National Data Opt-Out: the basics

A quick guide for adult social care providers in England

Introduction

This guidance is for Care Quality Commission (CQC) registered adult social care providers operating in England. It explains what you need to do to comply with the national data opt-out policy. The deadline for compliance is 31 July 2022.

Please sign up to our newsletter to keep up to date with the latest information. You can also follow us on Twitter at @DigiSocialCare.

What is the National Data Opt-Out?

The national data opt-out gives everyone the ability to stop health and adult social care organisations from sharing their confidential patient information for reasons other than providing their individual care and treatment. The national data opt-out only applies where the data processing relies upon Regulation 5 of the Control of Patient Information Regulations 2002.

Individuals can view or change their national data opt-out choice at any time by using the online service at www.nhs.uk/your-nhs-data-matters or by calling 0300 303 5678 (Monday to Friday, 9am to 5pm)

All health and social care organisations in England must be compliant with this policy by 31 July 2022.

The national data opt-out was introduced on 25 May 2018 in line with the National Data Guardian’s recommendations in her review of Data Security, Consent and Opt-Outs. It is supported by the DCB3058 Standard.

Who does this apply to?

The national data opt-out applies to CQC-registered adult social care providers in England. This includes organisations operating in England even if your headquarters is outside of England.

If you are not a CQC-registered organisation, then you do not need to comply with the opt-out. You may still wish to support your service users with opting out.

The national data opt-out only applies where a service user is receiving social care that is provided, arranged or funded (in part or whole) by Local Authorities or the NHS in England. If your organisation does not support people receiving such care you can choose to extend the national data opt-out to cover all your service users.

What data is covered?

The national data opt-out applies to confidential patient information where processing relies upon Regulation 5 of the Health Service (Control of Patient Information Regulations 2002. Confidential patient information:

  • identifies or could be used to identify a person;
  • is obtained or generated in circumstances leading to an obligation of confidence and
  • says something about their health, care, or treatment.

We are using the term “confidential patient information” as this is a specific legal term. Confidential patient information applies to information about someone’s health or social care that can identify them.

If the information has been anonymised in line with the Information Commissioner’s Office’s Anonymisation Code of Practice, the national data opt-out does not apply. You can share anonymised data, and people do not have the power to opt out of this.

When does the national data opt-out apply?

The national data opt-out does not apply to confidential patient information used to provide individual care, or where the data processing is legally required or where the individual has consented to the processing.

The national data opt-out only applies when Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 (“Regulation 5 support”) is relied on as a legal basis to process confidential patient information where the processing would otherwise be a breach of confidentiality. Regulation 5 support refers to a legal basis given by the Secretary of State for Health and Care (non-research purposes) or the Health Research Authority (research purposes), following advice from the Confidentiality Advisory Group.  This legal basis enables the common law duty of confidentiality to be temporarily lifted so that specified confidential patient information can be processed for certain purposes without the data provider or recipient being in breach of the common law duty of confidentiality. This involves submitting an application form to the Confidentiality Advisory Group to consider. It is likely that this will only apply if you are participating in research with a University. Care organisations should speak to academic partners if you are participating in this type of research. The Health Research Authority have specific guidance on social care research.

Activities relying upon Regulation 5 support where it has been agreed the National Data Opt-Out will not apply can be viewed on the HRA website via the Register of supported applications.

The Secretary of State for Health and Care has agreed to waive the requirement to apply national data opt-outs to data required for invoice validation purposes.  Furthermore, any payment flows that do not rely upon Regulation 5 support are not currently in scope of the national data opt-out.

All data you provide to the Capacity Tracker as set out in the Department of Health and Social Care’s “Admission and care of residents in a care home during COVID-19” are not in scope of the national data opt-out.

Actions for all CQC-registered adult social care services

To complete by 31 July 2022.

  1. Identify which, if any, data flows rely upon Regulation 5 of the COPI Regulations 2002 as it is these flows where the national data opt-out may need to be applied. All activities supported under Regulation 5 have a reference number and their status is located in the publicly available Register of supported applications. Unless the Register specifies the activity has been exempted from the national data opt-out then the default position is that the national data opt-out or local objection mechanism does apply.
  2. All care providers use confidential patient information for individual care and should have policies, procedures, and a privacy notice that details how data is processed. There are templates available.
    1. You can insert the following clause into your data protection policy:

National Data Opt-Out:

Insert Organisation Name reviews all of our data processing on an annual basis to assess if the national data opt-out applies. This is recorded in our Record of Processing Activities. All new processing is assessed to see if the national data opt-out applies.

 If any data processing falls within scope of the National Data Opt-Out we use MESH to check if any of our service users have opted out of their data being used for this purpose.

 Once you have checked your data processing, if you are sure that national data opt-out does not apply you can insert the following clause into your privacy policy

At this time, we do not share any data for planning or research purposes for which the national data opt-out would apply. We review all of the confidential patient information we process on an annual basis to see if this is used for research and planning purposes. If it is, then individuals can decide to stop their information being shared for this purpose. You can find out more information at https://www.nhs.uk/your-nhs-data-matters/.

  1. If you also use confidential patient information for research or planning purposes and this processing relies upon Regulation 5 of the COPI Regulations 2002 the opt-out does apply. See below for more information.
Additional actions for care providers using confidential patient information for research or planning purposes under Regulation 5 of the COPI Regulations 2002.

If the national data opt-out applies to any of your data flows, you will need to download the Messaging Exchange for Social Care and Health (MESH) so that you can check if any of the people you support have opted-out.

If they have opted out, then their confidential patient information cannot be used for research or planning purposes where tier data is flowing under Regulation 5 support.

So far, we are not aware of any care providers who have implemented this solution. If this is something you need to do and you would like assistance, please contact us for support.

What happens if I do not comply with the national data opt-out policy?

Specific to flows of data under Regulation 5 of the COPI Regulations, it is a standard condition of this support that all dissent is respected as part of the legal basis in place to avoid a breach of the common law duty of confidentiality. Unless a specific request has been approved for the activity to seek a waiver from this standard condition of support, or a specific request to be exempted from the national data opt-out has been agreed, then not respecting patient dissent could lead to a breach of confidentiality, which could also lead to a breach of the lawfulness, fairness and transparency obligations of data protection legislation

The Information Commissioner’s Office is the regulator for personal data and data protection legislation in England. If you fail to comply with the national data opt-out this could be a breach of your obligations to process data fairly and transparently.

The national data opt-out will be a requirement of completing Standards Met in the Data Security and Protection Toolkit for 2022/23 onwards. (Note: it is not a requirement for 2021/22 DSPT submissions.) You can access guidance on how to complete the toolkit on the Digital Social Care website.

Further Support and Help
This guidance has been reviewed by the Department of Health and Social Care. Updated 30th March 2022