Who must comply with the national data opt-out policy

The opt-out covers confidential patient information collected when care in England is provided. This includes:

• publicly-funded, commissioned or coordinated health and care
• private care given in NHS settings

All organisations providing or coordinating publicly-funded health or care in England will need to comply with the opt-out, even if the organisation’s headquarters are outside England. This includes private, voluntary and independent organisations and adult social care. Children's social care services are not covered by the opt-out.

The national data opt-out applies to data that originates within the health and adult social care system in England as set out in information standard DCB3058: Compliance with National Data Opt-outs. The health and adult social care system in England is defined within the Heath and Social Care Act Section 250. Organisations considered to be included are:

• Department of Health and Social Care and other national bodies, for example NHS England
• NHS and Local Authorities providing health and adult social care services in England
• other organisations or individuals who provide health or adult social care services in England under contracts agreed with NHS and local authorities.

This includes the following organisations and services:

• adult care homes
• ambulance services 
• child health services
• community services
• Defence Medical Services (DMS)
• dentists (providing NHS care)
• DHSC and the national bodies it governs
• GP practices 
• home-provided services
• hospitals
• mental health services
• opticians (providing NHS care)
• pharmacists (providing NHS care)
• private providers including Any Qualified Providers (AQPs) who provide health and adult social care services which are funded or co-ordinated by a public body
• public health  services, including local authority services and providers such as school nursing
• secure facilities such as prisons and young offender institutes

The national data opt-out also applies to any subsequent release of the data collected by these organisations acting as data controllers, such as NHS Digital or Public Health England. Data relating to private care held by NHS Digital is included. 

The national data opt-out does not apply to:

• health and care data for privately-funded care or treatment by a private provider organisation, unless it is coordinated by a public body, such as a local authority
• organisations providing only children’s social care 
• organisations that deal with health related data that originated outside the health and adult social care system, for example assessments for disability or other benefits purposes for the DWP
• patient information that originated outside England, including home nations and crown dependencies - these locations may have their own opt-out arrangements

For more information, including specific inclusions and exclusions, see Which organisations does the opt-out apply to? in the national data opt-out operational policy guidance.

All health and adult social care organisations in England that act as a sole data controller or a joint data controller for patient data have a responsibility to consider the national data opt-out policy and ensure it is being applied in accordance with the policy.

A data controller is a person acting on behalf of an organisation who (either alone or jointly with other persons) determines the purposes for which and the way any data is or is to be processed. Read the ICO guidance on data controllers and processors. 

Data controllers must also ensure that any other organisation acting as a data processor on their behalf is also in compliance with the policy.

For more information see 4. Which organisations does the opt-out apply to? in the operational policy guidance document.