GP, IG/FOI/Records Access Lead, Caldicott Guardian, DPO
I can't think of anything more utterly useless. An absolute gimmick.
All I want is a clinic letter, preferably within 7 days of the appointment, and ideally electronically. I have no interest whatsoever in viewing the secondary care consultation, and I am absolutely sure that my consultant colleagues have absolutely no interest in viewing mine. A decent, informative, referral letter from me is what they want.
"Dr Shashikanth said his assigned PCN wants to write to patients promoting services"
That is marketing.
That requires the explicit consent of patients. I doubt they have all already agreed to receive such promotional material from an organisation outwith their GP surgery.
PECR do not cover marketing by post, but if you are sending post to named individuals you must comply with the Data Protection Act and the GDPR.
Just to clarify, information already known to the patient still has to be disclosed under a SAR.
Personally, I think we can safely infer that disclosing the record in this way, where reasonable (i.e. the patient can collect it), fully upholds the data subject’s right of access and meets the requirements that disallow an order under CPR 31.17 (and probably CPR 31.16).
Were you to make the record available for collection and not provide an alternative route if the patient was housebound/in prison/in a nursing home, then that could be deemed a contravention of Article 15.
If you refuse to send the SAR to a third party and that results in either no disclosure (pt in prison) or an unsafe disclosure (patient has lost capacity) then that could be deemed a contravention of Article 15. Such situations are uncommon though.
When it comes to civil actions, which the vast majority of SARs that we receive relate to, then the disclosure of records within civil claims is still governed by the Civil Procedure Rules (CPR). Disclosure in civil cases was clarified by the case of Dunn v Durham  EWCA Civ 1654, which confirmed that the CPR was the correct regime under which to disclose and redact *documents*.
There is case law about SARs, CPR, and DPA 1998 though, much of which would be applicable to DPA 2018:
Seeking remedy, where the patient refuses to collect the record and could perfectly do so, would have to go down the DPA s167 route. That is complex and expensive (as the judge says) and the court would look dimly on the costs involved when the alternative is simply for the patient to collect their own record. And no solicitor is going to risk high court costs for such a trivial matter – assuming the practice had not *refused* the SAR.
The ICO has stated that practices are, of course, entitled not to disclose to a third party where they have concerns, but that there must not be a “blanket” policy of never disclosing to a third party (because sometimes we have to). It is important that a SAR policy reflects this, that all SARs are assessed individually, including the ability of the patient (or their spouse/partner etc) to be able to collect the SAR - as they do with all other forms, certificates, letters, results...
But I do a DS1500 anyway. It doesn't affect the benefits that they are entitled to, or ultimately receive, simply how quickly their application is processed.
"You will not face any negative consequences from the factual information you supply, for example if your patient lives longer than 6 months."
"Determining life expectancy in these circumstances is not an exact science. The form asks for factual information and does not require you to give a prognosis."
Sorry, that prevents PATIENTS *registering* at another local practice!
They can't possibly do that.
The CCG could facilitate a "ban" in all but name by permitting all local practices to close their lists. That effectively prevents practices *registering* at another local practice.
Funding a DPO won't help with costs (time/money). The DPO role is advisory only, it remains the obligation of the data controller - the practice - to do the donkey work for SARs, DPIAs, privacy notices, assessing new data sharing etc etc.
Funding the work that the IG lead for the practice has to do is another matter, but throwing money at the practice won't help the fact that GPs are spending an increasing amount of time away from direct patient care dealing with SARs etc - no amount of money will help if they can't get locums to cover.
We do the same. Patient *always* collects the SAR.
We can't (usually) charge - all we can do is limit the cost to us, and put up private fees elsewhere to compensate.
I do hope that anyone who receives such an email will complain to the ICO.
What's the difference between askMyGP and other e-consultation platforms (such as E-Consult)?
No, the GP practice remains the data controller I believe - data is viewed in real-time (streamed), not extracted and uploaded to a central data repository, so does not leave the GP records database as such. Practices can turn this on and off at will via EMIS web.
Promoting the NHS App via text is direct marketing...
Good luck recruiting 120 GPs to the area...
We all have data privacy rights.
Patients AND doctors.
No - this would be a request under a different Act.
See Paul Cundy's other article.
To correct some factual inaccuracies:
"Patients will also have the power to request their information is moved or deleted"
The right to data portability (I think that is what you are referring to) does not apply to GP records - it only applies "where the processing is based on the individual’s consent or for the performance of a contract". For GP records, we do not rely upon consent, and we do not have a contract with the patient.
The right to erasure does not apply if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority - Article 6(1)(e); which is the legal basis that we are relying upon for our GP records. Patients have the right to rectification, but not to their records being "deleted".
Thank you for everything Nigel, best of luck for the future.
No, the practice is the data controller.
The server is in Leeds (for example) and the system supplier hosts the surgery database - in doing so, is a data processor.
The system supplier cannot do anything with the patient records without the data controller's permission/instruction.