About the national data opt-out Published November 2017 (Review February 2018)
When does the national data opt-out apply? Data shared for planning and research purposes Data shared for an individuals care & treatment Legal requirement / public interest / consent Data is anonymised Research – finding ways to improve treatments and identify causes of and cures for illnesses Planning – to improve and enable the efficient and safe provision of health and care services E.g. where data is shared between the health and care professionals in a hospital and in a GP practice E.g. There is a mandatory legal requirement such as a court order, to protect the greater interests of the general public or there is explicit consent The data shared is determined to be compliant with the ICO Anonymisation: managing data protection risk code of practice This identifies you personally This identifies you personally This identifies you personally This does not identify you personally The national data opt-out will not apply when: personally identifiable data is used for the patients individual care and treatment the patient has given explicit consent for the use of their data for the purpose being considered this includes where the consent may have been given prior to the patient registering a national data opt-out data is being provided under a mandatory legal requirement that means a data controller must provide the data (such as where there is a court order or the Care Quality Commission have used their statutory powers to require information for inspection purposes) there is an overriding public interest (such as to support the investigation of serious crime and/or to prevent abuse or serious harm to others and this includes approvals made under regulation 3 of the Control of Patient Information Regulations 2002 ie communicable diseases and other public health risks) data is provided in an anonymised form such that it meets the Anonymisation: managing data protection risk code of practice – issued by the Information Commissioner’s Office data is to be provided for the National Cancer Registration Service data is to be provided for the National Congenital Anomalies & Rare Diseases Register (the 2 above both have their own separate opt-out mechanism) data is provided for the oversight and provision of population screening programmes patient registration information is shared with the Office for National Statistics for the production of official statistics
National data opt-out additional information Existing type 1 opt-outs will be respected until 2020, the Department of Health will consult with the National Data Guardian in March 2020 before their removal Transition of type 2 opt-outs to the new opt-out will be communicated to those patients who have set a type 2 opt-out The national data opt-out focuses on how patient data is being used rather than the type of organisation using the data The sharing of confidential personal information for purposes beyond an individual’s care and treatment is still subject to data protection and common law duty of confidentiality considerations - these are not changed by the national data opt-out Type 1 opt outs are recorded through GP practices and used when a patient asks that their personal identifiable data held in their GP record is not shared by the practice with any other organisation where the use would be for purposes beyond their individual care and treatment. A patients explicit consent for data to be shared would over ride this opt-out for the particular purpose the patient has consented too. Type 2 opt outs are recorded through GP practices and used when a patient asks that their personal identifiable data is not shared by NHS Digital with any other organisation where the use would be for purposes beyond their individual care and treatment, this applies to all data held by NHS Digital. A patients explicit consent for data to be shared would over ride this opt-out for the particular purpose the patient has consented too. The details of how type 2 opt-outs will be handled will be made available in communication materials for patients and health care professionals from around January 2018 and it is expected that those patients that have a type 2 opt-out recorded will be contacted directly at the time the national data opt-out is introduced. The national data opt-out is intended to stop personally identifiable data from being shared for specific purposes such as managing a service and is not intended to stop data being shared with specific types of organisations as long as there is an established legal basis for the data to be shared. It is important to recognise that if a patient does not have a national data opt-out recorded that does not provide a legal basis on which to share data. There must always be a legal basis for the sharing of data for purposes beyond an individuals care and treatment.
Delivering the national data opt-out The National Data Opt-out Programme has been established to develop and implement the opt-out Policy and Legislation Government Response Legal Advice Programme Governance Programme governance Programme Business Case Investment Justifications Technical Design and Delivery Patient-facing application National opt-out repository National look-up products National data-processing systems IG Toolkit National Stakeholder Engagement and Public Communications Stakeholder engagement plan Public comms materials Media handling Stakeholder engagement materials Policy Implementation Opt-out transition strategy User research Opt-out policies and guidance Local Implementation and Engagement Implementation approach Implementation products The National Data Opt-out programme has been established, to implement the review recommendations on the national data opt-out; with the responsibility for developing the services, materials and communications to enable the national data opt-out (for purposes beyond an individual’s care) to be implemented across the health and care sector within England. The programme is a collaboration between the Department of Health, NHS England and NHS Digital. The diagram shows the work streams within the programme and they are managed as follows: Dept. of Health has overall responsibility for national data opt-out policy and for taking legal advice in respect of the policy NHS England lead on national stakeholder engagement NHS Digital lead on all other activities including developing the underpinning policy guidance to support the national data opt-out policy set by Dept. of Health
National data opt-out setting service The service to set a national data opt-out will be available online providing a secure way for patients to express their preference(s) about sharing their data for reasons other than their individual care and treatment Patients will be able to access the opt-out online, using a smartphone, tablet or personal computer from March 2018 Patients who cannot or do not want to opt-out using an online service will be able to use an alternative such as calling a national telephone service Patients will have access to information to make an informed choice about whether or not to share their data for reasons other than their individual care A patient will be able to set their national data opt-out preference at any time and change their opt-out preference at any time. As part of the process of setting a national data opt-out through the online service or via a contact centre the patient will be given more information on the reasons for and benefits of data sharing to enable them to make an informed decision.
Applying the national data opt-out It will be the responsibility of each and every health and care provider, together with national and local bodies, to uphold a patients’ national data opt-out where applicable The requirement to uphold the national data opt-out will be phased in, beginning with NHS Digital, with the full roll out across the health and care system by 2020 The National Data Opt-out Programme will develop the: technical solutions(s) to enable organisations to access and apply patients’ opt-out settings to data before it is disseminated detailed policy to be clear when the national data opt-out will need to apply supporting guidance and materials for patients and organisations to understand the policy support service and instructions for implementing and using the technical solutions All health and care organisation which share personally identifiable data for purposes beyond an individuals care and treatment must as a Data Controller, whether sole, joint or in common have regard to the national data opt and apply the opt-out in accordance with the criteria that will be set out in detail in guidance and communication materials that will be made available. It is important to recognise that the need to apply the national data opt-out will not come into force from March 2018 and instead its application will be introduced over a period of time through to 2020. Future phases will be based on organisation type however these phases have not been set and proposals will be developed based on further understanding of the data sharing taking place between organisations and the capability and capacity for those organisation to implement the additional technical and procedural changes required to apply the national data opt-out.
2) Storing preference(s) … Patient-facing digital front-end Proposed solution 1) Setting preference(s) … 2) Storing preference(s) … Patient-facing digital front-end Spine repository Non digital front-end Opt out look-up service GP National Bodies National data disseminations Local data disseminations 3) Upholding preference(s) … Setting preference(s) Solutions will be made available to enable people who want to opt-out to do so, both digitally (online) and non-digitally through a national contact centre (telephone, email or letter) to process their request Objectives: To enable patients to easily record their opt-out preference To record that preference once and for that to be available to all health and care organisations to enable the preference to be applied Improve transparency on how data are used and the benefits to inform the patients decision before they set their preference Accessibility Will ensure that the service and systems can be used by the diverse set of users who will interact with them. User testing will involve users with a range of impairments to obtain feedback as the service and systems are developed 2. Storing Preferences The national data opt-out preference will be held in a single place on the Spine and organisations are not expected to create or hold local lists of those patients that have set an opt-out preference 3. Upholding preferences The technical solutions for organisations to be able to access the opt-out preference and match this to their own data before the data is to be shared are being assessed. It is intended that solutions will ensure ease of access to the Spine repository
Local & regional data sharing initiatives The national data opt-out will apply to all data shared for purposes beyond an individual’s care and treatment including where data are being shared as part of a local/regional data sharing initiative The majority of local data sharing initiatives are currently only sharing data for individual care and treatment, but the majority have communicated on opt-outs and that guidance should be reviewed to ensure that it is accurate and the public understand their new choices It’s recognised that local data sharing initiatives may want to move to using data for purposes beyond an individual’s care so the relationship between these and the national data opt-out needs to be clear to the public Guidance will be provided by the programme on how the national data opt-out fits with local data sharing opt-out/consent models The programme will work with local data sharing initiatives to make sure those rules are understood and the communications for both health and care professionals and patients are clear Local data sharing initiatives refers to schemes where a patients data are being shared between organisations involved in the care and treatment of that patient and where the data may also then be used for purposes beyond the individuals care and treatment. Details of all existing or planned ‘local data sharing initiatives’ are being captured so that further engagement with each can take place to help ensure there is a clear understanding and accuracy in any communication materials available to patients and health and care professionals as the national data opt-out policy is implemented.
Implement communications strategy Implementation Timetable (Oct 2017 – Mar 2020) Area Opt-out awareness raising Opt-out service testing Setting opt outs Applying opt-outs New Data Protection Legislation (GDPR) Overall data communications strategy Oct – Dec 2017 Jan – Mar 2018 Apr – Jun 2018 Jul 2018 – Mar 2019 Apr 2019 – Mar 2020 Awareness raising Build opt-out service Test opt-out service 03/18 Opt-outs can start being set from this date 03/18 Opt-outs upheld by NHS Digital Upholding of opt-outs phased in for all other health and care organisations 05/18 New data protection legislation comes into effect Develop strategy Implement communications strategy Changes will be communicated about existing Type 2 preferences from January 2018 . Note this does not mean writing to those patients in January 2018. Members of the public will be able to start setting national data opt-outs from March 2018. The Department of Health will work with NHS England and NHS Digital to support all health and social care organisations to uphold the national data opt-out by 2020. The national data opt-out will be referenced within communications on data use and sharing rather than the communications being focused on the national data opt-out alone. A separate piece of work has been commissioned to develop a wider data sharing and benefits communications strategy.
More information National Data Guardian review https://www.gov.uk/government/publications/review-of-data-security-consent-and-opt-outs Government response Your Data, Better Security, Better Choice, Better Care National Data Opt-out Programme web pages & to join our mailing list https://digital.nhs.uk/national-data-opt-out Understanding Patient Data - Wellcome Trust https://understandingpatientdata.org.uk To be kept informed of further developments about the national data opt-out including news of any events taking place and any new or updated materials being made available please subscribe to our mailing list via the contact form on our web pages.