Compliance with the national data opt-out

The deadline for health and care organisations to comply with national data opt-out policy is 31 July 2022. The deadline was extended, to enable health and care organisations to focus their resources on the coronavirus (COVID-19) outbreak. Read the letter sent from NHS Transformation Directorate.

This requirement is supported by Information Standard: DCB3058: Compliance with National Data Opt-outs.

To comply with national data opt-out policy, you need to put procedures in place to review uses or disclosures of confidential patient information against the operational policy guidance.

See our guidance overview of the national data opt-out policy to  help you understand how it works and which data uses, or disclosures, are in scope.

If current uses or disclosures should have national data opt-outs applied, you need to:

• implement the technical solution  to enable you to check lists of NHS numbers against those with national data opt-outs registered
• have a process in place, when you get the results back, to ensure that you only use or disclose information for the returned list of NHS numbers, as any with national data opt-outs registered will have been removed

If you have no uses or disclosures which need to have national data opt-outs applied, you must still put procedures in place to assess future uses or disclosures against the national data opt-out operational policy guidance, and can choose to either:

• implement the technical solution in readiness, or
• be ready to implement it if needed for future data uses or disclosures

National data opt-outs are held on the NHS Spine against an individual’s NHS number. If your use or disclosure of data needs to have national data opt-outs applied, you must remove records for patients with an opt-out registered from the data being used.

The Check for National Data Opt-outs service uses the messaging exchange for social care and health (MESH) to enable you to submit lists of NHS numbers and receive lists back with the NHS numbers removed for those patients that have opted out.

To help GP practices to become compliant with the national data opt-out, the principal GP system suppliers have been commissioned to develop and embed the service into their clinical systems. Further information will be made available as the GP system suppliers confirm their delivery plans. See further information for GP practices.

Compliance implementation guide: provides a step-by-step guide to help organisations understand and plan the actions required to become compliant with national data opt-out policy.

Check for National Data Opt-outs service: guidance on how to install and configure MESH to enable lists of NHS numbers to be processed through the Check for National Data Opt-outs service, including a full test data pack.

Check for National Data Opt-outs licence agreement: notes the rights and conditions upon which your organisation may use the Check for National Data Opt-outs service provided by NHS Digital.

National Data Opt-out checker app: a simple tool you can use when submitting to national clinical audits, developed by University Hospitals Plymouth NHS Trust.

Recommended text for privacy notices [Archive Content]: contains some suggested text to include in your organisation's patient privacy notice. (Word file - request in a different format.)

DPIA guidance: guidance for completing a data protection impact assessment on the data processing activity being taken to apply national data opt-outs. (Word file - request in a different format.)

Data Uses and Releases Compendium (27 April 2020): provides real examples of data disclosures and the assessment as to whether national data opt-outs apply or not. (Pdf file - request in a different format.)

NHS organisations have responsibility for making sure that they comply with the national data opt-out. NHS Digital is not responsible for monitoring organisations’ compliance. Organisations prove their compliance by publishing their privacy notice and submitting their Data Security and Protection Toolkit assessment. This is mandatory for all NHS organisations.

There is also an Information Standard: DCB3058: Compliance with National Data Opt-outs requiring compliance with the national data opt-out standard.