What health and social care providers need to know about the upcoming data opt-out changes
Individuals have a right under the NHS Constitution to request that their personal confidential data is not used for any purpose “beyond [their] own care and treatment”. The national data opt-out, which was implemented at the same time as the (now UK) GDPR on 25 May 2018, provides individuals with a mechanism to exercise this right.
All health and social care organisations in England must be compliant with the national data opt-out by 31 July 2022.
What does the national data opt-out involve?
There are two ways in which individuals can opt out of sharing their personal information:
- A type 1 opt-out prevents confidential patient information from being shared outside of their GP practice for purposes beyond their care. This means that information will not be shared with NHS Digital.
- The national data opt-out, which replaced the existing type 2 opt-out, prevents confidential patient information from being shared outside of NHS Digital for purposes beyond their care. This means that while information will be collected by NHS Digital, it will not be shared with third parties.
The processing of confidential patient information must be for medical purposes such as diagnosis, treatment or research (including preventative medicine and the management of health and adult social care services).
Anyone with an NHS number is able to set up an opt-out. When an individual chooses to do so, their NHS number is recorded on an IT platform called Spine, which supports the infrastructure of health and social care in England. This NHS number is then used as the identifier for the removal of the confidential information.
The data opt-out does not apply retrospectively and continues to apply after the individual has died, in accordance with the duty of confidence.
Which organisations does it apply to?
The national data opt-out applies to health services (GPs) and adult social care providers in England. However, it only applies where social care is provided, arranged or funded (in part or whole) by local authorities or the NHS.
What data will be covered?
Confidential patient information is data that identifies, or is likely to be used to identify, an individual in circumstances where they are owed an obligation of confidence. It will usually be information about their physical or mental health.
However, there are a number of instances where the national data opt-out does not apply and confidential information can be disclosed, including:
- Where consent has been obtained for a specific purpose;
- Disclosure is required for the monitoring and control of communicable diseases and other risks to public health;
- There is an overriding public interest in the disclosure (for example, for statistical reasons);
- The information is required by law or court order; or
- The data is anonymised in line with the Information Commissioner’s Office’s Code of Practice on Anonymisation.
What do you need to do?
All care providers should have existing policies and procedures in place about data protection. Providers should be able to update these to capture and comply with opt-out requests.
Ask yourself:
- Do we handle confidential information?
- Do we make disclosures that will require the application of the national data opt-out?
If yes, you will need to implement technical solutions to enable you to check NHS numbers against the opt-out register on Spine (see below). This could be an extension of what you already have in place for complying with the UK GDPR.
Practical tips:
- The NHS has set up a service to check opt-outs and help organisations to comply. This service, which uses the Message Exchange for Social Care and Health (also called ‘MESH’), enables organisations to check NHS numbers against the list on Spine.
- Some IT suppliers for GPs have already announced that they will embed the above service into their systems to support compliance. We recommend that you check whether your systems will automatically have access to this.
- Organisations should complete a Data Protection Impact Assessment (DPIA) to identify whether any additional risks will be introduced by the changes introduced by the national data opt-out.
- Everyone who will have access to confidential patient data in your organisation should be made aware of these new procedures. Providers should document how they have upskilled their staff.
- Declare your compliance by submitting your Data Security and Protection Toolkit assessment for 2022/2023. The deadline for the Toolkit has not yet been confirmed.
Providers are responsible for making sure that they comply. Failure to do so could lead to claims for breach of confidence and for breach of data protection legislation. This could, in turn, cause regulatory and insurance issues.
If you have any enquiries about data protection procedures at your service, please contact our Health and Social Care team on 0800 923 2073.