Implications for health and social care settings
In May 2018 strict rules about how an individual’s data can or cannot be used were strengthened, and, whilst the deadline for all health and social care settings to be compliant with the National Data Opt Out (NDOO) has been extended from March 31st 2022 to July 31st 2022, the need to act to be compliant is as necessary as ever.
Data covered by the NDOO includes confidential patient information about their health or social care – data that can identify them.
If you fail to comply with the national data opt-out this could be a breach of your obligations to process data fairly and transparently. It also a requirement of the Standards Met in the Data Security Protection Toolkit (DSPT) for 2022-2023 submissions.
NDOO applies when…
confidential information is being disclosed for use other than for the direct care of the individual. This means that data cannot be used for research or development purposes if the individual had taken a decision not to allow this. If a patient has “Opted Out” this must be respected.
NDOO does NOT apply to…
any confidential information that is held for direct care purposes such as transferring a patient from one care home to another where information must be disclosed for direct care to continue to care for them safely. Even if the individual has Opted Out, this does not come under the NDOO given the need to share this data for patient safety.
Implications for health and social care settings
All organisations providing publicly funded health or adult social care will need to comply with the NDOO, if this applies to you then you will need to download the Messaging Exchange for Social Care and Health (MESH).
This will enable you to follow the process and check if anyone you support has opted out. The NDOO is recorded against the individual’s NHS number and will remain there unless the individual changes their mind, the Opt Out applies even after death.
Health and Social Care Providers, nurses and care staff all have a duty and key role in helping individuals who use their services understand that they can Opt Out and to help them make informed choices about how their confidential information is used in research and planning.
As providers you will need to have policies, procedures and Data Privacy Impact Assessments (DPIA) in place and communicate how you are going to be processing the individual’s data via your privacy notices.
All care providers use confidential patient information, so the NDOO applies.
If you are part of or affiliated to research projects with universities then the opt out will also apply.
This may seem like a very onerous procedure, especially if you are a smaller provider but better to put robust policies and procedures in place now, rather than face a fine by the ICO. If we can support you with any aspect of the NDOO or data protection compliance or training please contact us and one of the team will be happy to discuss your requirements.