This site is intended for health professionals only

At the heart of general practice since 1960

CCGs should pay for data protection officers, suggests partnership review

CCGs should fund data protection officers to help overworked practices cope with patient data requests, the GP partnership review has suggested.

The review, which was commissioned by the Government and independently chaired by GP Dr Nigel Watson, said the ‘burden’ of the General Data Protection Regulation (GDPR) was disproportionately high for GPs and needed to be addressed.

Under GDPR, which took effect in May, GPs have to comply with requests for data from patients within one month and cannot charge patients or solicitors for a copy of health records.

GPs must also designate a data protection officer to monitor compliance and act as a point of contact for patients requesting access to their data. They can be appointed within the practice, shared with another practice, or appointed externally by CCGs or health boards.

The review, published today, said: ‘This burden should be recognised and supported, which could include the provision of resources such as a data protection officer by CCGs.’

Earlier this month culture, media and sport minister Margot James ruled out exempting GPs from GDPR so they could charge patients for access to data.

Speaking to Pulse, Dr Watson said GDPR was having a ‘disproportionate impact’ on general practice, and while other small businesses can pass the charge onto their customers, practices cannot do that.

He said: ‘Many have a full-time person photocopying or printing out notes for patients or solicitors asking for subject access requests. So the cost to practices – now they can’t charge – is quite significant and is being borne by practices.

‘We are suggesting the NHS or Government needs to take recognition of that. This has a financial impact on general practice. And therefore there needs to be some resource to go with it.'

GPC IT lead Dr Paul Cundy said: ‘I think every little helps...I would have worries about CCGs having the competence to provide data protection officers but direct re-imbursement of practice-provided data protection time would be welcomed.’

NHS England previously said that CCGs have a ‘responsibility to provide support for data protection officers’ although the details of how that is done is up to individual CCGs.

Pulse reported in October that commissioners in parts of England were suggesting charging GPs hundreds of pounds a year to access data protection officers. In one case, NHS Bedfordshire CCG said GPs would have to pay £1,800, although later claimed this was an ‘early estimate’.

Meanwhile, practices in Scotland will have data officers provided for them by health boards at no cost, the Scottish Government announced in December.

Key recommendations from the report

1. There are significant opportunities that should be taken forward to reduce the personal risk and unlimited liability currently associated with GP partnerships.

2. The number of general practitioners who work in practices, and in roles that support the delivery of direct patient care, should be increased and funded.

3. The capacity and range of healthcare professionals available to support patients in the community should be increased, through services embedded in partnership with general practice.

4. Medical training should be refocused to increase the time spent in general practice, to develop a better understanding of the strengths and opportunities of primary care partnerships and how they fit into the wider health system.

5. Primary Care Networks (PCNs) should be established and should operate in a way that makes constituent practices more sustainable and enables partners to address workload and safe working capacity, while continuing to support continuity of high quality, personalised, holistic care.

6. General practice must have a strong, consistent and fully representative voice at system level.

7. There are opportunities that should be taken to enable practices to use resources more efficiently by ensuring access to both essential IT equipment and innovative digital services.

 

Source: GP Partnership Review

Readers' comments (2)

  • Neil Bhatia

    Funding a DPO won't help with costs (time/money). The DPO role is advisory only, it remains the obligation of the data controller - the practice - to do the donkey work for SARs, DPIAs, privacy notices, assessing new data sharing etc etc.
    Fund the work that the IG lead for the practice has to do is another matter, but throwing money at the practice won't help the fact that GPs are spending an increasing amount of time away from direct patient care dealing with SARs etc - no amount of money will help if they can't get locums to cover.

    Unsuitable or offensive? Report this comment

  • Dear All,
    The actual quote i gave pulse had the word "some" inserted between the word "about" and "CCGs". It should read "....I would have worries about SOME CCGs having the competence to provide data....."
    Regards
    Paul C

    Unsuitable or offensive? Report this comment

Have your say