National data opt-out policy

In line with the recommendations made by the National Data Guardian in her ‘Review of Data Security, Consent and Opt-outs’, the national data opt-out was introduced for health and social care systems on 25 May 2018. This is intended to give patients and the public more control over how their confidential patient information is used for research and planning purposes.

The Government response to the review set out that all health and adult social care organisations in England must comply with the national data opt-out policy by July 2022.

What is the national data opt-out?

It is a service that enables the public to register to opt out of their confidential patient information being used for purposes beyond their individual care and treatment. The public can change their national data opt-out choice at any time.

Who needs to comply with national data opt-out policy?

The national data opt-out applies to data for patients where their care is provided in England by a publicly funded organisation or the care has been arranged by a public body such as the NHS or a Local Authority. It does not apply to data related to private patients at private providers.

In summary the national data opt-out applies to:

  • all NHS organisations (including private patients treated within such organisations),
  • all Local Authorities providing publicly funded care,
  • adult social care providers where the care provided is funded or arranged by a public body, and
  • private or charitable healthcare providers providing NHS funded treatment or arranged care.

Which data disclosures do national data opt-outs apply to?

National data opt-outs apply to a disclosure when an organisation, e.g. a research body, confirms they have approval from the Confidentiality Advisory Group (CAG)* for the disclosure of confidential patient information held by another organisation responsible for the data (the data controller) such as an NHS Trust.

The CAG approval is also known as a section 251 approval and refers to section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002. The NHS Act 2006 and the Regulations enable the common law duty of confidentiality to be temporarily lifted so that confidential patient information can be disclosed without the data controller being in breach of the common law duty of confidentiality.

In practice, this means that the organisation responsible for the information (the data controller) can, if they wish, disclose the information to the data applicant, e.g. research body, without being in breach of the common law duty of confidentiality. To be clear it is only in these cases where opt-outs apply.

National data opt-outs do not apply where:

  • information being disclosed is anonymised in accordance with the Information Commissioner’s Office’s anonymisation code of practice,
  • the individual has given their consent for their information to be used for a particular purpose, e.g. a specific research study,
  • there is an overriding public interest in the disclosure, i.e. the public interest in disclosing the data overrides the public interest in maintaining confidentiality, also referred to as the ‘public interest test’, and
  • there is a legal requirement that sets aside the common law duty of confidentiality or the information is required by a court order.

In these scenarios above, section 251 approvals would not have been sought.

What has NHS Shared Business Services done?

NHS Shared Business Services provides support functions to NHS organisations across England. We do not routinely gather or hold significant volumes of clinical (patient) data, however we recognise that from time to time our business may come into contact with confidential patient information, linked to various services provided through the NHS.

In recognition, NHS Shared Business Services has assessed our current services and confirmed that we are compliant with the national data opt-out policy as requests for such data are managed by our NHS Clients and not NHS Shared Business Services directly.

Requests for any future uses of confidential patient information are routed to the NHS Shared Business Services Caldicott Guardian who will liaise directly with the relevant NHS Care body to manage onwards.

Who is the Caldicott Guardian for NHS Shared Business Services?

Juliet Norris is the Caldicott Guardian for NHS Shared Business Services and can be contacted at

Further information

For more information on being compliant with and applying national data opt-outs please contact the Privacy, Risk & Counter Fraud Service at who will be able to further support.

*The Confidentiality Advisory Group (CAG) is an independent body which provides expert advice on the use of confidential patient information.