NHS Digital has been directed by the Department of Health to replace the type 2 opt-outs with a new national data opt-out programme.
The national data opt-out programme is due to create, test, consult and implement a national opt-out, both online and in person, across England’s health and care system.
The instructions were received via a letter to Sarah Wilkinson, chief executive of NHS Digital, from Lorraine Jackson at the Department of Health in August, and told NHS Digital to:
- Collect patient opt-out data
- Create a national repository for central storage of the opt-out data
- Create a new national opt-out system that allows health and care organisations to access the opt-out information
- Write to those who already have the Type 2 to inform them of the transition
The third Caldicott report, published July 2016, was written by Dame Fiona Caldicott, the national data guardian.
The government’s response, published a year later, endorsed Dame Caldicott’s recommendations to provide a national opt-out. It says that NHS Digital will begin to uphold the national opt-out from March 2018, and all health and care organisations
“Replacing the type 2 opt-out by a national data opt-out is a logical consequence of the government’s response to the NDG report”, Eerke Boiten, professor of cybersecurity at De Monfort University, told Digital Health News. However, he believes there may be issues with communicating the opt-out.
Boiten’s main concern with the paper is the lack of mention of the General Data Protection Regulation (GDPR). “This has a serious consequence for an area where patients will not be offered any opt-out”, he said.
“The GDPR has very clear definitions of anonymization and pseudonymisation, as different concepts, and crucially, pseudonymised personal data remains personal data under the GDPR.”
“The traditional NHS practice, relying on pseudonymisation turning personal data into non-personal data under the DPA to share pseudonymised databases with lots of interested parties, will not stand up under the GDPR,” he warned.
The business case for the programme was approved 17 February by the Personalised Health and Care 2020 Technology and Data Investment Board.
Phil Booth, co-ordinator at privacy campaign group MedConfidential, told Digital Health News that the document “provides the legal basis for NHS D for implementing the Caldicott consent choice, the details are yet to be worked out”.
“The new system should be consensual, safe and transparent, and be it the department of health is moving in that direction.”
The senior responsible owner is Katie Farrington, director of primary care, digital and data at the Department of Health.
13 October 2017 @ 21:10
I fully agree with you Peter, DATA empowers people to be in control of their lives, some may find this frightening and scary, I don’t. This is not an academic exercise, far from it ! We are in the C21, very different from the C20, people are far better educated and do not need to be “treated” like children. Future Generations luv apps, they rely on them, they give them choice, they are an efficient way of running THEIR lives and, yes, they level the playing field. What is needed now is a practical approach to the management of health data, not an academic approach.
13 October 2017 @ 20:51
Please can someone write a statement for the general public that explains in simple terms how the opt-outs reconcile with a) the management of sensitive personal data under the GDPR (UK Data Protection Act 2018) and b) the concept of the Common Law of Confidentiality and “implied consent”.
The NHS and Local Authorities will be required to by law to write Privacy Notices explaining the legitimising conditions for processing special category data (Health & Social Care). Under GDPR the NHS can do this without “explicit consent” yet their GP may be telling them they are processing data with “implied consent “and in the same breath also telling them they can withdraw consent for some of the aspects of processing by using their Caldicott opt-out.
This is not transparent it is confusing
30 September 2017 @ 04:34
Makes sense, in my personal and honest opinion the IT domain of health care should be moving to a business model where care providers become DATA collectors and not DATA controllers/managers. This approach would lead to significant improvements in efficiency and would mean it would be much easier to maintain the DATA for a PERSONs health journey (for physical health care activity, mental health care activity, social care activity) across different types and location of care setting i.e. it would support INTEGRATED care Models of care.