NHS Digital has been directed by the Department of Health to replace the type 2 opt-outs with a new national data opt-out programme.

The national data opt-out programme is due to create, test, consult and implement a national opt-out, both online and in person, across England’s health and care system.

The instructions were received via a letter to Sarah Wilkinson, chief executive of NHS Digital, from Lorraine Jackson at the Department of Health in August, and told NHS Digital to:

  • Collect patient opt-out data
  • Create a national repository for central storage of the opt-out data
  • Create a new national opt-out system that allows health and care organisations to access the opt-out information
  • Write to those who already have the Type 2 to inform them of the transition

The third Caldicott report, published July 2016, was written by Dame Fiona Caldicott, the national data guardian.

The government’s response, published a year later, endorsed Dame Caldicott’s recommendations to provide a national opt-out. It says that NHS Digital will begin to uphold the national opt-out from March 2018, and all health and care organisations

“Replacing the type 2 opt-out by a national data opt-out is a logical consequence of the government’s response to the NDG report”, Eerke Boiten, professor of cybersecurity at De Monfort University, told Digital Health News. However, he believes there may be issues with communicating the opt-out.

Boiten’s main concern with the paper is the lack of mention of the General Data Protection Regulation (GDPR).  “This has a serious consequence for an area where patients will not be offered any opt-out”, he said.

“The GDPR has very clear definitions of anonymization and pseudonymisation, as different concepts, and crucially, pseudonymised personal data remains personal data under the GDPR.”

“The traditional NHS practice, relying on pseudonymisation turning personal data into non-personal data under the DPA to share pseudonymised databases with lots of interested parties, will not stand up under the GDPR,” he warned.

The business case for the programme was approved 17 February by the Personalised Health and Care 2020 Technology and Data Investment Board.

Phil Booth, co-ordinator at privacy campaign group MedConfidential, told Digital Health News that the document “provides the legal basis for NHS D for implementing the Caldicott consent choice, the details are yet to be worked out”.

“The new system should be consensual, safe and transparent, and be it the department of health is moving in that direction.”

The senior responsible owner is Katie Farrington, director of primary care, digital and data at the Department of Health.