Type 2 opt out if requested and these will also be converted to the national data opt-out. From early October 2018, Type 2 opt out codes will be retired.

Confidential Patient Information is defined in the Operational Policy Guidance (see supporting information).

The national data opt-out, introduced from 25 May 2018, will apply across all of health and care by March 2020 in England. Practices will need to be able to: 

  • Inform patients appropriately about the use of data and the national data opt-out
  • Explain the differences between a national data opt-out and other opt-outs, e.g. type 1 opt out, Summary Care Record, Local Care Records etc
  • Direct patients to where they can obtain further information or set a national data opt-out
  • Ensure that they are upholding the national data opt-out by March 2020

GP practices must continue to uphold type 1 opt-outs at least until March 2020.

Note: the information in this toolkit DOES NOT apply to the use of data to provide direct individual care (e.g. Summary Care Record, Enhanced Summary Care Record, Local Detailed Care Record Sharing for individual care). Local data sharing agreements for the provision of direct individual care are covered by separate opt-out mechanisms which are not included in this toolkit.

This toolkit will support practices to:

  • Inform patients of how their data is used
  • Support patients to understand the benefits of data use
  • Build patient understanding of how health and care services and the organisations which manage them use their data
  • Help patients to understand their opt-out choices for their confidential patient information being used beyond their own individual care and the situations in which this opt-out will and will not apply
  • Explain to patients where they can obtain further information on how to register a national data opt-out should they so wish
  • Understand how the national data opt-out fits into wider data protection legislation and confidentiality frameworks

Each section includes:

  • Summary: giving the basic information
  • Detail: a more detailed review for those who wish to know more
  • Supporting information: a section of supporting information for those who wish to go deeper still

Supporting Information    

Key Points

  • All practice staff will need to be aware that there is a change in patients' opt-out options. They need to know where to direct patients for further information and to be aware of the need to ensure all documentation being supplied to patients is accurate and up to date
  • Existing privacy materials will need updating
  • Registration forms, existing leaflets, posters, website pages or other materials will need to be updated or replaced to include information about the national data opt-out and remove any information which is no longer valid (eg if they refer to Type 2 objections)
  • The national data opt-out will provide a secure and accessible way for the public to opt out of their confidential patient information being used for reasons other than their individual care and treatment except for certain circumstances (for a detailed discussion of the situations where the opt-out does not apply, see section “Applying the national data opt-out”)
  • Patients registered on PDS (and consequently with an NHS number allocated to them) will be able to set a national data opt-out
  • Young people can set their own opt-out from age 13. People with parental responsibility can set an opt-out for their children under 13 and those with a formal proxy relationship can set an opt-out choice on behalf of the person for whom they hold responsibility
  • NHS Digital will be the first organisation to uphold the national data opt out from this date
  • Not all organisations will be able to uphold the national data opt-out immediately, but by March 2020 it is expected that all health and care organisations including GP practices will be upholding the national data opt-out
  • The national data opt-out does NOT apply to information used for individual care (eg Summary Care Record, Local Detailed Care Record). These are generally covered by other opt-out arrangements
  • All type 2 objections will be converted to national data opt-outs from 25 May 2018 and any patient wanting to opt-out after this date should be directed to the national data opt-out
  • From 25 May 2018 there will be a transition period until the end of September, during which GP practices may set a Type 2 opt out if requested and these will also be converted to the national data opt-out. From early October, Type 2 opt out codes will be retired
  • Existing type 1 opt-outs will be honoured until 2020 and the National Data Guardian will be consulted before confirming their removal

Supporting Information

How Patients set a National Data Opt-out

Summary

  • People will be able to set an opt out online, through a supported telephone service (like the eReferral service) or by submitting a paper request
  • Children under 13 and those who lack capacity may not be able to set an opt-out themselves. In such cases individuals who have a formal, legal relationship to act on behalf of the patient (i.e. somebody who has parental responsibility, a legal power of attorney or court appointed deputy) will be able to set a proxy opt-out on their behalf. This is to enable equality of opportunity for everyone to be able to opt out and will also reduce the burden on GP practices
  • The national data opt-out choice is set by the individual and does not require any action by the person’s General Practice

Detail

Routes for setting an opt out - Online

The preferred route for people to set a national data opt-out preference will be that they do this through the nhs.uk website, where there is also information provided about the opt-out in order to support an individual to make an informed choice. This will require the individual to verify their identity using their name, date of birth, NHS number and a mobile phone number or email address which is registered with either their GP or on PDS.

If a person cannot confirm their identity this way online they can use the telephone service, which may be able to guide them through the service or set a choice on their behalf. The website will be available 24 hours a day, 7 days a week from 25 May 2018.

Routes for setting an opt out - Supported telephone service

People can set their national data opt-out choice using a telephone service on 0300 303 5678. When calling this line patients will need to confirm their identity by providing their NHS number, name and date of birth. If the patient does not know their NHS number the contact centre may ask for their postcode to confirm a match. The patient will also need to have an email or mobile phone number recorded on PDS to receive a verification passcode.

Calls to this number should cost no more than calls to a normal personal or business geographic landline number (numbers starting with 01 or 02), whether calling from a landline, or mobile phone.

The telephone service will be available 9am to 5pm, Monday to Friday, excluding English bank/ public holidays from 25 May 2018.

Routes for setting an opt out – Non-digital (Paper)

Patients can also obtain a form to fill in and post to register a national data opt-out preference. The form can be obtained via the website or the national telephone service. To use the non-digital route a patient can either use their NHS number, or two forms of identification one to confirm name and the other to confirm address. When a patient updates their choices through the non-digital paper route they will receive a letter confirming their choice.

Cannot be set via GP

The national data opt-out choice CANNOT be set by the GP or other member of the practice staff and is not stored or implemented through the use of codes in the GP system. National data opt-outs are held by NHS Digital on a central repository on the Spine. For a short transitional period until the end of September, GP practices may set a Type 2 opt out if requested and these will also be converted to the national data opt-out. From early October, Type 2 opt out codes will be retired.

Children and People with Lasting Power of Attorney

Patients can set their national data opt out choice from the age of 13 through any of the available routes. This age is based on the minimum age in data protection legislation and is not based on any assessment of competence. Any national data opt-out set by a parent or guardian prior to age 13 will remain in place unless and until the patient reviews and changes it.

For children under the age of 13 a national data opt-out choice can be recorded by someone with parental responsibility. Once a young person passes the age of 13 the person with parental responsibility will no longer be able to set a choice. In exceptional circumstances, where a young person aged 13-18 is severely disabled and unable to set a choice, a person with parental responsibility will be allowed to set a preference until a Lasting Power of Attorney can be obtained.

Someone with legal authority to act on behalf of an individual e.g. Lasting Power of Attorney (LPA) or court appointed deputy can set a national data opt-out choice on behalf of that individual. For example a daughter with LPA could set a choice for her elderly parent with dementia. Those who wish to set national data opt-out on behalf of someone else will need to use the telephone service.

Tailored resources are available for young people and carers through the national data opt-out website

To set an opt-out on behalf of someone else people will need to supply their own name, address postcode and proof of their right to act on behalf of the individual for whom they are setting a choice. They will also need either the name and NHS number for the person for whom they are setting the choice, or name and two identification documents (one for name and one for address).

Supporting Information

Accessibility

Summary

  • It is important that there is equality of opportunity to register a national data opt-out and that everyone has access to suitable information on the national data opt-out and what it means and can make an informed choice
  • A full Equality Impact Assessment has been undertaken and there is a range of accessible resources available.

Detail  

The NHS has worked with the voluntary sector to produce a resource and alternative format handouts to support organisations working with members of the public, particularly those who require additional support. This guide provides the information needed by the voluntary sector to be able to support their communities and members to inform them about the use of confidential patient information and the national data opt-out. It also provides signposting details to further information. The link for this resource is included in the supporting information section.

The following alternative formats of the handout will be available (see supporting information for link): 

  • Easy read
  • Large print
  • Audio
  • Braille
  • British Sign Language and other languages

There will also be tailored versions of the handout for:

  • Young People
  • Carers
  • Black and minority ethnic (BME)

The national data opt-out is primarily a digital service but other routes to setting an opt-out are available to make it accessible to all. Alternative routes include being supported via the helpline to set an opt-out online or setting an opt-out via a paper based form.

The helpline aims to be accessible to all by offering a translation service, use of the Next Generation Text Service and an email enquiry service.

All of these will be available from the link in the Supporting Information section.

Supporting Information

Background

Summary

  • In 2016 the National Data Guardian recommended a new simplified opt-out model for the use of personal confidential information for purposes beyond individual care, which would replace the existing arrangements for type 1 and type 2 objections subject to a full consultation
  • Following a public consultation, the recommendations were accepted by the Department of Health and Social Care and a single national data opt-out is being implemented
  • Patients have been able to start setting the national data opt out from 25 May 2018; it is upheld by NHS Digital from this date and implementation across other health and care settings including GP Practices will be complete by 2020
  • The type 1 opt-out will remain at least until March 2020

Detail  

The National Data Guardian was commissioned to propose a new consent/opt out model for data sharing to enable people to make an informed decision about how their personal confidential data will be used.

The Review made a number of points and recommendations including:

  • People are protected by the law
  • Information is essential for high quality care
  • Information is essential for other beneficial purposes such as research, planning and commissioning
  • People have the right to opt out of their personal confidential information being used for these other purposes beyond their individual care: 1) Providing local services and running the NHS and social care; 2) Supporting research and improving treatment and care
  • The national data opt-out will be respected by all organisations that use health and care information by March 2020
  • Individuals will continue to be able to give their consent for defined uses such as a specific research project as they do now
  • The national data opt-out will not apply to information anonymised in compliance with the ICO code of practice
  • The national data opt-out will not apply where there is a mandatory legal requirement for the data to flow or an overriding public interest
  • There are a limited number of specific circumstances in which an individual’s decision to opt-out should not apply

Supporting Information

Use of Data

Summary

In addition to using data for individual care, the data gathered through health and care can be used to support planning and managing the NHS and research to improve care. It is important that individuals understand how their data can be used in this way, and how this may have long-term benefits across the population. It is also vital that individuals have trust in those using their data, and understand how their health and care data is used.

Detail  

Individual Care

We are all familiar with using the information in patients' records when treating them. This may be reading the notes, sending referral letters or sharing patient records electronically or through the use of local clinical audit by those providing this care. All of these uses are considered under the heading of “individual care”.

Planning and Research

In addition to data being used for individual care there is an important opportunity to use the data that we hold about our patients for other purposes related to the planning and commissioning of healthcare services and research to improve our ability to care for our patients. 

Using confidential patient information enables joining up of data from different sources and in many cases is required to: 

  • understand more about disease risks and causes
  • improve diagnosis
  • develop new treatments and prevent disease
  • plan and commission NHS services
  • improve patient safety
  • evaluate government and NHS policy

Use of data under this heading must have a demonstrable benefit to the delivery of health and care.

The Department of Health and Social Care’s clear policy position is that no confidential patient information should be used for marketing and insurance purposes unless a patient gives their explicit consent.

For a more detailed discussion of who uses the information and how see Understanding Patient Data “What you need to know” in supporting information section.

Trust

The National Data Guardian introduced her report with the statement “Everyone who uses health and care services should be able to trust that their personal confidential data is protected”. For us to practise medicine safely we need our patients to give us information, and so we must have their trust.

The Understanding Patient Data initiative, led by the Wellcome Trust, has undertaken a major piece of work to provide the resources to “support conversations with the public, patients and healthcare professionals about how health and care data is used” (see supporting information).

This work has identified four factors in keeping data safe:

  • Removing identifying information where possible
  • An independent review process (of: why the data is needed, who is accessing the data, how the data will be protected)
  • Strict legal contract
  • Robust data security standards (see Understanding Patient Data “How is data kept safe” in supporting information section)

It is the responsibility of every organisation handling confidential patient information to ensure that they meet the standards of confidentiality and security that are required to be trustworthy. By March 2020 every organisation in health and care will be required to uphold the national data opt-out.

NHS Digital has controls in place to ensure that confidential patient information is held securely and appropriately. When data is used for purposes beyond individual care and treatment it is normally anonymised, which means that information that identifies an individual patient has been removed.

Sometimes, to understand and analyse the care and treatment patients are receiving and to undertake research, it is necessary to join data together. To join the data from different health and care organisations a single unique identifier is needed for each patient. This is the individual’s NHS number. Occasionally the NHS number may not be available or has been entered inaccurately so other facts about the patient, such as date of birth, may also be used. The more of a patient’s details that can be matched together the greater the certainty that the different sets of data relate to the same patient.

Where confidential patient information is required to allow data from different organisations to be linked it will only be collected where there is a clear legal basis. All such confidential patient information is handled subject to the Data Protection Act (currently DPA 1998, soon to be succeeded by new data protection legislation) and the Common Law Duty of Confidentiality (CLDC).

NHS Digital and the Confidentiality Advisory Group publish registers of all approved data releases (see supporting information).

Where a person does not want their confidential patient information used for planning and research they can choose to opt-out of this use, although there are a number of situations where this opt-out will not apply (see section “Applying the national data opt-out”).

Benefits of use of data beyond individual care

The NHS and those providing adult social care services hold a large amount of patient data, which can and does deliver significant benefits in both planning and commissioning of services and research. In her report on data security, consent and opt-outs, the National Data Guardian emphasised the importance of data. Sharing data across health and care services and the organisations responsible for managing them benefits both patients and those providing the services and the organisations responsible for managing the service. These benefits include: gaining an understanding of the care and treatment patients are receiving and how they are passing through services, measuring the impact of services, monitoring the impact of guidelines and standards. Examples include: the National audit of management of Hepatitis B in pregnancy and the National Perinatal Mortality Review.

The National Diabetes Audit helps GP Practices identify priorities for improvement for patients with diabetes. The last audit found that patients under 65 were less likely to reach their treatment targets compared to older people. This has led to recommendations that new approaches should be developed for patients under 65. With the evidence provided by the National Clinical Audit we are able to improve care for all patients with diabetes.

Benefits of data sharing for research include the development of tools to support diagnosis and risk prediction, identifying appropriate treatments and guidelines and the identification of benefits and problems with treatments. Examples include the Clinical Practice Research Datalink (CPRD) study which identified improvements needed in the referral guidelines for suspected renal cancers to include patients aged over 40 with blood in the urine, and the development of the QRisk set of risk scores for cardiovascular disease which are now used universally to prevent cardiovascular events.

Supporting Information

What is the National Data Opt-out?

Summary

The national data opt-out enables patients to set or update their choice regarding how their confidential patient information is used for purposes of planning and research, except for certain circumstances.

The opt-out choice is set directly by the patient, either online or via a supported national telephone service without the involvement of the General Practice.

All type 2 objections will be converted to national data opt-outs from 25 May 2018 and any patient wanting to opt-out after this date should be directed to the national data opt-out.

Detail  

One question to make your choice

When setting a national data opt-out the patient will be asked the following question:

Your confidential patient information can be used for improving health, care and services, including:
  • planning to improve health and care services
  • research to find a cure for serious illnesses

I allow my data to be used for research and planning:

  • Yes
  • No

Applies across all of Health and Care

Once the person has set a preference it will apply across all health and care settings by 2020. Patients can change their mind at any time and change their setting.

When will it apply? 

Patients will be able to set their choice from 25 May 2018. NHS Digital will respect all choices set from this date, however, other health and care organisations may not have implemented the national data opt-out until 2020. Patients need to be aware that their national data opt-out choice may not be fully respected until this date.

GP practices should note that they will still have to uphold existing type 1 objections at least until March 2020.
 
Once an individual registers a national data opt-out, their confidential patient information may not be used for the purposes of planning and research. Until a patient registers a national data opt-out, their confidential patient information may be used for purposes of planning and research providing there is a legal basis to do so, unless they have a type 1 objection in place, in which case their GP data will not be used.

A national data opt-out will not apply retrospectively, meaning it does not need to be applied to data that has already been processed. At the point a particular dataset has been used or released, all patients who have opted out at that time will be removed. Data does not need to be recalled once released or otherwise processed. A patient may choose to change their opt-out decision at any time and their current choice will be respected at any given time, replacing any previous choices made. If a patient has previously opted-out, but then subsequently withdraws their opt-out, their confidential patient information (including any historic data) will become available for use beyond their individual care once again. This is true even where the data relates to a period where the patient had previously opted-out.

Further detail of the situations in which the national data opt-out will apply and in which it will not apply is in the section “Applying the national data opt-out”.

Supporting Information

Preparing your practice for the National Data Opt-out

Summary

The new national data opt-out will involve changes for the practice:

  • New posters and handouts, with information on obtaining supplies, are being provided by the NHS and should be displayed. Old ones, e.g. previous privacy notices or material relating to care data, should be removed
  • The Type 2 objection will no longer apply, so all reference to this needs to be removed from patient literature. The practice's privacy notices will also need to be updated to ensure they are consistent with the changed opt out arrangements
  • Anyone with a type 2 in place will have it automatically converted to a national data opt-out which will be respected by NHS Digital, so wishes will still be respected
  • The type 1 objection remains in place at least until March 2020 and all literature should reflect this
  • All practice staff will need to be aware that there is a change in patients’ opt out options. They need to know where to direct patients for further information and to be aware of the need to ensure all documentation being supplied to patients is accurate and up to date
  • As the digital channel uses email or telephone details for verification, practices should maintain their efforts to keep this information current on their system and up to date with PDS

Further guidance will be coming for practices on upholding the national data opt-out.

Detail

Ensure all staff are aware of the national data opt-out and understand their role

All practice staff will need to be aware that there is a change in patients’ opt out options. They need to know where to direct patients for further information and to be aware of the need to ensure all documentation being supplied to patients is accurate and up to date. As the type 1 objections remain in place and the national data opt-out, which replaces the type 2 objection, will be upheld immediately by NHS Digital, patients can be reassured that there will be no change to the sharing status of their GP records at present.

Some members of the team will need more detailed understanding, for example, clinicians who may be asked for information by their patients. Those members of the team with specific information governance roles will need to have a more detailed understanding of the changes so that they can ensure that the practice is compliant and can support and advise colleagues of their responsibilities.

Review all existing documentation and website content related to data choices

Practices will have a variety of pieces of documentation to support their fair processing obligations. These may include: notices given to new patients when they register, registration forms with options to select a variety of data choices, including requests for type 1 and type 2 (national) objections.

All documentation should be reviewed and updated to include information about the national data opt-out and the type 1 opt-out and remove any references to the type 2 opt-out. Old copies will need to be removed from circulation.

Update your privacy notice

In addition to other updates in line with the Data Protection Legislation, the practice privacy notice will need to be updated to reflect:

  • The new national data opt-out (see template statement in support resources)
  • The requirements of GDPR including all relevant rights

Supporting Information

Transition from the existing Type 1 and Type 2 objections

Summary

  • From 25 May 2018 all Type 2 objections will be automatically converted to the new National Data Opt Out and any patient wanting to opt-out after this date should be directed to the national data opt-out. Initially this will mean that NHS Digital continues to uphold the already expressed choice; as other organisations uphold the opt-out, this choice will be applied in a wider set of situations
  • Patients who have registered a Type 2 objection will be directly notified by letter from NHS Digital with an information leaflet and national contact telephone number for any questions
  • For a short transitional period until the end of September, GP practices may set a Type 2 opt out if requested and these will also be converted to the national data opt-out. From early October, Type 2 opt out codes will be retired
  • Existing type 1 opt-outs will be honoured until 2020 and the National Data Guardian will be consulted before confirming their removal

Further guidance will be coming for practices on upholding the national data opt-out.

Detail

Type 1 objections

The Type 1 objection ‘Dissent from secondary use of general practitioner patient identifiable data’ prevents any identifiable information leaving the GP record for purposes other than individual care.

These objections are coded in the GP record and will continue to be upheld until at least March 2020. Before a decision is taken to revoke these objections, there will be a consultation with the National Data Guardian. Patients can therefore continue to register a Type 1 objection if they so wish and should be kept aware of this.

Type 2 objections

The Type 2 objection ‘Dissent from disclosure of personal confidential data by Health and Social Care Information Centre’ is being replaced by the new National Data Opt Out. On 25 May 2018 any existing Type 2 objection will be automatically converted to a national data opt-out.

After 25 May 2018 there will be a transition period during which any type 2 objections that get coded will be collected on a monthly basis and converted to a national data opt-out. It is important that all staff are aware that Type 2 objection codes must not be added after the end of this transition period. Any existing processes in the practice for adding these codes must be reviewed and amended.

Supporting Information

What the National Data Opt-out applies to

Summary

  • The national data opt-out will apply to any confidential patient information generated or processed by a Health or Adult Social care organisation within England under the NHS Act, as defined by the Department of Health and Social Care, subject to regulation by CQC or any other Health or Care related professional body
  • It will also apply to confidential patient information held by other organisations relating to care provided or co-ordinated by a public body
  • It will apply to all confidential patient information held by NHS Digital from 25 May 2018 and to all data held by all applicable organisations by March 2020

Further guidance will be coming for practices on upholding the national data opt-out.

Detail

England

The national data opt-out will apply to confidential patient information generated and processed in England. This will include any data collected in England which is flowing out of England, including where it is flowing to another home nation. For a definition of confidential patient information see the section “Applying the national data opt-out”.

The national data opt-out will not apply to information flowing from outside England, including from the other home nations directly to a research or planning body. However, when information from another home nation comes into an English health or adult social care organisation (eg GP surgery) to which the national data opt-out applies then the information will become subject to the national data opt-out.

For example, if a patient with an English GP is treated in hospital in Wales the information held by the hospital in Wales will be treated in compliance with Welsh policy, and the opt-out will not apply. Any information held by the English GP which has been received from the hospital will be subject to the opt-out by March 2020.

Health and Social Care Data

The national data opt-out applies to confidential patient information generated and processed by health and care organisations in England. This includes:

  • Health and social care organisations that are defined within section 251 of the NHS Act 2006 (this includes General Practice)
  • Health and social care organisations that come under policy set by the Department of Health and Social Care
  • Health and social care organisations whose health and care services are regulated by the Care Quality Commission
  • Health and social care organisations regulated by another health or care related professional body eg the General Pharmaceutical Council

For these organisations the national data opt-out will apply even where the care is privately funded (eg a private patient in an NHS hospital). The national data opt-out will also apply to data from other organisations where the care is co-ordinated by the public body (usually a Local Authority) or funded publicly (eg NHS funded care in a private hospital).


Privately Funded Care in the Private Sector

The national data opt-out will not apply where privately funded health care takes place in an independent setting (eg a private operation in a private hospital). The national data opt-out will not apply to children’s services (including children’s social care) as these organisations are regulated by Ofsted. N.B. child health services provided in support of this and through organisations regulated by CQC will remain in scope.

Supporting Information

Applying the National Data Opt-out

Summary

The national data opt-out applies to confidential patient information being used for purposes other than individual care, except in certain circumstances. Applying the national data opt-out depends on the lawful basis for the use of the data, not the organisations requesting or using it. If the basis for use is regulation 2 or 5 of the Control of Patient Information Regulations made under S251 of the National Health Service Act 2006, then the national data opt-out will apply.

The opt-out will apply unless:

  • the patient has consented to a specific data use (e.g. consent to a specific research project)
  • where the data is required by law (e.g. data provision under s259 of the Health and Social Care Act)
  • where it is in the public interest for the opt-out not to apply (e.g. where a patient has given information indicating they pose a serious risk to others)
  • certain other specific exemptions (see supporting information)

The national data opt-out does not apply to data anonymised in compliance with the ICO code of practice on anonymisation.

Detail

When the National Data Opt-out Applies

Planning and Research Purposes

The national data opt-out applies to the use of confidential patient information for purposes other than individual care, e.g. where data is used for planning and research purposes. In particular, it has been made clear that such confidential patient information will never be used for insurance or marketing purposes without explicit patient consent, regardless of whether the patient has an opt-out in place or not. (Individual care is defined below.)

Confidential Patient Information (CPI)

The national data opt-out will only apply to the use of confidential patient information. This is defined in section 251 of the National Health Service Act 2006. Broadly it is information that meets the following 3 requirements:

  • identifiable or likely identifiable e.g. from other data likely to be in the possession of the data recipient; (see example below)
  • given in circumstances where the individual is owed an obligation of confidence; and
  • conveys some information about the physical or mental health or condition of an individual, a diagnosis of their condition; and/or their care or treatment

It should be noted that Section 251 has been updated to ensure that the definitions used expressly include local authority social care (i.e. care provided for, or arranged by, a local authority). In practice the CPI definition covers anything that could be described as “special category of personal data” under the DPA 2018 and indeed goes beyond this as it also covers information about the deceased.

Any information given by a patient to a GP practice that could be considered related to their health or treatment is confidential patient information.

Even if the data is not identifiable when you send it, the recipient may be able to identify it using information they hold. For example, if you send a list of patients with cancer with no identifiers, but including the dates and times of their hospital appointments, then someone with access to the appointments list may be able to identify the confidential information by linking the information you have supplied with the appointments data.

Section 251 of the NHS Act

With the policy in place, the national data opt-out will apply where S251 support is relied upon (i.e. under regulation 2 or 5 of the Health Service (Control of Patient Information) Regulations 2002) as the legal basis for the disclosure. As a rule of thumb, if GP practices are disclosing data where the legal basis is section 251 (Reg 2 or 5), the national data opt-out will apply.

Under the Common Law Duty of Confidentiality (CLDC) there must be a legal basis for sharing CPI. Most often this will be consent, but there are times when obtaining consent is not practicable, and so there are processes to allow some lawful sharing of CPI.

One of these is the process under section 251 of the Health Service (Control of Patient Information) Regulations 2002. Under this process applications go to an independent review body, the Confidentiality Advisory Group (CAG). This group provides independent oversight and advises the decision maker, i.e. the Health Research Authority (HRA) for research related applications and the Secretary of State for non-research applications, as to whether an application should be approved. One of the standard conditions of S251 approvals is for patient opt-out to be allowed. Under exceptional circumstances CAG may advise that the opt-outs should not be upheld, but for the majority of cases where data is obtained under CAG approval the opt-outs will be upheld.

Examples:

CAG-approved projects for research purposes: GP Reminders for Bowel Scope Screening non-Participants; Mortality outcome in the London COPD Cohort.

CAG-approved projects for non-research purposes: National COPD Audit; An evaluation of 12-month all-cause mortality in patients with hip fracture; Disclosure of commissioning data sets and GP data for risk stratification purposes to data processors working on behalf of GPs.

When the National Data Opt-out Does Not Apply

Individual Care

The national data opt-out does not apply to the use of data for individual care. This means that setting an Opt Out will not have an adverse effect on an individual. In particular it will have no impact on Summary Care Record or local Detailed Care Record services.

The National Data Guardian review considered local clinical audit part of individual care, so a practice does not need to uphold the national data opt-out when undertaking local clinical audit. The National Data Guardian review defined local clinical audit as follows:
“The use of personal confidential data for local clinical audit is permissible within an organisation with the participation of a health and social care professional with a legitimate relationship to the patient through implied consent. For audit across organisations, the use of personal confidential data is permissible where there is approval under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002”.

Screening Programmes

The national data opt-out will not apply to disclosures of confidential patient information for the purpose of allowing participation in National Screening Programmes endorsed by the UK National Screening Committee. This includes the oversight and provision of population screening programmes.

Mandatory Legal Requirements

There are a number of mandatory legal requirements to release information without the need for patient consent. These include court orders (i.e. a judge requiring information), notification of infectious diseases, CQC requirements (e.g. access to records during a practice inspection) and section 259 of the Health and Social Care Act 2012 (e.g. collection of data for the National Diabetes Audit). For a longer list of the mandatory legal requirements, see the operational policy guidance referenced in the supporting information.

Public Interest

There are exceptional circumstances where it can be deemed that the public interest over-rides the CLDC. Any such case should always be considered on its individual merits, and it would be advisable to seek expert advice, for example from the BMA, indemnity organisation or the General Medical Council. A disclosure in the public interest would over-ride a national data opt-out.

Consent to Disclosure

A person may consent directly to any collection of data, e.g. a specific research programme. Where a patient has specifically consented then the national data opt-out will not apply to that specific data use, and that use only.

Specific Cases

The National Cancer Registration Service and the National Congenital Anomalies and Rare Diseases Registration Service already have an established separate opt-out system. This will continue to be applied and the new national data opt-out will not apply to the provision of information to these services. The national data opt-out will apply to any flows of confidential patient information from the registries (see Operational Policy Guidance and National Disease Registration Service in supporting information).

Anonymised Data

The national data opt-out will not apply when the data being disclosed is anonymised in line with the ICO Code of Practice. To be considered anonymised the data being disclosed must conform to the Information Commissioner’s Office code of practice for Anonymisation (see resources section for more information).

Assuring Transformation

The national data opt-out will not apply to confidential patient information about people with learning disabilities and/or autism who are in hospital for mental and/or behavioural healthcare reasons which is disclosed under the following approval:

  • Assuring Transformation: Enhanced Quality Assurance Process Data flow (CAG 8-02 (a-c)/2014)

These flows will continue to operate a separate opt-out mechanism that is currently time limited until March 2019. See Assuring Transformation in supporting information.

Upholding the Opt Out in practice

By March 2020, GP practices will be expected to uphold the national data opt-out. NHS Digital is working closely with GP system suppliers to implement this functionality. Further detailed guidance for this will be made available as it is developed.

Examples of applying the opt-out to flows from the practice

Supporting Information

[1] Regulation 2 covers disclosures for diagnosis and treatment of cancer and regulation 5 for general medical purposes. NB disclosures under regulation 3 for communicable diseases and other risks to public health are exempt from the national data opt-out.

How does the National Data Opt-out fit with Data Protection Legislation?

Summary

In May 2018, the strict rules about how this data can and cannot be used were strengthened. The NHS is committed to keeping patient information safe and always being clear about how it is used. The ICO is running a campaign called Your Data Matters from May 2018 and the NHS will be making it clear how Data Matters to the NHS.

The national data opt-out sits alongside the General Data Protection Regulation (GDPR), the Data Protection Act (DPA) and the Common Law Duty of Confidence (CLDC). It does not replace any of the provisions of these but complements them. This is a complex area and is likely of interest mainly to Information Governance leads and Caldicott Guardians.

Detail

GDPR and the DPA

The General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) require that processing data is fair, lawful and transparent.

GDPR specifies that this means the processing must meet one of the conditions specified in:

  • Article 6 (personal data). For GP practices this will be 6(1)(e) ‘...necessary for the performance of a task carried out in the public interest or in the exercise of official authority...’ and
  • Article 9 (health being a special category of data). For GP practices this will generally be 9(2)(h) ‘...medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems...’

NOTE: the requirements for GDPR-compliant consent mean that this is generally not an appropriate basis to use in Health and Care settings. For a detailed discussion of the issues regarding consent see Factsheet 1B and Factsheet 6 in the Supporting Information Section.

Common Law Duty of Confidentiality (CLDC)

In addition, for the disclosure of confidential patient information for purposes other than individual care, practices must respect confidentiality under the CLDC. For this there must be either:

  • consent from the patient, but note this is a different standard of consent from GDPR-compliant and includes the concepts of explicit and implied consent or
  • a specific legal basis for the CLDC to be set aside (e.g. Section 251 (NHS Act 2006) support, or a mandatory legal requirement e.g. data provision notice from NHS Digital under section 259 of the Health and Social Care Act) or
  • disclosure in the public interest (see GMC Principles of Confidentiality in supporting information)

Regardless of whether a patient does or does not have an Opt Out in place the practice must still comply with the above provisions.

Duty of Transparency and Privacy Notices

With GDPR and in the DPA2018 the requirements for privacy notices are strengthened. This is about being clear with patients and the public about what data is collected and how it is processed.

The NHS has provided suggested text to include in privacy notices to support the national data opt-out (see supporting information).

Practices need to review their Privacy Policy in line with GDPR. Patients can see the NHS Digital information on how they handle the data they hold at https://digital.nhs.uk/about-nhs-digital/our-work/keeping-patient-data-safe

Supporting Information

Webinars

Patient Data Choices webinar 1: Understanding the National Data Opt-out

This webinar provides an overview of the national data opt-out and includes discussions on the key points and resources available to support GP teams.

Patient Data Choices webinar 2: Understanding the National Data Opt-out

This webinar includes a discussion of different scenarios where the national data opt-out will and will not apply.

Patient Data Choices webinar 3: Caldicott Guardians and Upholding the National Data Opt-out

This webinar includes a discussion of different scenarios where the national data opt-out will and will not apply.

This toolkit has been developed in partnership between the RCGP Clinical Innovation and Research Centre and NHS Digital.

Please send any feedback or suggestions to circ@rcgp.org.uk
