Evalian NHS Primary Care Network blog

NHS National Data Opt-Out 

By Georgina Donovan - July 16th, 2019 Posted in Compliance, Data Protection, Information Security

In tandem with the impact of the Primary Care Network initiative (our previous blog on this can be found here), another pressing matter troubling health and care practitioners in England right now is the need to comply with the national data opt-out policy by March 2020.

With a greater expectation to share special category data amongst health professionals, and the introduction of new technical compliance requirements for opt-outs, comes an increased risk of personal data breaches.

Patient Opt-Out – Addressing Data Sharing Concerns

Successfully managing the process of data subjects withdrawing their consent is not easy. Articles 13 and 14 of the GDPR set out the obligations of the controller for informing data subjects of their rights over their data. Between 2015 and 2018, about 150,000 Type 2 objections (individuals opting out of NHS Digital sharing confidential patient information for research and auditing purposes) were not upheld. In a written statement to Parliament in July 2018, this error was attributed to a coding mistake blamed on a third-party supplier. This error was swiftly rectified.

One of the outcomes of the National Data Guardian's Review of Data Security, Consent and Opt-Outs in June 2016 was the recommendation to give patients better rights over the use of their data. The national data opt-out was introduced on 25 May 2018, enabling patients to opt out from the use of their data for national research or planning purposes. Patients can view or change their medical data opt-out choice by using the online service at www.nhs.uk/your-nhs-data-matters.

With NHS Digital and Public Health England driving the roll-out of the national data opt-out policy across the NHS, all health and care organisations will need to:

  • implement the technical solution to enable clinicians to check lists of NHS numbers against those with national data opt-outs registered, and
  • have a process in place to ensure that they only use or disclose information for the returned list of NHS numbers.
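
The second requirement amounts to a fail-closed filter, sketched here as an added example (not code from NHS Digital or from this blog's author). It assumes the returned list arrives as a plain list of NHS numbers and that records are dictionaries with an `nhs_number` field; the function names and sample numbers are constructed for illustration.

```python
import re

def normalise(raw):
    """Strip spaces and hyphens so '999 000 0018' and '9990000018' compare equal."""
    return re.sub(r"[\s-]", "", raw or "")

def nhs_number_valid(n):
    """Modulus 11 check-digit test for a 10-digit NHS number."""
    if not re.fullmatch(r"\d{10}", n):
        return False
    total = sum(int(d) * w for d, w in zip(n[:9], range(10, 1, -1)))
    check = 11 - total % 11
    if check == 11:
        check = 0
    return check != 10 and check == int(n[9])

def filter_for_disclosure(records, submitted, returned):
    """Split records into (disclosable, withheld); anything doubtful is withheld."""
    submitted = {normalise(n) for n in submitted}
    returned = {normalise(n) for n in returned}
    # A returned number that was never submitted means the two lists are out of step.
    if not returned <= submitted:
        raise ValueError("returned list contains numbers that were not submitted")
    disclosable, withheld = [], []
    for rec in records:
        n = normalise(rec.get("nhs_number"))
        if not nhs_number_valid(n):
            withheld.append((rec, "invalid NHS number"))
        elif n not in submitted:
            withheld.append((rec, "never checked"))
        elif n not in returned:
            withheld.append((rec, "not in returned list"))
        else:
            disclosable.append(rec)
    return disclosable, withheld

# Constructed sample data (not real patients).
RECORDS = [
    {"nhs_number": "999 000 0018", "note": "in returned list"},
    {"nhs_number": "9990000026", "note": "checked, not returned"},
    {"nhs_number": "9990000034", "note": "added after the check ran"},
    {"nhs_number": "9990000019", "note": "mistyped check digit"},
]
SUBMITTED = ["9990000018", "9990000026"]
RETURNED = ["9990000018"]

if __name__ == "__main__":
    ok, held = filter_for_disclosure(RECORDS, SUBMITTED, RETURNED)
    print("disclose:", [r["nhs_number"] for r in ok])
    for rec, reason in held:
        print("withhold:", rec["nhs_number"], "-", reason)
```

Logging the reason for each withheld record gives the organisation an audit trail showing the opt-out check was applied before disclosure.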

Will these organisations have implemented the technical solution or be ready to implement by March 2020? NHS Digital has built a comprehensive information campaign to help health and care organisations achieve this aim. With about 10 months to go and with plenty of support, it should be possible. However, as reported in the Social Market Foundation’s ‘National Health Servers: Delivering digital health for all’:

there are reasonable misgivings about the NHS’s ability to safeguard patient data, which can affect public attitudes to data. In 2017, the WannaCry ransomware affected around one in three NHS Trusts and 595 GP practices. Thousands of operations and appointments were cancelled. Recent research suggested that one in five individuals (20%) are not confident in the ability of the NHS to protect their patient data. It’s clear that public perceptions and expectations of this new initiative will need careful management.

With greater pressure on the NHS to deliver more for less, compliance with the National Data Guardian’s recommendations will undoubtedly increase the risk of further data breaches. In the rush to meet these deadlines, it’s easy to lose sight of the fundamental principles of data protection by design and default: ensuring that organisational and technical measures are effective, with clearly defined accountability.

How We Can Help 

We have experience of working with NHS trusts as well as health and social care providers. If you are struggling with your preparations to comply with the national data opt-out policy, we can help.

If you’d like to discuss your requirements or just get some initial feedback, please do contact us. 
