CH164-National Data Opt-Out Policy
{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
National Data Opt-Out Policy
1. Purpose
The purpose of this policy is to outline how {{org_field_name}} complies with the NHS National Data Opt-Out Programme and ensures that individuals can make informed choices about how their confidential information is used for purposes beyond their direct care. This policy supports our legal obligations under the Data Protection Act 2018, UK GDPR, and Health and Social Care Act 2012, and aligns with CQC Regulation 17 (Good Governance) and Regulation 9 (Person-centred care) by ensuring data transparency, confidentiality, and respect for individual preferences.
2. Scope
This policy applies to all staff, including permanent employees, agency workers, contractors, and volunteers who have access to confidential personal information. It covers all uses and disclosures of confidential data for secondary purposes, such as planning, research, or service improvement, excluding direct care. It applies to both digital and paper-based data and governs how {{org_field_name}} accesses, processes, and shares information that may be subject to national data opt-out restrictions.
3. Related Policies
This policy should be read alongside:
- CH34 – Confidentiality and Data Protection (GDPR)-Service User Policy
- CH04 – Good Governance Policy
- CH07 – Person-Centred Care Policy
- CH35 – Duty of Candour Policy
4. Policy Details
4.1 Understanding the National Data Opt-Out
The National Data Opt-Out allows individuals to opt out of their confidential information being used for research and planning purposes. It is a national initiative managed by NHS Digital and applies to all health and adult social care organisations in England. {{org_field_name}} must respect individuals’ decisions to opt out and ensure that no confidential data is used or disclosed for secondary purposes if the opt-out is in place. The opt-out does not apply to uses for direct care, statutory requirements, or where there is a legal obligation to share information.
4.2 Organisational Responsibilities
The Data Protection Officer {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}} is responsible for ensuring compliance with the National Data Opt-Out programme. This includes verifying opt-out statuses where applicable, updating procedures, and monitoring usage of confidential information. The Registered Manager {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}} ensures staff are trained, audits are completed, and that any data shared complies with the programme requirements. The organisation completes an annual Data Security and Protection Toolkit submission confirming compliance.
4.3 Identifying When Opt-Out Applies
Staff must determine whether data usage qualifies as a secondary purpose, such as service evaluations, audits for improvement (not for direct care), or research projects. If the data is being used for planning, research, commissioning, or similar purposes, the National Data Opt-Out may apply. Before disclosing or using data for any such activity, the staff member must seek approval from the Data Protection Officer who will check the NHS Digital MESH system or use compliant software to remove data related to individuals who have opted out.
4.4 Respecting and Actioning Opt-Outs
Where an individual has exercised their right to opt out, {{org_field_name}} ensures that their data is excluded from any secondary purpose data processing. We do not rely on verbal assurances or assumptions. Staff are trained not to use such data unless it is for direct care or meets a legal exemption. We use automated tools where available, or manual checking processes to ensure that data processing is compliant.
4.5 Informing People We Support
During care planning and at regular review intervals, individuals are provided with information about how their data may be used. They are informed about the National Data Opt-Out and how to make their choice by visiting: https://www.nhs.uk/your-nhs-data-matters/. Staff provide support for individuals who need help understanding or accessing the opt-out process. The conversation and choice are recorded in the individual’s care file and flagged on their digital record if applicable. We ensure people are aware that opting out does not affect their care or treatment in any way.
4.6 Training and Staff Competency
All staff must complete data protection and confidentiality training, including specific guidance on the National Data Opt-Out. This is covered in induction and refreshed annually. Competency is assessed through supervision, audits, and scenario-based questions. Staff are reminded regularly through team meetings and compliance updates to remain vigilant about secondary use disclosures and to seek advice where unsure.
4.7 Auditing and Monitoring
The Data Protection Officer conducts quarterly audits to ensure that data sharing for secondary purposes complies with the national opt-out policy. These audits include reviewing data flows, checking compliance logs, and ensuring opt-out preferences are upheld. Any breach or risk is reported to the Registered Manager and actioned immediately. The audit results form part of our overall governance and are included in management reviews.
5. Policy Review
This policy is reviewed annually, or sooner if required due to updates in national guidance, changes in legislation, or findings from audits. The review is led by the Data Protection Officer in consultation with senior management and feedback from staff or individuals we support. Updates are communicated during team meetings, and policy changes are confirmed through documented staff read-and-understand sign-off.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.