GPs are the weakest link in data losses claims NHS chief
By Steve Nowottny
The Government is planning to make compliance with data security standards a contractual requirement after claiming GPs are the weak link in keeping patient records safe.
The plans – which are likely to be resisted by GPC negotiators – come just a week after a Pulse investigation found that four NHS trusts in five have lost patient data or suffered a data security breach since the beginning of last year.
More than 1,300 incidents have been reported since January 2007 – with the majority occurring in hospitals or among PCT staff.
But the Department of Health is considering introducing new measures into the contract as one of a number of ways of cracking down on practices, after a warning from the Information Commissioner that GP surgeries may be particularly vulnerable to data loss because of their ‘dispersed nature' and their ‘independent status'.
In a circular to PCTs, NHS chief executive David Nicholson said: ‘Each practice is legally responsible for holding data securely and we are looking at the national contract and considering how best to secure compliance with standards through contractual means in the future.'
Other measures proposed include asking practices to sign up to information governance standards, enabling practices to encrypt back-up tapes and ensuring PCTs have conducted risk assessments for the transport of patient identifiable data among practices.
GPC negotiator Dr Chaand Nagpaul said that while GPs were always mindful of their responsibilities to safeguard data, breaches were in fact more likely to occur in hospitals and larger organisations.
‘There is absolutely no evidence to suggest that GP surgeries are in any way posing a greater risk of data security compared to the rest of the NHS,' he said. ‘On the contrary given the fact that they are small organisations, it is far easier to monitor, manage and supervise data security and protocols.'
‘I'm surprised he feels it is something that should be incorporated into the GP contract because we already do have data security standards,' he said, adding that data security was already incentivised in the IM&T DES and the organisational domains of the QOF.
But Dr Neil Bhatia, a GP in Yateley in Hampshire, said: ‘There's no doubt that there are practices whose information governance and policies do place information at risk of being disclosed without consent, lost or stolen.'
‘I can't see why GPs would be concerned about it being contractual – it is a legal requirement after all.'You are are the weakest link: NHS chief executive David Nicholson You are are the weakest link: NHS chief executive David Nicholson