Electronic patient records (EPRs) hold great promise for improving patient care and public health. However, governments in Europe and North America have recently adopted legislation for the processing of personal data. In the United Kingdom there is a consensus that the Data Protection Act (1998) and the Human Rights Act (1998) have significant implications for the consent required for health data to be processed or passed. However, interpretations of these implications have been wide-with considerable differences apparent between regulatory bodies, government, researchers and practitioners. These arguments centre on the form of consent generally required to pass electronic personal data to health care personnel for use in decisions about the health care of populations or the individual, the circumstances in which different methods of consent are appropriate and the sufficiency of the public interest needed to counter the need for direct informed consent. To assist those developing EPRs or similar systems, we present the 'opt-out' consent strategy used for the implementation of the Coronary Heart Disease (CHD) Register developed as part of the Scottish Executive National CHD Demonstration Project. This strategy balanced the individual's right to consent with the public interest by taking all reasonable steps to inform residents about the potential direct and indirect purposes of the register, storage arrangements and types of individuals likely to access personal and anonymised data on the register. Simultaneously, the population was provided with easy and equally available opportunities to opt-out of inclusion.