National Data Opt-Out required from 31 July

National Data Opt-Out required from 31 July

The mandatory implementation of the National Data Opt-Out is fast approaching – 31 July 2022. NHS Digital has confirmed that they do not intend to extend implementation of the deadline any further.

If you are a Care Quality Commission registered provider who is partially or wholly publicly funded, you must take action by 31 July 2022.

If you do not, you could be in breach of the Information Commissioner’s Office regulations in relation to processing data fairly and transparently. The national data opt-out will be a requirement of completing Standards Met in the Data Security and Protection Toolkit for 2022/23 onwards.

We have produced a short guide, including wording for you to use within your data processing policies and privacy notice, specifically for care providers. We strongly recommend that you read and act on this guidance now.

Here are the basics.

What is the National Data Opt-Out?

The national data opt-out gives everyone the ability to stop health and adult social care organisations from sharing their confidential patient information for reasons other than providing their individual care and treatment. The national data opt-out only applies where the data processing relies upon Regulation 5 of the Control of Patient Information Regulations 2002.

It applies to:

  • All CQC regulated care services
  • Confidential patient information where processing relies upon Regulation 5 of the Health Service (Control of Patient Information Regulations 2002. Confidential patient information:
    • identifies or could be used to identify a person;
    • is obtained or generated in circumstances leading to an obligation of confidence and
    • says something about their health,care, or treatment.

It does NOT apply to:

  • Confidential patient information used to provide individual care, or where the data processing is legally required or where the individual has consented to the processing.
  • Information that has been anonymised in line with the Information Commissioner’s Office’s Anonymisation Code of Practice. You can share anonymised data, and people do not have the power to opt out of this.
  • Information required to be reported via Capacity Tracker.

Actions for care providers

By 31 July 2022, you must:

  1. Check if you process confidential, identifiable patient information for purposes other than delivery of care
  2. Update your policies, procedures and privacy notices to reflect the National Data Opt-Out. You must do this even if you do not process identifiable data for research or planning purposes. Our guidance provides wording which you can use, depending on whether you do or do not use data in this way.
  3. If you do use identifiable, confidential patient information for planning or research purposes, you must check if any of your clients have opted out of sharing their data in this way. If they have, you must stop using their data. You can download and check this on the Messaging Exchange for Social Care and Health (MESH).

Further Support and Help

Photo by Dayne Topkin on Unsplash

Back to News