Update Assurance process on the National Data Opt-out Standard

Owned by Chiara.Beckett (Unlicensed)
Last updated: 27-06-2023 by Bhoopalan Parthiban (Deactivated)Version comment
5 min read

ID

RM184

Version

1.0.0

Type

Roadmap Item

Frameworks

Title

Update Assurance process on the National Data Opt-out Standard

Description

Changes to the National Data Opt-out Standard due to a new assurance process

Date Added

May 16, 2023

Standards and Capabilities

Interoperability Standard, National Data Opt-out

Change Route

Patch

Change Type

Uplift

Status

Closed

Publication Date

May 30, 2023

Effective Date

Jun 13, 2023

Incentives / Funding

No

Incentive / Funding Dates

N/A

Background

The National Data Opt-Out is an option that gives Patients a simple and accessible way of controlling how their Confidential Patient Information (CPI) is used for purposes beyond direct care. The National Data Opt-Out allows Patients to choose if they wish to only allow their CPI to be used for their direct care and treatment, or if they wish to allow their data to be shared with other Health Care Organisations for planning and research purposes.

By 31st July 2022, Suppliers of General Practice systems needed to be compliant with all requirements pertaining to National Data Opt-Out. Where the National Data Opt-out must be applied, it should be at the earliest stage in the processing chain as possible, prior to any data being extracted from the Foundation Solution.

A new Assurance Approach has been defined and clarification guidance regarding the data bulk extract has been included in the National Data Opt-out Standard.

Outline Plan

N/A

Summary of Change

Interoperability Standard - National Data Opt-Out: Introduction, Compliance and Requirement sections updated

Introduction

The National Data Opt-Out Service Programme has been established to ensure that a mechanism is developed and available for Health and Social Care organisations to use that will enable a Patient’s preference to be honoured accordingly, e.g. if a Patient’s preference is to opt-out then their data is to be withheld from being shared from appropriate disclosures – this is known as the ‘Upholding’ of an opt-out.

Compliance, and Assurance and Testing

At a high-level, Compliance, Assurance and Testing of the National Data Opt-Out will align with the following steps:

  1. The NDOP Service Onboarding Team will provide Suppliers with the necessary information and materials to enable them to determine the feasibility of developing a technical product. This can be done with a combination of face to face and online sessions and by self-serving content from the Internet

  2. The NDOP Service Onboarding Process flow is available

  3. Suppliers are prioritised for go live by approved process employed by the NDOP Service Onboarding Team

  4. The NDOP Service Onboarding Lead will manage access to Path to live (PTL) environments

    1. Whilst connected to the INT environment, the Supplier will be expected to execute their own tests. The testing may be used as evidence to support the mitigation of risks identified in the Risk Log. Alternatively, SA may request tailored evidence in order to support their assurance activities

  5. In parallel the ‘Supplier & Product information’ SCAL tab and Connecting Systems Risk Log will be completed by the Supplier. If the Supplier has an existing SCAL then this would be sent to them to ensure the details are correct. The NDOP conformance tab would be inserted to the existing SCAL

  6. SCAL completion and sign-off:

    1. In parallel with development and testing / technical conformance the Supplier will provide Supplier & Product information and all Service-specific sections in the SCAL

    2. The contents of the SCAL (as provided by the Supplier) will be reviewed by the Authority stakeholders (co-ordinated by the Onboarding Lead) and any exceptions that are flagged e.g., ambiguous or incomplete Supplier responses to any requirements or questions, will be annotated and returned to the Supplier to resolve

  7. Once the SCAL is signed off by the NDOP Service Onboarding Lead, the Supplier will be sent the legal document (Connection Agreement) for signature. This always involves the Supplier commitment to sharing the EUO AUP with all EUOs

  8. The Supplier is now ready for a live deployment to a limited number of sites (known as First of Type), which will be managed by the NDOP Service Onboarding Lead with Live Services (for ‘release management’), an exception to this is GPIT NMEs, see note below

  9. The Deployment Verification Criteria (DVC) for NDOP is:

    1. Stable running for a minimum of 14 days

    2. At least 1 report applying NDOP has been produced during DVP

Upon agreement that DVC has been met, the Supplier is then permitted to move to full rollout

Note: New Market Entrants Foundation Suppliers will not be able to move to live service until the full foundation Solution has been assured. This will be managed by the Suppliers assigned GPITF delivery lead.

For further information or to onboard to National Data Opt Out, please contact liveservices.operations@nhs.net

At a high-level, Compliance, Assurance and Testing of the National Data Opt-Out will align with the following steps:

  1. A GP System Supplier will provide NHS Digital Solution Assurance with their full list of data extractions/ data disseminations impacted for NDOP, for reference.

  2. A GP System Supplier will provide NHS Digital Solution Assurance with their detailed user stories and their associated acceptance criteria, for each NDOP requirements in scope, for reference and any feedback.

  3. A GP System Supplier will provide NHS Digital Solution Assurance with their test cases against each of their user stories and the pass/fail test results against each test case. Evidence of associated test criteria for supplier test cases may be additionally requested by NHS Digital Solution Assurance. 

  4. A GP System Supplier Testing to include but not limited to:

    1. Retrieval and upholding of Patient National Data Opt-Out preference for a single Patient data dissemination(s)

    2. Retrieval and upholding of Patient National Data Opt-Out preference for multiple Patients data dissemination(s)

    3. Patient changes their National Data Opt-Out choice and its’ effect on data dissemination(s) from the GP System

    4. Testing that any Type 1 opt-out preferences recorded in the GP system for Patients, continue to be respected

    5. Testing that the GP system is able to report with the required report data attributes on whether Patient data was included or removed from a dataset along with the reason for inclusion/exclusion

    6. Audit logging for retrieval of Patient’s National Data Opt-Out preference

  5. NHS Digital Solutions Assurance to sample a set of Supplier test cases for witness testing in a witness test session lasting not exceeding more than one day

  6. FOT (First of Type) DevMAC to be awarded to the GP System Supplier at the end of the successful assurance

  7. FRA (Full Rollout Approval) DevMAC post successful FOT

Requirements

National Data Opt-Out applies to all in-scope data from GP systems including any exports, extracts, releases, disseminations and disclosures from GP systems as defined by National Data Opt-Outs Operational Policy.

Supplier Solutions need to retrieve the National Data Opt-Out Status before using or disclosing data, which can be done over Message Exchange for Social Care and Health (MESH). 

Technical information below describes, how to access and use MESH to check for national data opt-outs:

Check for National Data Opt-outs Service

DCB3058 Compliance with National Data Opt-Outs contains further information on the Standard and information on the legal, strategic and policy context behind the requirements.

The final set of National Data Opt-Out requirements, v2.0 published April 2019, can be accessed below: 

 

Full Specification

National Opt-Out Standard

Assurance Approach

See the updated Assurance Approach in the National Opt-Out Standard.

Â