Health data: the national data opt-out and the GDPR

Johan Ordish

24 April 2018

You might have heard of the new national data opt-out (NDO). You may have also heard of the General Data Protection Regulation (GDPR). Perhaps you’ve even heard both mentioned in the same breath. However, whilst it is true that they are both concerned with data, and both come into effect on the same day – 25 May 2018 – the NDO is not an effort to implement the GDPR into health and social care. Indeed, the exact relationship between the NDO and GDPR is hazy – and the source of considerable confusion.

What is the NDO?

Patients generate data. Much of this data is used for their direct medical care: to inform diagnosis, to dictate proper treatment, and so on. This data also has a number of secondary uses. It is indispensable for all sorts of medical and health system research, including into quality, safety and our understanding of what works for the NHS system as a whole. Despite the importance of such uses of data for the NHS, the choice to share data for secondary uses lies with the patient themselves. Currently, a patient may utilise a number of opt-outs to ensure that their data is not shared for secondary use. If patients wish to opt-out of giving data to, for example, the National Cancer or National Congenital Anomalies and Rare Diseases Registers, they must select this option separately. The NDO in part, is an effort to simplify this process, as encapsulated in the National Data Guardian’s Review of Data Security, Consent and Opt-Outs:

‘a patient should be able to state their preference once (online or in person), confident in the knowledge that this will be applied across the health and social care system’.

The NDO aims to achieve this by collapsing existing types of health data opt-outs into one overarching ‘super’ opt-out, the NDO. Currently there are two types of opt-out; type 1 relates to information that goes beyond a patient’s GP practice. If a patient effects a type 1 opt-out, their information will not automatically be shared beyond the needs of that patient’s direct clinical care. Bodies such as NHS Digital will not have access to that patient’s data to use for research.

Type 2 opt-outs concern patient information that goes beyond NHS Digital. If a patient choses a type 2 opt-out, NHS Digital will receive their data and potentially be able to use it for some purposes, but are not permitted to share that data with bodies they partner with, such as, universities and industry.

Not so simple after all

The NDO will make what is currently two opt-outs for sharing data for secondary use into one opt-out. There are two important features to note about this ‘simplification’.

First, the existing opt-outs and this new NDO only relate to a subset of patient information. The opt-outs do not affect information shared for a patient’s medical care. The opt-outs do not restrict use of patient information that has been anonymised or pseudonymised according to the Information Commissioner’s Anonymisation: managing data protection risk code of practice. Moreover, the opt-outs also do not block information shared following a mandatory legal requirement (e.g. a court order) or where an overriding public interest consideration applies (e.g. relating to potentially dangerous infectious diseases). Consequently, the data flow at stake is information for secondary use that identifies the patient and where a mandatory legal requirement or overriding public interest does not apply (see note at end).

Second, the NDO will not actually result in one opt-out for all health and social care systems. Rather, after 2020, the mass of opt-outs is reduced by one, but multiple other separate opt-outs will remain in operation. For example, the National Cancer and National Congenital Anomalies registers continue to be separate. Hence, the system retains much of its complexity and remains far from being one opt-out across health and social care data.

The NDO and the GDPR

How the NDO and the GDPR fit together is mostly a matter for speculation. However, the sparse guidance on how the two relate suggests that the GDPR could have one of two impacts. The less likely scenario is that the NDO contravenes the GDPR. More probably, the GDPR will render the NDO somewhat irrelevant.

Depending on how the NDO is applied, it may contravene the GDPR. The GDPR takes a very dim view of opt-out measures used to imply consent to uses of personal data. This is especially true of health data that counts as sensitive personal data under Article 9 of the Regulation. Under Article 9, one may process personal data only if one of nine specific exemptions (derogations) apply, or if the patient has given their explicit consent.

The NDO does not easily fit into this framework. The GDPR is crystal-clear: offering an opt-out choice does not count as evidence that consent has been given to the processing of sensitive personal data. Conversely, if any of the derogations apply, consent to data processing is unnecessary. This being the case, the NDO does not appear to help establish a legal basis to process health data. The only way it might be relevant is where a body, relying on the legitimate interests basis of Art 6(1)(f) GDPR, uses the NDO as evidence of having taken due account of an individuals rights. Interestingly, none of the official guidance currently mentions this possible link between the GDPR and the NDO, suggesting only a parallel relationship between the NDO and the GDPR by saying that the system operates alongside but is not replaced or changed by the GDPR.

The right to object

The NDO cannot be used as a legal basis to process health data. Could it perhaps be used as a way to give effect to the right to object? The short answer is no. Articles 12 and 21 GDPR establish that individuals have a right to object to the processing of their data when certain legal bases are relied upon. Ordinarily, this would raise an interesting point: would an opt-out system satisfy such a right to object? It seems not. NHS Digital have explicitly said that the NDO will be offered ‘alongside their legal right to object’; that is, the NDO is not a system meant to give effect to the right to object.

What is the point of the NDO?

This all begs the question: what is the point in creating a parallel system of opt-outs when they do not give effect to the stronger rights that exist in the GDPR? The second the NDO comes into effect, the GDPR does too, meaning that its impact is considerably curtailed from the outset.

To sum up the relationship between the new NDO and the GDPR: the NDO exists independently of the GDPR in an area that the GDPR already occupies. If the NDO is to be effective, its architects need to demonstrate why we would keep a parallel system of opt-outs, when the GDPR provides the patient with sturdier rights and carries the weight as well as supremacy of EU law.

This blog is intended to provide general information and understanding of the law. This blog should not be considered legal advice, nor used as a substitute for seeking qualified legal advice.

PHG Foundation plans to release guidance to clarify when a health/social care opt-out applies shortly.