National Data Opt-out Service Privacy Notice
The national data opt-out service allows you to register a national data opt-out. This prevents your confidential patient information from being used for reasons beyond your individual care and treatment.However, there are some circumstances where opt-outs do not apply. In these circumstances, your confidential patient information will still be used.
NHS Digital is the data controller for the data collected and processed to provide the national data opt-out service.
For the national data opt-out the following definitions are used:
- Confidential patient information is information which identifies you and says something about your health, care or treatment. You would expect this information to be kept private. Information that only identifies you, like your name and address, is not considered to be confidential patient information and may still be used. For example, to contact you if your GP practice is merging with another
- Purposes beyond your individual care and treatment include the use of your confidential patient information to plan and improve health and adult social care services in England. It also includes the use of your confidential patient information for research. This enables the NHS to develop cures for serious illnesses and plan better services for the future. You can opt-out of this, but health and care professionals may still use your confidential patient information to help with your treatment and care
- The national data opt-out applies to confidential patient information related to health and adult social care services in England which are publicly funded or arranged by a public body, for example a local authority. It does not apply to health and adult social care services that you receive outside of England or if you are a private patient.
This document sets out what personal data we collect and how we use your data to provide the national data opt-out service, including your rights and how to contact us. It does not cover how NHS Digital processes your data to provide any other services. This notice forms part of a range of materials. Links to further information are found below.
- Patient information - For information about the national data opt-out, how it works, exemptions when it does not apply and to manage your choice, please visit www.nhs.uk/your-nhs-data-matters.
- Policy and where opt-outs don’t apply - Health and care staff can see more information on the national data opt-out programme website. You can also find guidance on policy, information on when the national data opt-out will be applied across health and care and a full list of where an opt-out won’t apply.
What information do we collect about you?
If you wish to set a national data opt-out or to view or change your existing choice we first need to check who you are – we match the information you provide with information we already hold on our system. The information we need will depend on how you access the service.
Accessing the service
Online - We ask for your name, date of birth and NHS number. Once we find a match and verify this, using a passcode sent to your registered mobile phone or email address, we do not keep this information.
Assisted Online - We ask for your name, date of birth and NHS number. If you do not know your NHS number, we may ask you for your postcode to help us find a match. Once we find a match and verify this, using a passcode sent to your registered mobile phone or email address, we do not keep this information.
- Setting an opt-out for yourself - We ask for your name, address, postcode and NHS number. If you are unable to provide an NHS number, you will need to provide copies of two identification documents (one confirming your name and the other confirming your address).
- Setting an opt-out on behalf of another person - We ask for your name, address, postcode and proof that you can act on behalf of the other person such as a Lasting Power of Attorney. For the individual you are setting the opt-out for we ask for their name and NHS number. If you are unable to provide their NHS number, you will need to provide copies of two identification documents for this person (one confirming their name and the other confirming their address).
Once we find a match, the documents are disposed of as confidential waste. If original documents are sent in error, these will be returned to you securely.
What information do we store?
Once we have matched you to your individual record in our secure data store, your opt-out choice is stored against your NHS number. This is the minimum information that we need to provide this service.
We record and store audit data each time you use the service including:
- The date and time.
- Whether you used the online, assisted online or by post service.
- Whether the opt-out was for yourself or for another person, for example a parent/guardian for their child.
Your internet protocol (IP) address – a unique identifier for your computer or other access device – is also stored to help us monitor and protect the service from malicious use.
We also collect and retain some management information about the performance of the service itself such as time taken for each transaction or system availability. This information does not identify you personally and is used to monitor and improve the service provided.
You may be invited to provide feedback on the service. You can decide if you want to participate, this does not identify you personally and is only used to improve the service provided.
You are under no obligation to use this service. If you have not registered a national data opt-out your confidential patient information will continue to be used for health research and planning. You do not need to take any action if you are content for your information to be used in this way.
Where your data is stored
We store your data on secure cloud servers in the European Economic Area (EEA).
How do we use your data?
NHS Digital uses your personal data to:
- Identify who you are so that your data opt-out choice is correctly allocated to your record on our secure data store
- Make a record of your choice in our secure data store against your NHS number.
- Uphold your data opt-out choice on data releases that we make to others.
- Produce statistics on how many people have registered an opt-out, some analysis of their age and geographical spread and how this changes over time. This will be done in a way that does not identify you.
NHS Digital will apply your opt-out as soon as we can after we have received it, but it may take up to 21-days for your opt-out to take effect in all releases of data.
NHS Digital may contact you directly about your opt-out if there are significant changes to the service or if the national data opt-out is withdrawn.
What is our legal basis for processing this data?
NHS Digital has been instructed by the Department of Health and Social Care, through a document called a Direction, to provide this service. A Direction is a legally binding document. Directions are published on the NHS Digital website. This means that NHS Digital is processing your personal data to meet our legal obligation to provide this service. You can choose whether you want to use this service and can change your mind at any time.
How long will we keep this information?
Once set a national data opt-out is not time limited and does not change unless you take action to remove it. Your opt-out continues to apply after you have died. A national data opt-out set by a parent/guardian on behalf of a child remains in place until:
- the young person changes it once they reach the age of 13 or
- the parent/guardian changes it – this can only be done while the child is under 13
We will continue to uphold your data opt-out choice against your NHS number in our secure data store until instructed to stop running the service by the Department of Health and Social Care.
In line with our records management policy, we will retain the audit information for 8 years to enable us to monitor and report on the use of the service.
How you can access your data?
You can check and change your opt-out choice at any time. This can be done through the national data opt-out service or by calling the telephone helpline on 0300 303 5678. (Open: 9am to 5pm Monday to Friday - excluding bank holidays).
You will need to verify your identity every time you want to access or change your data opt-out choice.
As we only use your NHS number to record and uphold your opt-out, you are advised to check that your choice is still correctly recorded in the event that you are assigned a different NHS number.
Who do we share your data with?
If you decide to opt out, this will be respected and applied by NHS Digital from May 2018. That is NHS Digital will not share your confidential patient information for research or planning purposes (subject to the list of situations where an opt-out does not apply).
Your decision will be respected and upheld by all other health and care organisations providing care which is publicly funded, or arranged by a public body, by March 2020. For more details on when the national data opt-out will be applied across health and adult social care, please visit the national data opt-out website.
In order for other health and care organisations to respect your opt-out NHS Digital will provide access to the list of NHS numbers of those who have opted out. This data will only be used for the purposes of applying your opt-out.
How to contact us or to make a complaint
Please contact us if you have any questions about the information provided above or about the data we hold on you in relation to this service:
If you wish to raise a complaint concerning NHS Digital’s processing of your personal data, visit our feedback and complaints webpage or use the contact details above.
The NHS Digital Data Protection Officer can be contacted using the details below:
You have the right to raise a concern with the ICO at any time: Information Commissioner’s Office, Wycliffe House Water Lane, Wilmslow, SK9 5AF.