Approval standards and guidelines: upholding objections under the national data opt-out
Updated 2 August 2024
Approval standard: upholding patient objections under the national data opt-out
When must this standard be met
This standard must be met for all applications to process patient confidential data, unless there is a valid exemption.
Standard
The National Data Opt-Out must be upheld by all health and adult social care organisations, including the UK Health Security Agency (UKHSA),in accordance with the DCB3058 Compliance with National Data Opt-outs Requirements Specification. Where processing will include confidential patient information (see Approval standards and guidelines: confidential patient information) and the opt-out must be respected, the application must describe how the opt-out will be managed and by whom.
It must:
- explain how, by whom and when the national opt-opt will be applied
- demonstrate how patients will be informed about the opt-out in any fair processing or privacy notice materials; the privacy notice must fulfil the requirements of Approval standards and guidelines: privacy notice
- demonstrate that the opt-out has been considered as part of the ethical assessment, risks and control measures in the application; such as how a smaller sample size will affect any calculations of statistical significance or the population’s representativeness
Where the applicant has a valid exemption to applying opt-out, the application must include the scope of the exemption. For applications reliant on a statutory exemption to the common law duty of confidentiality under the Health Service (Control of Patient Information) Regulations 2002, a copy of any official decision made by the Secretary of State must accompany the application.
Guidelines
The NHS Constitution states: ‘You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered’.
It pledges that when a patient’s confidential information must be used:
- Patients are given the chance to object wherever possible.
- Patients have the right to request that their confidential information is not used beyond their own care and treatment.
- To have objections considered, and where patients’ wishes cannot be followed, patients are told the reasons including the legal basis.
However, the NHS Constitution does not provide an absolute right to stop confidential information flowing, for example, if personal data is used to prevent the spread of infection of notifiable diseases and to prevent future outbreaks.
In support of this pledge, the national data opt-out was introduced on 25 May 2018 under a direction from the Secretary of State for Health. The opt-out enables patients to opt out from the use of their confidential patient information for research or planning purposes in line with the recommendations of the National Data Guardian in the Review of Data Security, Consent and Opt-Outs.
By 31 July 2022, all health and adult social care organisations are required to be compliant with the national data opt-out policy, where they are using confidential patient information for purposes beyond an individual’s care and treatment. This includes:
- Department of Health and Social Care and other national bodies (for example NHS England)
- NHS bodies and local authorities providing health and adult social care in England
- other organisations or persons providing health or adult social care in England under contracts agreed with the NHS and local authorities
The implementation of the national data opt-out does not change or remove any legal obligations on any organisation in relation to the Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR). For further information, see the Approval standards and guidelines: lawful processing (UK GDPR). It is further expected that all organisations processing personal data must make separate provisions to enable patients to exercise their ‘right to object’, as simply upholding the national data opt-out does not remove the need to fulfil the rights of the data subject.
Cases where UKHSA will apply the national data opt-out
UKHSA will uphold the national data opt-out on all releases of confidential patient data for clinical audit, service evaluation, research and surveillance, unless:
- an exemption to upholding patient objections has been granted by the Secretary of State
- consent has been obtained from the individual for their data to be used for the specific purposes
- the data will be processed for the care and treatment of individual patients by registered and regulated health and social care professionals who have a legitimate relationship with the individual – this is referred to as ‘direct care’.
- the data being shared is de-personalised and meets the requirements of the Information Commissioner’s Office (ICO) Anonymisation Code of Practice or can be released under an Open Data Licence
Where processing of confidential patient information will rely on a statutory exemption to set aside the common law duty of confidentiality under the Health Service (Control of Patient Information) Regulations 2002, any personally identifiable data requested from UKHSA will be considered confidential patient information, even if the specific disclosure does not contain any health or care information (for example where an applicant is requesting contact details, without any clinical information about the person).
More information about the current rate of opt-outs across the population
Processes and systems in use to uphold the national data opt-out
To apply the national data opt-out, UKHSA accesses a secure technical service provided by NHS England, called the Message Exchange for Social Care and Health (MESH) service.
This service enables UKHSA to check if individuals have opted out against the NHS Spine – a central list of NHS numbers of people who have made the decision to opt out of their confidential patient information being used for certain processing.
Diagram 1 shows how UKHSA applies the national opt-out using the NHS England MESH service.
Diagram 1
This process broadly involves 5 steps:
- UKHSA selects a group of individuals of interest from a UKHSA data set and prepares a file with their NHS numbers.
- The file is securely sent by UKHSA to the MESH service.
- The MESH service automatically examines the NHS Spine to see whether any of the NHS numbers provided by UKHSA are linked to a person who has set their decision to opt out of having their confidential patient information used for purposes other than their own care.
- The MESH service returns to UKHSA a new list of NHS numbers, which excludes any individuals who registered an opt-out at the time that the MESH service was checked.
- This updated list is used by UKHSA to identify confidential patient data that can be shared for an approved project. Any data is made available to an authorised user, within 20 days of the opt-out being applied. If this deadline is exceeded, or there are multiple releases of data planned, the opt-out is applied again.
Resources
NHS England has published guidance for researchers on how the national data opt-out affects data released by NHS England.