Data Opt-Out Privacy Notice

NHS Digital – Privacy Notice

The ‘Choose if data from your health records is shared for research and planning’ service allows you to choose whether or not your confidential patient information can be used for research and planning purposes. This prevents your confidential patient information from being used for purposes beyond your individual care and treatment.

This document explains the choice you have, what it will mean for you and where your choice does not apply. It tells you what information NHS Digital collects and how it is used to provide this service, including your rights and how to contact us. This document forms part of a range of materials and information to help you make an informed choice about how your confidential patient information is used.

Where you have a choice

You have a choice on whether or not your confidential patient information can be used for purposes beyond your individual care and treatment. If you would like this to stop, you can opt out of this yourself or on behalf of someone else. If you want to allow your confidential patient information to continue to be used for research and planning and you have not previously opted out of this, you do not need to take any action. The choice you make applies to publicly funded care in England only.

Confidential patient information

This is information which identifies you and says something about your health, care or treatment. You would expect this information to be kept private. Information that only identifies you, like your name and address, is not considered to be confidential patient information and may still be used. For example, to contact you if your GP practice is merging with another. Information about your health or care that is anonymised so that you can no longer be identified is not considered to be confidential patient information.

Purposes beyond your individual care and treatment

This includes the use of your confidential patient information to plan and improve health and adult social care services. For example, deciding where to locate a new clinic or information used to compare the quality of care provided across the country. It also includes the use of your confidential patient information for research. For example, to develop new treatments for serious illnesses. The choice you make does not apply when your information is used to help with your own treatment and care.

Publicly funded care in England

The choice you make applies to confidential patient information related to health and adult social care services in England, which are publicly funded or have been arranged by a public body. For example, a local authority. It does not apply to health and adult social care services that you receive outside of England or if you are a private patient.

When your choice does not apply

There are some situations where your choice does not apply and your confidential patient information may still be used.

When required by law

Your confidential patient information may still be used when there is a legal requirement to provide it, such as a court order.

When you have given consent

Your confidential patient information may still be used when you have given your consent, such as for a medical research study.

When there is overriding public interest

Your confidential patient information may still be used in an emergency or in situations where there is an overriding benefit to others. For example, to help manage contagious diseases and stop them spreading, like meningitis. In these situations, the safety of others is most important.

When information that can identify you is removed

Information about your health care or treatment may still be used in research and planning if the information that can identify you is removed first.

When there is a specific exclusion

Your choice does not apply to a small number of specific exclusions, including:

  • when information is given to the Office for National Statistics for official statistics, like the Population Census
  • the National Cancer Patient Experience Survey (CPES) and CQC NHS Patient Survey Programme
  • data shared with Public Health England for the National Cancer Registration Service, the National Congenital Anomalies and Rare Diseases Registration Service and the oversight of population screening programmes
  • when data is used to make sure people with learning disabilities and/or autism receive the best care possible when in hospital for mental health or challenging behaviour issues (also known as assuring transformation)
  • the Children and Young People’s Cancer Patient Experience Survey (for the first 2 years of its implementation; this temporary exemption will then be reviewed)

You may be able to make a separate decision on whether or not your information can be used by some of the other services listed.

Please Note

The list of exclusions can change where a case has been made to the Department of Health and Social Care that the data collection is too significant to risk losing some patient data. For example, when the information may be required to inform key Government commitments and policies.

Every effort is made to ensure this list is updated in a timely manner when any new exclusion is agreed, or a previous exclusion is withdrawn.

Other exclusions where your choice will not be applied:

  • when data is used to make sure correct payment is made when there is no contract. For example, if a patient lives in Bromley but is treated in hospital in Devon, an invoice will be sent from Devon to the Integrated Care Board (ICB) in Bromley that holds the budget for the patient
  • when the confidential patient information does not contain your NHS number and if obtaining the number would involve disproportionate effort. This exclusion is likely to apply in limited circumstances as health organisations are legally obliged to use the NHS number. It may apply to historic data or to some adult social care services like home care.

When your choice will be applied

The choice you make will be respected and applied by NHS Digital and Public Health England first, before being rolled out gradually across all other national organisations. All other health and care organisations are required to comply by 30 September 2020 (delayed from March 2020 to allow organisations to focus on the COVID-19 outbreak). Local health and care organisations are required to inform their patients once they have taken steps to comply with the national data opt-out policy. You may wish to check any privacy information provided locally.

From registering your decision, it can take up to 21 days before your choice is applied to data being used across all health and care organisations.

How your data is processed to register and apply your choice

NHS Digital is the data controller for the data collected and processed to provide the ‘Choose if data from your health records is shared for research and planning’ service. This section explains how we process your data, your rights and how to raise concerns if you are not happy.

Information we collect from you

If you wish to make a choice, or to view or change your existing choice, we first need to check who you are. We match the information you provide (for example name, date of birth, postcode and NHS number) with information we already hold on our system. The information we need will depend on how you access the service.

You can manage your choice by:

  • using the online service
  • using the assisted online service
  • post
  • using the NHS App

Accessing the service

Online & Assisted Online

We ask for your name, date of birth, postcode and/or NHS number. Once we find a match and verify this, using a passcode sent to your registered mobile phone or email address, we do not keep this information.

NHS App

Your identity is verified through the registration and login to the App itself. Only your NHS number is passed to the ‘Choose if data from your health records is shared for research and planning’ service.

By post – making a choice for yourself

We ask for your name, address, postcode and NHS number. If you are unable to provide an NHS number, you will need to provide copies of two identification documents (one confirming your name and the other confirming your address).

By post – making a choice on behalf of another adult

We ask for your name, address, postcode and proof that you can act on behalf of the other person, like a Lasting Power of Attorney. For the individual you are making a choice for, we ask for their name and NHS number. If you are unable to provide their NHS number, you will need to provide copies of two identification documents for this person (one confirming their name and the other confirming their address). Once we have completed the verification checks these documents are retained for 3 months before being disposed of as confidential waste. If original documents are sent in error, these will be returned to you securely.

By post – making a choice on behalf of a child

We ask for your name, address, postcode and for you to sign a declaration that you have parental responsibility for the children named on the form. For the children you are making a choice for, we ask for their name and NHS number. If you are unable to provide their NHS number, you will need to provide a copy of their passport or birth certificate. Once we have completed the verification checks these documents are retained for 3 months before being disposed of as confidential waste. If original documents are sent in error, these will be returned to you securely.

Information we store

Once we have matched you to your individual record in our secure data store, your choice is stored against your NHS number. This is the minimum amount of information that we need to provide this service.

We record and store audit data each time you use the service, including:

  • the date and time
  • whether you used the online, assisted online, postal or NHS App service
  • whether the choice you made was for yourself or for another person

Your internet protocol (IP) address is also stored to help us monitor and protect the service from malicious use. An IP address is a unique identifier for your computer or other access device. We also collect and retain some management information about the performance of the service itself, such as the time taken for each transaction or system availability. This information does not identify you personally and is used to monitor and improve the service provided.

You may be invited to provide feedback on the service. You can decide if you want to participate. This does not identify you personally and is only used to improve the service provided.

Where your data is stored

We store your data on secure cloud servers in the European Economic Area (EEA).

How we use your data

NHS Digital uses your personal data to:

  • identify who you are so that your choice is correctly allocated to your record on our secure data store
  • make a record of your choice against your NHS number in our secure data store
  • apply your choice on data releases that we make to others
  • provide a service to enable other organisations to apply your choice
  • produce statistics on how many people have chosen to stop sharing their information, some analysis of their age and geographical spread and how this changes over time. This will be done in a way that does not identify you
  • contact you directly about the choice you make if there are significant changes to the service or if it is withdrawn

Our legal basis for processing this data

NHS Digital has been instructed by the Department of Health and Social Care, through a document called a Direction, to provide this service. A Direction is a legally binding document. Directions are published on the NHS Digital website. This means that NHS Digital is processing your personal data to meet our legal obligation to provide this service. You can choose whether you want to use this service and can change your mind at any time.

How long we keep this information

Once you make a choice, the decision you make is not time limited and does not change unless you take action to change it. Your choice continues to apply after you have died. We will continue to uphold the choice you make against your NHS number in our secure data store until instructed to stop running the service by the Department of Health and Social Care.

A choice made by a parent/guardian on behalf of a child remains in place until:

  • the young person changes it once they reach the age of 13
  • the parent/guardian changes it (only if the child is under 13)

In line with our records management policy, we retain the audit information for a minimum of 8 years to enable us to monitor and report on the use of the service. We retain the “by post” documentation for 3 months.

How to view and change your choice

You can check and change the choice you make at any time. This can be done through the ‘Choose if data from your health records is shared for research and planning’ service or by calling the telephone helpline on 0300 303 5678 (open 9am to 5pm, Monday to Friday, excluding bank holidays).

You’ll need to confirm who you are every time you want to access or change your decision.

If you have been assigned a new NHS number because of a data quality incident or a change to identity, data linked to your previous NHS number might still be used for research and planning.

Contact us if you do not want your confidential patient information linked to your previous NHS number to be used for research and planning.

You do not need to contact us if you have previously set a national data opt-out against your previous NHS number.

Who we share your data with

In order for other health and care organisations to respect your choice, NHS Digital will provide access to the list of NHS numbers of those who have chosen not to allow their data to be used beyond their individual care and treatment. This data will only be used for the purposes of applying the choice you make.

Further information

Patient information

If you wish to make a choice, or to view or change your existing choice, visit the ‘Choose if data from your health records is shared for research and planning’ website. Alternatively, you can call us on 0300 303 5678.

Health and care staff information

Health and care staff can find more information on the national data opt-out website. This includes detailed guidance on policy, and resources for staff and patients.

Data collection and processing

More information about NHS Digital’s role to collect, process and protect health and care information and how we meet our legal obligations can be found on the NHS Digital website.

How to contact us

Please contact us if you have any questions about the information provided above or about the data we hold on you in relation to this service:

By phone

0300 303 5678

9am to 5pm, Monday to Friday excluding bank holidays

By email

enquiries@nhsdigital.nhs.uk

By post

National data opt-out
NHS Digital
1 Trevelyan Square
Boar Lane
Leeds
LS1 6AE

Make a complaint

If you wish to raise a complaint concerning NHS Digital’s processing of your personal data, visit our feedback and complaints webpage or contact us.

The NHS Digital Data Protection Officer can be contacted by telephone, email or post.

By phone

0300 303 5678

9am to 5pm, Monday to Friday excluding bank holidays

By email

enquiries@nhsdigital.nhs.uk

By post

National data opt-out
NHS Digital
1 Trevelyan Square
Boar Lane
Leeds
LS1 6AE

You have the right to raise a concern with the ICO at any time: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

www.ico.org.uk