The national data opt-out system for patients and how to complete the DSPTK opt-out question

The national data opt-out system for patients and how to complete the DSPTK opt-out question

This PSNC webpage explains for pharmacy contractors what the national data opt-out system for patients is and how to complete the Data and Security Protection Toolkit (‘Toolkit’) question about the data opt-out system.

March 202o update: In light of the ongoing COVID-19 pandemic the final deadline for the opt-out system has been re-scheduled from March 31st 2020 to September 30th 2020. However alignment with the opt-out system may be done well ahead of that time – see this webpage and the briefing.

See also PSNC’s briefing: PSNC Briefing 012.20 The national data opt-out system for patients and how to complete the DSPTK opt-out question.

What is the opt-out?

The opt-out system allows patients to directly express their opt-out preference about whether health and care organisations can process that patient’s personal identifiable information where the only reason (or basis) is:

  • Research or planning purposes, e.g. to find ways to improve treatments or using data use to improve the delivery of health services.

Patients will be able to find more information or express their opt-out preference by:

Contractors are advised to signpost patients that ask about opt-out to one of the patient-facing options above (e.g. the website mentioned: nhs.uk/yournhsdatamatters). Patients have been informed their opt-out preference will be honoured by health and care organisations from September 30th 2020. The opt-out system comes into force the same day as the deadline for assurances from health organisations about opt-out and more (via the Toolkit).

Other patient communications: A pack was posted to many pharmacies during summer 2018. It included a number of posters and handouts to give information to patients. Contractors may be able to order a limited number of additional copies of the NHS poster at no cost using the Department of Health and Social Care Publications order line at  www.orderline.dh.gov.uk (using that link, select ‘Your Data Matters to the NHS’ from the campaign box on the right) – whilst stocks last. Pharmacy teams were advised by us to make use of the materials provided and signpost patients. NHS Digital also have made available other patient resources including posters on their website.

The PSNC privacy notice template (see psnc.org.uk/dstemplates or General Data Protection Regulation (GDPR) Workbook Template G Privacy Notice) already includes reference to the opt-out system: “[You may choose to opt out of the NHS using your data for planning and research purposes – please ask for details.]”. If you do not use this template, you can add this clause to your own privacy notice wording. A separate Toolkit question enables you to confirm you have a privacy notice. This table sets out what the opt-out system applies to and how pharmacy contractor reportedly process identifiable patient data using other reasons instead of only relying on planning/research – (meaning the opt-out system would typically have  little impact on pharmacy data processing).

Patient data processing categories (and whether these apply to the opt-out policy and whether pharmacy teams use such data flows)? Applies to opt-out? Expected pharmacy data flows? (patient data)
Planning and research is reason for data processing

  • Research / planning – e.g. finding ways to improve treatments and identify causes of and cures for illnesses, or planning to improve and enable the efficient and safe provision of health and care services

(identifying patients personally)

Applies to opt-out Pharmacy contractors report to CP ITG avoiding processing where planning/research is only basis

Individual’s care & treatment is reason for data processing

E.g. where data is shared between the health and care professionals in a pharmacy and in a GP practice

(identifying patients personally i.e. not fully anonymised)

exempt from opt-out Typical pharmacy data flow

Legal requirement / public interest / consent is reason for processing

E.g.  There is a mandatory legal requirement such as a court order, to protect the greater interests of the public or there is explicit consent

(identifying patients personally)

exempt from opt-out Typical pharmacy data flow

Data is processed but fully anonymised

The data shared is fully anonymised e.g. compliant with the Information Commissioners Office (ICO) Anonymisation: managing data protection risk code of practice

(identifying patients personally)

exempt from opt-out Typical pharmacy data flow

 

How can I answer the Toolkit question which asks whether I comply with the opt-out system?

You are recommended to use the Data Security and Protection Toolkit guidance materials including the ‘How to complete’ summary briefing to complete your Toolkit as soon as possible and ahead of the final Toolkit deadline (March 31st 2020). PSNC worked with NHS Digital’s Toolkit team to produce its guidance. The Toolkit includes a question about whether the pharmacy contractor is “compliant with the national data opt-out policy”.

PSNC’s Toolkit question-by-question guidance explains that you may enter ‘Yes’ within the comments box, because you (and other pharmacy contractors) should be processing identifiable data for other reasons instead of relying only on planning/research. Contractors should reference the opt-out policy within their own privacy notices (which can be made available on websites and/or within leaflets for patients that request information). Within the Toolkit opt-out question you are advised to also click the ‘enter document’s location’ option and type ‘Privacy notice’ if yours references the opt-out. Patients have also been notified about the opt-out via NHS transparency notices. The images below demonstrate how you may complete. You can click ‘save’ to complete the question.

 

Frequently asked questions

Q. Why was the opt-out system introduced?

NHS Digital developed the data option system available as recommended in ‘Your Data, Better Security, Better Choice, Better Care’ and within the Government’s response to the National Data Guardian’s ‘Review of Data Security, Consent and opt-outs’. With the expansion of healthcare services being offered in the community, the National Data Guardian (NDG) recommends that healthcare data security standards continue to be reinforced.

Q. What are the arrangements for organisations if they may need to process identifiable patient data with only research/planning as the basis?

Organisations that wish to process identifiable data with only planning/research as the reason must work through the NHS Digital opt out documents and as needed access the opt-out system to assist their data processing. The Community Pharmacy IT Group considered the opt-out matter and determined that pharmacy contractors should continue to maintain exemplary governance arrangements and should therefore not begin to process identifiable data with only planning/research as the reason.

PMR suppliers and PMR’s aggregator companies must also complete the Toolkit each year and confirm alignment with opt-out policy within their Toolkit answers. It is recommended that PMR suppliers and aggregator companies also mention within their own public privacy notices they align with the opt-out policy. Pharmacy contractors that have PMR queries may direct these to their PMR supplier. NHS bodies such as NHS Digital will also confirm their ongoing alignment to opt-out policy e.g. via Toolkit submissions.

Further information

See the FAQs above. Also, if you have queries on this PSNC webpage or you require more information please contact it@psnc.org.uk.

 

Return to Data security protection (IG) hub

Return to Pharmacy IT



Latest Contract & IT news

View more Contract & IT news >