The national data opt-out system for patients and the related DSPTK question

Published on: 18th April 2018 | Updated on: 3rd May 2022

This Community Pharmacy England webpage explains for pharmacy contractors what the national data opt-out system for patients is and how to complete the Data and Security Protection Toolkit (‘Toolkit’) question about the data opt-out system.

2022 update: In light of the ongoing COVID-19 pandemic the final deadline for the opt-out system was re-scheduled from March 31st 2020 to March 31st 2021 to 31st July 2022. However alignment with the opt-out system within the community pharmacy sector should have been completed well ahead of that time – see this webpage and the briefing.

See also Community Pharmacy England’s briefing: Community Pharmacy England Briefing 012.20 The national data opt-out system for patients and how to complete the DSPTK opt-out question.

What is the opt-out?

The opt-out system allows patients to directly express their opt-out preference about whether health and care organisations can process that patient’s personal identifiable information where the only reason (or basis) is:

  • Research or planning purposes, e.g. to find ways to improve treatments or using data use to improve the delivery of health services.

Patients will be able to find more information or express their opt-out preference by:

Contractors are advised to signpost patients that ask about opt-out to one of the patient-facing options above (e.g. the website mentioned: nhs.uk/yournhsdatamatters). Patients have been informed their opt-out preference will be honoured by health and care organisations from March 31st 2021. The opt-out system comes into force the same day as the deadline for assurances from health organisations about opt-out and more (via the Toolkit).

Other patient communications: A pack was posted to many pharmacies during summer 2018. It included a number of posters and handouts to give information to patients. Contractors may be able to order a limited number of additional copies of the NHS poster at no cost using the Department of Health and Social Care Publications order line at  www.orderline.dh.gov.uk (using that link, select ‘Your Data Matters to the NHS’ from the campaign box on the right) – whilst stocks last. Pharmacy teams were advised by us to make use of the materials provided and signpost patients. NHS Digital also have made available other patient resources including posters on their website.

The Community Pharmacy England privacy notice template (see cpe.org.uk/dstemplates or General Data Protection Regulation (GDPR) Workbook Template G Privacy Notice) already includes reference to the opt-out system: “[You may choose to opt out of the NHS using your data for planning and research purposes – please ask for details.]”. If you do not use this template, you can add this clause to your own privacy notice wording. A separate Toolkit question enables you to confirm you have a privacy notice. This table sets out what the opt-out system applies to and how pharmacy contractor reportedly process identifiable patient data using other reasons instead of only relying on planning/research – (meaning the opt-out system would typically have  little impact on pharmacy data processing).

Patient data processing categories (and whether these apply to the opt-out policy and whether pharmacy teams use such data flows)? Applies to opt-out? Expected pharmacy data flows? (patient data)
Planning and research is reason for data processing

  • Research / planning – e.g. finding ways to improve treatments and identify causes of and cures for illnesses, or planning to improve and enable the efficient and safe provision of health and care services

(identifying patients personally)

Applies to opt-out Pharmacy contractors report to CP ITG avoiding processing where planning/research is only basis

Individual’s care & treatment is reason for data processing

E.g. where data is shared between the health and care professionals in a pharmacy and in a GP practice

(identifying patients personally i.e. not fully anonymised)

exempt from opt-out Typical pharmacy data flow

Legal requirement / public interest / consent is reason for processing

E.g.  There is a mandatory legal requirement such as a court order, to protect the greater interests of the public or there is explicit consent

(identifying patients personally)

exempt from opt-out Typical pharmacy data flow

Data is processed but fully anonymised

The data shared is fully anonymised e.g. compliant with the Information Commissioners Office (ICO) Anonymisation: managing data protection risk code of practice

(identifying patients personally)

exempt from opt-out Typical pharmacy data flow

 

Answering the Toolkit question about compliance with the opt-out

You are recommended to use the Data Security and Protection Toolkit guidance materials including the ‘How to complete’ summary briefing to complete your Toolkit as soon as possible after the Community Pharmacy England 2020/21 guidance is published and ahead of the final Toolkit deadline (30th June 2020). Community Pharmacy England is working with NHS Digital’s Toolkit team to produce its guidance. The Toolkit includes a question about whether the pharmacy contractor is “compliant with the national data opt-out policy”.

Community Pharmacy England’s Toolkit question-by-question guidance explains that you may enter ‘Yes’ within the comments box, because you (and other pharmacy contractors) should be processing identifiable data for other reasons instead of relying only on planning/research. Contractors should reference the opt-out policy within their own privacy notices (which can be made available on websites and/or within leaflets for patients that request information). Within the Toolkit opt-out question you are advised to also click the ‘enter document’s location’ option and type ‘Privacy notice’ if yours references the opt-out. Patients have also been notified about the opt-out via NHS transparency notices. The images below demonstrate how you may complete. You can click ‘save’ to complete the question.

Suppliers

EPS and Community Pharmacy Contractual Framework (CPCF) system suppliers or system users may inform Community Pharmacy England about progress:

System System supplier Supplier confirmed to Community Pharmacy England alignment to opt-out policy and system? Supplier website privacy notice includes patient facing information referencing opt-out?
Analyst Positive Solutions tbc tbc
CoMPass / LS Lloydspharmacy Limited tbc tbc
Nexphase Cegedim Rx Yes tbc
Pharmacy Manager Cegedim Rx Yes tbc
PharmOutcomes Pinnacle Health LLP tbc tbc
ProScript systems EMIS tbc tbc
ProScript LINK AAH Pharmaceuticals tbc tbc
RxWeb Clanwilliam Health tbc tbc
Sonar Sonar tbc tbc
Titan Invatech Health tbc tbc

FAQs

Q. Why was the opt-out system introduced?

NHS Digital developed the data option system available as recommended in ‘Your Data, Better Security, Better Choice, Better Care’ and within the Government’s response to the National Data Guardian’s ‘Review of Data Security, Consent and opt-outs’. With the expansion of healthcare services being offered in the community, the National Data Guardian (NDG) recommends that healthcare data security standards continue to be reinforced.

Q. What are the arrangements for organisations if they may need to process identifiable patient data with only research/planning as the basis?

Organisations that wish to process identifiable data with only planning/research as the reason must work through the NHS Digital opt out documents and as needed access the opt-out system to assist their data processing. The Community Pharmacy IT Group considered the opt-out matter and determined that pharmacy contractors should continue to maintain exemplary governance arrangements and should therefore not begin to process identifiable data with only planning/research as the reason.

PMR suppliers and PMR’s aggregator companies must also complete the Toolkit each year and confirm alignment with opt-out policy within their Toolkit answers. It is recommended that PMR suppliers and aggregator companies also mention within their own public privacy notices they align with the opt-out policy. Pharmacy contractors that have PMR queries may direct these to their PMR supplier. NHS bodies such as NHS Digital will also confirm their ongoing alignment to opt-out policy e.g. via Toolkit submissions.

Further info

See the FAQs above. Also, if you have queries on this Community Pharmacy England webpage or you require more information please contact it@cpe.org.uk. To share and hear views about digital developments with like-minded pharmacy team members, join the CP Digital email group today.

 

 

Return to the IT section: Data security and information governance

Return to the Pharmacy IT hub or IT a-z index

Latest Digital & Technology news

View more Digital & Technology newsSee all