

3,000 practices at risk of GDPR breach due to new childhood vaccine data system

Over 3,000 GP practices are at risk of breaching the Data Protection Act due to a new childhood vaccination data system.

The BMA warned around 3,300 GP practices could be affected by the new extraction system, which is used to share data with the Child Health Information Service (CHIS).

The concerns revolve around the principle of data minimisation, which requires systems to hold the minimum amount of personal information needed to fulfil the purpose, but no more.

GPs should not sign up to any new CHIS extraction system until the issue is resolved, the BMA said. 

Other extraction services may also put GPs at risk of breaching GDPR, the BMA warned. It said the situation is currently being clarified.

This comes as the new five-year GP contract has promised practices access to a data protection officer (DPO) through their CCG, in order to monitor compliance with the data protection law and to act as a point of contact for patients requesting access to their data.

In the memo to GPs, the BMA said: ‘We have received reports that LMCs in the West Midlands region have received communications from their local community trust with regard to changes to the process for electronic transfer of childhood vaccination and immunisations data from GP systems to the Child Health Information Service (CHIS).

‘We believe this issue also impacts practices in London and southwest regions and up to 3,300 practices. It is also possible that this issue may impact other extraction services; we are in the process of clarifying this.’ 

‘Having received legal advice, the GPs Committee is concerned that practices using the new proposed extraction system to share childhood immunisation data may be placing themselves in breach of GDPR,’ it added.

The BMA told Pulse it believes the issue may be due to the system not meeting the principle of ‘data minimisation’, which requires data controllers to only retain the minimum information needed, and no more.

The BMA told practices not to sign up to any new extraction system related to changes to the CHIS in England until the issue is resolved.

Concerns were also raised by Cleveland LMC, which reported that some NHS trusts had made changes to their system for the sharing of child health data, which may not comply with GDPR.

The LMC said: ‘We have been made aware of an issue elsewhere in the country where the local trusts have changed their system for the process for electronic transfer of childhood vaccination and immunisations data from GP systems to CHIS.’

‘Whilst we are not aware of this issue being in the Teesside area, GPC understand it may impact on other extraction services; they are in the process of clarifying this,’ it added.

The new Data Protection Act, brought in last May, has caused many issues for GPs, as the regulations stopped practices charging a nominal fee for digging out patient information.

This led to a significant increase in subject access requests (SARs) received by GPs.

Some GPs also received a number of SARs from police departments, as part of firearms checks. This process was criticised by the Information Commissioner’s Office (ICO), which said the requests were not only ‘unnecessary’, but they could ‘potentially constitute a breach of the Data Protection Act’.

The five-year GP contract has pledged £20m through the global sum, each year, to compensate GPs for the extra work caused by such requests.