Toggle search
Toggle menu

National Data Opt-Out Policy

  1. 1. Introduction

    1. 1.1. This policy has been written to ensure the Council is compliant with obligations and statutory requirements under the National Data Opt-out Policy https://digital.nhs.uk/services/national-data-opt-out.
    2. 1.2. The National Data Opt-out was introduced on 25 May 2018, and allows a NHS patient to choose if they do not want their confidential, identifiable patient information being for research or planning purposes.
    3. 1.3. Patients, or people authorised to act for them, have control over setting or changing their own opt-out choice, and can change their mind at any time. Providing patients with this choice is in line with the recommendations made by the National Data Guardian during the Review of Data Security, Consent and Opt-outs.
    4. 1.4. By September 2020, all health and care organisations were required to be compliant with the National Data Opt-out Policy. NHS Digital and Public Health England are already compliant and are now requiring Local Authority partners, with whom they share patient information, to have a policy in place demonstrating compliance with the National Data Opt-out.

  2. 2. Background

    1. 2.1. The National Data Opt-out emerged from a review of data security carried out by the National Data Guardian on how individuals' data is used and shared by healthcare organisations. The Opt-out form part of a package of measures designed to improve patients' trust and confidence in how data is looked after by the health and social care system. The National Opt-out ties in with other work on data security and ensuring data is only used for the benefit of people's health and care.
    2. 2.2. The Opt-out allows each individual patient to control their specific personal information and choose the purposes for which their data can be shared.
    3. 2.3.The Opt-out allows patients to directly express a preference to opt out of using their personal identifiable information for:
      • Health Planning -for example data used to improve delivery of services
      • Health Research - for example finding ways to improve treatments
    4. 2.4.The NHS provides an online portal to enable patients who decide they do not want their personally identifiable data used for planning and research purposes to exercise their right under the Opt-out.
    5. 2.5. Patients are able to change their mind at any time and can cancel any Opt- out choice they had previously made.

  3. 3. Application of the Opt-out

    1. 3.1. The Opt-out relates to information about an individual's health and adult social care provided in England only. The Opt-out does not apply to information flowing from outside England (including from the other home nations) directly to a research or planning body.
    2. 3.2. The Opt-out applies to:
      • any confidential patient information generated or processed by a health or adult social care organisation within England
      • confidential patient information held by other organisations relating to care provided or coordinated by a public body
      • any disclosure of data for purposes beyond individual care
      • information about the deceased as the GDPR only applies to living individuals
    3. 3.3.  The Opt-out will apply unless:
      • the patient has consented to a specific data use
      • the data is required by law
      • where there is an overriding public interest for the disclosure
      • the data is anonymised in line with the ICO code of practice on anonymisation
      • a specific exemption has been granted.

  4. 4. Instances when the Opt-out will not apply

    1. 4.1. Risk to Public Health - The Opt-out does not apply if disclosing patient information is required for risks to public health, for example the monitoring and control of communicable diseases.
    2. 4.2. The Health Service (Control of Patient Information) Regulations 2002 provides for the lawful processing of confidential patient information for the following reasons:
      • diagnosis of communicable diseases and other risks to public health
      • recognising trends in such diseases and risks
      • controlling and preventing the spread of such diseases and risks
      • the monitoring and managing of:
      •  the delivery, efficacy and safety of immunisation programmes
      •  adverse reactions to vaccines and medicines
      •  risks of infection acquired from food or the environment (including water supplies)
      •  outbreaks of communicable disease
      •  incidents of exposure to communicable disease
      •  the giving of information to persons about the diagnosis of communicable disease and risks of acquiring such disease
    3. 4.3. Overriding Public Interest - the Opt-out does not apply where the disclosure of information is required due to an overriding public interest.
    4. 4.4. Required by Law or Court Order - the Opt-out does not apply where information is ordered to be disclosed by a Court of law or is set out in legislation, some examples of this are:
      • Coroners' investigating the circumstances of a violent death, or death in custody
      • health professionals reporting notifiable diseases, including food poisoning
      • child or vulnerable adult safeguarding purposes
      • NHS Counter Fraud Service requests in order to prevent, detect and prosecute NHS fraud
      • employers reporting deaths, major injuries and accidents to the Health and Safety Executive
      • prevention of terrorism or prosecuting a terrorist under Terrorism Acts

  5. 5. Implementation

    1. 5.1. This policy will initially be implemented through the Chief Executive and Executive Directors of the Council.
    2. 5.2. The Head of Customer Services, Health and Communities will be responsible for ensuring all staff in their Service and any associated council services receive information about this policy.
    3. 5.3. All staff receive data protection training and are required to complete a yearly refresher course covering the basic principles of the Data Protection Act and pass a test to show their understanding. Furthermore, the Council has data champions across the Council who have received additional training and will assist the Council with cascading information regarding data use/protection.
    4. 5.4. This policy will be added to the Council's policy register and will be reviewed on a biennial basis with the next review date being July 2025. Reviews will be subject to scrutiny and, from time to time, updates and re-issues will be circulated. However, the policy will be reviewed sooner if a weakness in the policy is highlighted, in the case of new risks, and/or changes in legislation.

  6. 6. Compliance

  7. 6.1. Managers are responsible for ensuring that staff are aware of the location of this policy. In addition, Managers are responsible for keeping staff up to date about any changes within the policy.
  8. All staff are obliged to adhere to this Policy.

  9. 7. Equality Impact Assessment

    1. 7.1. There are no Equality Impact issues with this policy.

  10. 8.  Health and Safety

  11. 8.1. There are no Health and Safety implications with this policy.

  12. 9. Reference Documents

    1. 9.1. This Policy should be read in conjunction with the following legislation, regulations and Council policies:

  13. 10. Distribution

    1. 10.1. This Policy will be available for all the Council's designated locations. Copies will also be available on the Council's Internet and Intranet web sites.

  14. 11. Review

    1. 11.1. This Policy will next be reviewed in July 2027.
Last modified on 29 October 2025

Share this page

Share on Facebook Share on Twitter Share by email