Summary
The national data opt-out applies to confidential patient information being used for purposes other than individual care except for certain exemptions which are set out below. Applying the national data opt-out depends on the lawful basis for the use of the data not the organisation requesting or using it. A data controller must be clear what the purpose and legal basis is for any disclosure.
In summary, the opt-out will apply unless:
- the patient has consented to a specific data use
- the data is required by law
- where there is an overriding public interest for the disclosure
- the data is anonymised in line with the ICO code of practice on anonymisation
- a specific exemption has been granted.
These are explored in more detail below with further information in the national data opt-out operational policy guidance (see resources section for more information).
Detail
When the national data opt-out applies
Purpose
The national data opt-out applies to the use of confidential patient information for purposes other than individual care, for example, where data is used for planning and research purposes.
Type of data
The national data opt-out applies to “confidential patient information” (CPI) as defined in the national data opt-out operational policy guidance document. In summary, this is information that meets the following three requirements:
- identifiable or likely identifiable e.g. from other data likely to be in the possession of the data recipient (see example below);
- given in circumstances where the individual is owed an obligation of confidence; and
- conveys some information about the physical or mental health or condition of an individual, a diagnosis of their condition; and/or their care or treatment
It should be noted that "care" specifically includes local authority social care (i.e. care provided for, or arranged by, a local authority). In practice the CPI definition covers anything that could be described as “special category of personal data” under the DPA 2018 and indeed goes beyond this as it also covers information about the deceased.
Confidential patient information cannot be defined by a specific data item (e.g. name or postcode) alone, as it needs to be considered more broadly to take account the nature of the information and the circumstances of the disclosure, including the reasonable expectations of a patient. The national data opt-out operational policy guidance provides information and examples to support health professionals to assess what is CPI. This guidance has been agreed for the purposes of applying the national data opt-out only.
The national data opt-out will not apply when the data being disclosed is anonymised in line with the ICO Code of Practice on Anonymisation (see supporting information).
The national data opt-out applies regardless of the data format i.e. it applies to electronic data and to paper records.
Section 251 of the NHS Act
Under the Common Law Duty of Confidentiality (CLDC) there must be a legal basis for sharing CPI. Most often this will be consent, but there are times when obtaining consent is not practicable, and so there are processes to allow lawful sharing of CPI without consent. This is using s251 support i.e. under regulation 2 or 5 of the Health Service (Control of Patient Information) Regulations 2002. In general, if the legal basis for disclosure from a GP practice is s251, then the national data opt-out will apply.
To obtain s251 approval applications are scrutinised by an independent review body, the Confidentiality Advisory Group (CAG). This group provides oversight and advises the decision maker i.e. Health Research Authority (HRA) for research related applications, and the Secretary of State for non-research applications, as to whether an application should be approved. One of the standard conditions of s251 approvals is for patient opt-outs to be allowed. Under exceptional circumstances CAG may advise that the opt-outs should not be upheld, but for the majority of cases where data is obtained under CAG approval then the national data opt-out will be applied.
Examples:
CAG-approved projects for research purposes: GP Reminders for Bowel Scope Screening non-Participants; Mortality outcome in the London COPD Cohort.
CAG-approved projects for non-research purposes: National COPD Audit; An evaluation of 12-month all-cause mortality in patients with hip fracture.
An example of a s251 approval where CAG have advised that opt-outs should not be applied are for invoice validation flows to Commissioning Support Units Controlled Environment for Finance on behalf of Clinical Commissioning Groups.
When the national data opt-out does not apply
Individual care
The national data opt-out does not apply to the use of data for individual care. This means that setting an opt-out will not have an adverse effect on an individual’s care. In particular it will have no impact on the Summary Care Record which has a separate opt-out or local shared care record services. Other examples of individual care, where the national data opt-out would not apply include:
- local clinical audit, i.e. an audit carried out within an organisation with the participation of a health and social care professional with a legitimate relationship to the patient. NB for audit across organisations, the use of CPI is permissible where there is approval under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002
- disclosures of confidential patient information to enable participation in, and oversight of, National Screening Programmes
- risk stratification for case finding when carried out by a provider involved in an individual’s care or by a data processor acting under contract with such a provider. NB where s251 is relied upon for the disclosure the national data opt-out will apply.
Mandatory Legal Requirements
The national data opt-out does not apply where there is a mandatory legal requirement to release information. These include court orders (i.e. a judge requiring information), notification of infectious diseases, CQC requirements (e.g. access to records during a practice inspection) and when NHS Digital uses its legal powers under s259 of the Health and Social Care Act 2012 (e.g. collection of data for the National Diabetes Audit). For further examples of mandatory legal requirements please see the operational policy guidance referenced in the supporting information.
Public Interest
There are exceptional circumstances where it can be deemed that the public interest overrides the CLDC and in such cases the national data opt-out does not apply. This would include the disclosure of confidential patient information required for the monitoring and control of communicable disease and other risks to public health and for public health emergencies.
This includes any data disclosed where Regulation 3 of The Health Service (Control of Patient Information) Regulations 2002 provides the lawful basis for the common law duty of confidentiality to be lifted.
The public interest test may also be applied locally and any such case should always be considered on its individual merits, and it would be advisable to seek expert advice (e.g. from the BMA, indemnity organisation or the General Medical Council). For example, reporting concerns about a patient’s fitness to drive to the DVLA.
Consent to Disclosure
A person may consent directly to any disclosure of data, for example, a specific research programme. Where a patient has specifically consented then the national data opt-out will not apply to that specific data use, and that use only.
In some scenarios researchers may need to access CPI to identify patients with a particular condition or characteristic in order to invite them to participate research, e.g. a clinical trial – so-called seeking “consent for consent”. Depending upon the mechanism used, the national data opt-out may or may not apply. This is summarised in the below.

Specific Exemptions
The national data opt-out operational policy guidance sets out a number of specific exemptions including:
- National Cancer Registration Service and the National Congenital Anomalies and Rare Diseases Registration Service – these will continue to operate their own opt-out system.
- Where data is disclosed to validate payments when there is no contract. For example, if a patient lives in Bromley but is treated in hospital in Devon, an invoice will be sent from Devon to the Clinical Commissioning Group (CCG) in Bromley that holds the budget for the patient.
- Where data is used to send out national patient experience surveys.
Upholding the opt-out in GP practices
By September 2020, GP practices will be expected to uphold the national data opt-out. NHS Digital is working closely with the principal GP clinical system suppliers to implement this functionality. Further detailed guidance for this will be made available as it is developed.
Examples of applying the opt-out to flows from the practice

Supporting Information