The National Data Opt Out
www.nationaldataoptout.info

This non-commercial website was written by Dr Neil Bhatia, General Practitioner (GP)
Records Access Lead, Caldicott Guardian, Information Governance Lead, Data Privacy Officer, Data Protection Officer, Data Autonomy Advocate.

Twitter: @docneilb

This is a personal website and in no way affiliated with any GP surgery, Clinical Commissioning Group, or any other organisation.

Visit www.nhsdatasharing.info to find out about the very many ways by which information from your electronic GP record is, or can be, made available to others.

This site tells you about The National Data Opt Out - how you can exert some control over how your medical records are used for purposes beyond your medical care (so called secondary uses).

The National Data Opt Out awareness campaign is also known as "Your NHS data matters"

Once you know what can happen, or is already happening, to your personal information, then you can make an informed choice as to whether to allow such data sharing to happen or continue - in other words, whether to opt-out or not, or remain opted out.

So you can share data on your terms.

It tells you about the Type 1 ("9Nu0") opt-out (or objection) - an electronic flag added to your GP record, at your request, that blocks the use of your personal confidential information in various ways.

It tells you what it does, and what it does not do; where it works, and where it has no effect.

The Type 1 opt-out will stop your GP records from being extracted and uploaded under care.data2 (GPDPR).

And it tells you about the National Data Opt Out, which replaced the GP Type 2 opt-out from October 2018.

The National Data Opt Out will not stop your GP records from being extracted and uploaded under care.data2 (GPDPR).

It tells you how you can limit the ways that NHS Digital can disseminate personal confidential information that it holds about you, obtained from your GP/hospital/social care/mental health and other such records, to third parties within and outside of the NHS (including certain commercial organisations).

You can find out about all of the NHS Databases, and other NHS data sharing schemes, including care.data2/GPDPR, via www.nhsdatasharing.info

Rest assured - the National Data Opt Out will not prohibit your medical information being shared, or provided to NHS Digital, for COVID-19 purposes.

The Type 1 opt-out and the National Data Opt out:

• Will in no way affect any medical care you need for COVID-19
• Will in no way affect your eligibility for, or your ability to receive, your COVID-19 vaccinations
• Will in no way affect your ability to hold, or show, a "COVID-19 vaccination passport"
• Will in no way affect your ability to contribute to research about COVID-19, if you are asked for your explicit permission first

You need a Type 1 opt-out to prohibit the extraction and uploading of your GP information to NHS Digital for care.data2 / GPDPR.

The National Data Opt Out alone will not stop that extraction and processing.

The NHS App only allows you to set your National Data Opt Out.
You cannot express a Type 1 opt-out, to your GP surgery, via the NHS App.
You need to contact your surgery directly.

This chart explains it.

There were 3,264,327 national data opt-outs as at 1 September 2021, an increase of 58,304 compared to 1 August 2021.

How do I find out what I have already opted out of, or am opted out of?

You can find out what you have already opted out - both primary and secondary uses of your information - of by simply asking your GP surgery.

Your GP surgery cannot tell you your National Data Opt Out status, however.

Alternatively, and easier/quicker for your GP surgery, you can just opt out of the schemes (such as a Type 1 opt-out) that you wish to - right now.

It doesn't matter if you opt out of any - or all - of them more than once.

Primary uses of your medical record are uses of data for the main purpose for which they were originally collected.

For your GP record, this means making that information available, to healthcare professionals that you are seeing, for your direct medical care.

That means accessing, or using information from, your GP record when you need to see a healthcare professional because you are ill or (especially at your GP surgery) to keep you well.

You can download a simple factsheet about data sharing between healthcare professionals here.

The National Data Opt Out plays no part in controlling how your medical records are shared for primary, direct medical care purposes.

You can also find information on the NDOO:

• In this detailed factsheet, which contains the information on this website


• In NHS Digital's brief factsheet


• In the National Data Opt-out Operational Policy Guidance Document (currently v 4.0)


• On the NDOO website


• from medConfidential

NHS Digital launched the National Data Opt Out on 25th May 2018, to coincide with the EU GDPR.

What is the National Data Opt Out (NDOO)?

The NDOO is a mechanism by which individuals in England can control, to a limited degree, certain aspects of their confidential medical information and, in particular, what NHS Digital can do with it once in their possession.

It's about controlling your medical records.

The NDOO does not apply to the disclosure of completely anonymised or aggregate information, or open data. That is, information that cannot identify an individual.

The NDOO does not apply to pseudonymised data requests that go through the NHS Digital DARS process ("so that a Data Sharing Framework Contract and Data Sharing Agreement are in place").

The NDOO only applies to clearly identifiable, personal confidential information, for example by containing your name, DOB, address, NHS number etc. The NSOO applies regardless of the format of the data, and this includes structured (e.g. CSV, XML) and unstructured electronic data (e.g. PDFs, scans, images) and paper records.

The NDOO can also apply to data that is disclosed via other means - such as people viewing confidential patient information on computer screens.

And the NDOO only applies to uses of your confidential medical information for secondary purposes, that is unrelated to, and beyond, the direct medical care that GP surgeries and other healthcare organisations provide you with when you are unwell, or to keep you well.

NHS Digital and Public Health England are applying the national data opt-out to any in scope data releases and are compliant with this policy. Other relevant organisations are required to be compliant with the national data opt-out by 30th September 2021.

The NDOO is a policy opt-out that must be considered and applied alongside existing data protection legislation, other laws, and best practice - including the Common Law of Confidentilaity, the Human Rights Act 1998, the Data Protection Act 2018, and GDPR.

What are "secondary purposes", or "beyond my direct medical care"?

Secondary purposes is also known as "purposes beyond individual care", or "indirect care", or "other purposes".

Secondary purposes are more - much more - than simple "Research and Planning"

Secondary purposes include:

• Healthcare planning
• Audit
• Population analytics
• "Risk stratification"
• Research
• Invoice reconciliation
• Commercial, and
• Even political uses

Almost always, you are not asked for your permission before your information is used in this way.

Almost always, you have no control over who your information is given to, or for what reason.

Very often, you are completely unaware that the processing of your information in this way is even happening.

The NDOO simply replaces the Type 2 (9Nu4) opt-out that has been in force for some years, and which you were able to express, together with the Type 1 (9Nu0) objection, via your GP surgery.

It is, therefore, nothing new.

If I set, or keep, my NDOO status at "do not allow", what will this mean?

Setting your NDOO status to "do not allow" means:

• Confidential medical information obtained by NHS Digital from GP surgeries, hospital trusts, mental health providers and social care, will not be released/disseminated/sold by them in a format that can identify you


• In due course, the NDOO will prohibit certain data extractions from your GP record, where this involves confidential medical information, and where your permission or consent would not be sought before your data was released (so-called section 251 approval)


• The NDOO will, eventually, prevent confidential medical information leaving the National Cancer Registry, certain other disease registries, the Clinical Practice Research Datalink (CPRD); and


• In due course, the NDOO will prevent confidential medical information leaving all hospitals and other healthcare providers for purposes beyond your medical care

The deadline for health and care organisations to comply with national data opt-out policy is currently the end of September 2021. The deadline was extended to enable health and care organisations to focus their resources on the coronavirus (COVID-19) outbreak.

There is no 31st September deadline for opting out of sharing your data. You can opt out at any time.

The NDOO applies to data that originates within the health and adult social care system in England.

That includes :

• health service providers including NHS foundation trusts and trusts, mental health and community trusts, ambulance trusts, primary care providers including GPs, dentists, optometry services and pharmacists
• private providers including Any Qualified Providers (AQPs) who provide health and adult social care services which are funded or under contract with a public body, for example NHS England, Clinical Commissioning Group (CCG) or local authorities
• Defence Medical Services (DMS)
• Healthcare services provided across the secure and detained estate (e.g. prison healthcare)
• public health including local authority public health functions and public health providers, for example school nursing
• adult social care services including care that is arranged or provided by local authorities and adult social care providers (i.e. where this is regulated by the Care Quality Commission (CQC)
• any organisation acting under a contract to a health and social care organisation, for example the Healthcare Quality Improvement Partnership (HQIP) delivering surveys under contract to NHS England
• any other organisation which handles and discloses health and adult social care information as a data controller including commissioners, for example CCGs or national bodies, the Department of Health and Social Care, NHS Digital, NHS England, Public Health England (PHE), Health Education England, National Institute for Health and Care Excellence (NICE), Medicines and Healthcare Products Regulatory Agency (MHRA), Care Quality Commission (CQC), NHS Improvement (NHSI), NHS Business Services Authority (NHS BSA), NHS Shared Business Services (NHS SBS), NHS Resolution, NHS Blood and Transplant, Human Fertilisation and Embryology Authority (HFEA), Human Tissue Authority, Health Research Authority (HRA), NHS Counter Fraud Authority and Healthcare Safety Investigation Branch

But that excludes :

• providers of health, public health or adult social care services outside of England
• providers of Children's services (including children's social care, education services and schools) which are regulated by Ofsted or otherwise within the policy responsibility of Department for Education (DfE) (N.B. child health services provided through organisations regulated by CQC do remain in scope)
• 'health' related data which originates and is shared by organisations completely outside of the health and adult social care system in England, e.g.
• assessments for disability or other benefits purposes carried out independently of the health and adult social care system (typically by the Department for Work and Pensions - DWP)
• coroners' reports (coroners fall under the remit of Home Office)
• health assessment carried out by the Courts/legal service
• Her Majesty's Revenue & Customs
• health assessments undertaken privately for pension providers or insurance companies
• universities
• Office for National Statistics (ONS) / General Registrar's Office (GRO)
• occupational health assessments
• organisations that do not generate health and adult social care data but do have data is lawfully disclosed to them for individual care purposes only (for example, charities which provide day care services for patients)

But be aware of this: the National Data Opt Out is not guaranteed.

"However, CAG can, in exceptional circumstances, approve an application that has robust justification for opt-outs to be overridden, for example 100% inclusion is statistically required. In such rare situations CAG can deem that there is an overriding public interest for the research to go ahead without opt-outs being upheld."

GDPR: Lawful basis, research consent and confidentiality, Medical Research Council

Which organisations does NHS Digital give my confidential personal information to?

Have a look here to get an idea.

The list is huge.

What will the NDOO/Type 1 objections NOT do?

• They will in no way affect the sharing of information for the purposes of your medical care and treatment, e.g. where information is shared between a GP surgery and a hospital
  It will not stop your GP using the Electronic Referral Service (eRS), the Electronic Prescription Service (EPS), or GP2GP transfers of medical records


• They will in no way affect the sharing of information for the purposes of medical care and treatment related to COVID-19. It will not stop you from having the COVID-19 vaccination, nor delay you from having it.


• They will in no way affect the National Summary Care Record (SCR)
  You can opt-out of the SCR via your GP surgery (see www.nhsdatasharing.info )


• They will (or should) in no way affect any local shared care record project or scheme, such as the Hampshire Health Record, the Great North care Record, the Bolton Care Record etc. (except if such schemes additionally process your uploaded information for secondary purposes)
  You can opt-out of your local shared care record scheme via your GP surgery (see www.nhsdatasharing.info )


• They will in no way prevent you from registering for secure online access to your GP record (Patient Online)


• They will in no way prevent you from using the NHS App (or any other, similar, online services app), or any of the features it provides, including secure online access to your electronic GP record


• They will in no way prevent you from registering for secure online access to some aspects of your hospital records, where available
  (e.g. My Medical Record, Patient Portal, Patient View or Patients Know Best)


• They will in no way affect situations where your GP surgery, or other healthcare organisation, is legally required to share your information (such as a court order or when mandated under section 259 of the Health and Social Care Act (such as the National Diabetes Audit) - but see later)


• They will in no way affect you being invited, when appropriate, for any of the National Screening Programmes, such as cervical/breast/bowel/abdominal aortic aneurysm/diabetic eye screening
  You can opt-out of these separately, if you wish


• They will in no way stop information being provided to the National Disease/Cancer Registries (run by Public Health England)
  You can opt-out of this separately, if you wish


• They will in no way stop information being provided to the National Cancer Patient Experience Survey (CPES) and the CQC NHS Patient Survey Programme


• They will in no way stop information being provided to the Office for National Statistics (ONS) solely for the production of official statistics


• They will in no way affect situations where your GP surgery, or any other healthcare organisation, shares data in an anonymised or aggregate (numbers only) format, in other words where that data cannot identify you (such as the Quality and Outcomes Framework or QSurveillance), or as "open data"

The NDOO will not stop:

• Commercial sales of hospital data (HES) by NHS Digital


• Lifelong, linked, individual-level medical histories being disseminated by NHS Digital


• Onwards release of data by non-NHS bodies (once they have been provided with your information by NHS Digital)


• Data disclosure under Regulation 3 of the COPI 2002 regulations (for comunicable diseases and other risks to public health) - such as disclosures necessary for the management of COVID-19


• Data disclosure about an individual's health or care which is generated or processed outside of England including in home countries of the UK, that is Wales, Scotland, Northern Ireland, and the crown dependencies of the Isle of Man and Channel Islands


• Data disclosure of confidential patient information where there is an overriding public interest in the disclosure, i.e. the public interest in disclosing the data overrides the public interest in maintaining confidentiality.
  Examples would include reporting of gun and knife wounds in line with GMC guidance, and patient's fitness to drive and reporting concerns to the DVLA in line with GMC guidance.

• Data disclosure of confidential patient information where the information is required by law or a court order (see page 24 of the NDOO Operational Guidance)


• Pseudonymised data requests that go through the NHS Digital DARS process ("so that a Data Sharing Framework Contract and Data Sharing Agreement are in place")


• Disclosures of your clearly identifiable information where the Confidentiality Advisory Group of the HRA have been persuaded to override the NDOO

A Type 1 opt-out (see later) will go some way to preventing some (but not all) of these.

Once your data has been copied or released it cannot be recovered.

What about Research?

The NDOO/Type 1 objections will in no way prevent you from taking part in accredited medical research, at your GP surgery/local hospital/other health organisation, where you have given your explicit consent to be involved (i.e. you have been asked first for permission).

They will in no way prevent you from:

• Giving blood


• Joining the NHS Organ Donor Register


• Signing up to the Anthony Nolan register to donate your blood stem cells or bone marrow


• Donating your DNA for medical research - with your permission


• "Donating your Data" for medical research - with your permission


• Contributing to UK Biobank - with your permission


• Joining the 100K Genomes project - with your permission


• Taking part in clinical drug trials


• Joining dementia research


• "Crowdsource" cancer research via apps and games


• Donating your body to medical science after your death


• Donating your brain or spinal cord to medical science after your death


• Making a living donation (e.g. kidney, liver or bone)


• Donating your hair (to make a wig for children and young adults)


• Donating money (in a tax-efficient way) to a medical charity


• Being contacted by your GP to invite you to take part in any research


• Granting researchers access to your medical records, or information extracted from your medical records, if you have been asked for your permission first

If you are interested in contributing to medical research, with your explicit permission, then have a look at Be a Part of Research.

The National Data Opt Out doesn't stop you contributing to any research where you are asked first.

It only stops the use of your confidential medical information where you are not asked before your data is taken and used.

And then, not always.

That means that the NDOO applies to the use of confidential patient information approved under:

• Regulation 2 of COPI 2002 (diagnosis or treatment of cancer)
• Regulation 3 of COPI 2002 (COVID-19 purposes)
• Regulation 5 of COPI 2002 (general medical purposes)

"For the research community the national data opt-out has no impact where a patient has consented to participate in a research study and has agreed for their data to be used in that study. Nor will it affect studies that use anonymised data."

Health Research Authority, National Data Opt Out briefing

Will the NDOO stop my confidential GP information being uploaded to NHS Digital in the first place?

NO.

NHS Digital does not rely upon section 251 approval (any more) for data gathering, preferring instead to make such data collections compulsory under section 259 of the Health and Social Care Act.

One such example of a mandatory s259 extraction is the National Diabetes Audit. The NDOO does not prohibit this (but the Type 1 opt-out does).

However, the existing secondary uses, Type 1 (9Nu0), opt-out that many people have in force on their GP record will prohibit data (confidential and, in some cases, de-identified) from being extracted and uploaded from your GP record to NHS Digital in the first place. Such as for care.data2/GPDPR.

In addition, the Type 1 opt-out will also prohibit section 251 approved data extractions, for example for "risk stratification", as well as the mandatory section 259 extractions.

Finally, the Type 1 opt-out will prohibit the extraction and uploading of your personal confidential data to NHS Digital, for COVID-19 related secondary purposes (GPES Data for Pandemic Planning and Research). The National Data Opt Out alone will not do this.

Detailed information about the Type 1 opt-outs can be found in this factsheet.

So how do I maximally limit secondary uses of my medical records, beyond my direct medical care?

① Set your NDOO status to "do not allow", see later for how to do this

AND

② Make sure you have a secondary uses, Type 1 (9Nu0) objection in force on your GP record - do this via your GP surgery

AND

③ Consider contacting your local hospital trust, mental health provider, or social care organisation (local council) that you use (or have used) and express "the right to object" to the dissemination of confidential information about you for secondary purposes (including to NHS Digital), where it is not legally mandated.
You have the right to object where your data might be processed in this way and the organisation concerned is relying on Article 6(1)(e) - Official Authority - as the legal basis under GDPR.

What about preventing NHS Digital releasing, disseminating, or selling anonymised and pseudonymised data about me?

You cannot - directly. And you have no control over why they are doing this, for what purpose(s), and to which organisation they are giving or selling your information to.

But you can limit how much information NHS Digital gathers about you from healthcare organisations, by maximally limiting the secondary uses of your medical records, as described above.

The less NHS Digital has about you, the less NHS Digital can disseminate about you.

And, yes, NHS Digital does receive a fee from organisations to provide your data to them (you can decide whether that is selling data, or not).

So how do I set, check, or update my National Data Opt Out status?

If you had previously requested a Type 2 objection to be in force, via your GP surgery, then this will have automatically set your NDOO status to "do not allow". You should received a letter from NHS Digital, confirming this. Any children aged 13yrs or over will have received their own letter as well.

It is no longer possible to directly view, set or change your NDOO status at your GP surgery.

Anyone aged 13yrs or over can set their NDOO status via the official NDOO website.

You can also set your NDOO status via the NHS App.

Anyone aged 12yrs or younger, or acting on behalf of another individual (i.e. as a formal proxy, e.g. with lasting power of attorney or as a court appointed deputy), cannot do this online but will have to ring 0300 303 5678, or by printing off a form and posting it. This is known as the non-digital channel.

Individuals in the secure and detained estate (e.g. prisons) are able to set a NDOO through the healthcare professionals working in these settings.

Individuals who have agreed with their GP for their records to be marked as sensitive will be offered the choice to set a NDOO through the established processes to set (or remove) a sensitive fla.

A NDOO cannot be set for a deceased patient unless they have explicitly stated this in a last will or testament. This can only be done via the non-digital channel.
A NDOO continues to be maintained and applied for an individual after they have died.

So how do I register a Type 1 objection at my GP surgery?

Fill in this form, and give it in to, post it to, fax it to, or email it to your GP surgery.

A similar form can be found via medConfidential.

You can also express a Type 1 objection verbally - in person or by telephone, to your GP surgery.

You can opt back in, or change your National Data Opt Out status, at any time in the future.

Feel free to send me constructive comments about this site.

Neil.Bhatia@nhs.net

PGP public key: 9651 BDC9 46B5 7768 3B3F AF79 8FE1 DACC FEFA 344F

S/MIME public key: 61EA AD3A 8356 258B 4390 4362 AE0C 8DCA 3ACC 50CA

Privacy Policy

This website is hosted by 1&1 UK.

This website does not accept or host any advertising.

This is a non-commercial website and receives no external source of funding from any organisation.

This website does not use cookies.

This website does not collect or process personal data.

This website does not use Google Analytics.

All links from this website are provided for information and convenience only.

This is a personal website and in no way affiliated with any GP surgery or Clinical Commissioning Group.