This site is intended for health professionals only

At the heart of general practice since 1960

pulse june2020 80x101px
Read the latest issue online

GPs go forth

Big data = big deal

  • Print
  • 5
  • Save

According to a recent article in Pulse, it’s only a matter of weeks before patient data will start flowing from GP practices to the Health and Social Care Information Centre (HSCIC) as part of which will allow information to be linked across all areas of healthcare.

Big deal, you might think, let’s just carry on seeing patients.  Actually it is a big deal, and for a number of reasons.

Perhaps the most important is that the data that will be extracted from patients’ medical records will be identifiable and not only will it be used within the NHS, it could be sold to private organisations who are willing to pay for it.

Another important reason is that in the eyes of the Information Commissioners Office we as GPs are considered to be ‘Data Controllers’ under the Data Protection Act. Therefore, if we haven’t taken adequate steps to inform our patients their confidential information is being shared (so they can exercise their right to say no) they can complain and it will be our necks on the block.  Oh - and apparently putting up a few posters in the waiting room and adding something to the practice web site isn’t considered adequate.

Which is why, after a lot of complaining by GPs and patients, NHS England and the HSCIC has decided to spend £2m on a publicity campaign which will include a leaflet drop to all 22m households in England.

Hooray, you might shout, common sense prevails and we don’t have to send letters to every patient informing them about any more.

No, all we have to do is wait for the deluge of questions about it.  Not that any of us have the answers to give.  I just hope the leaflet doesn’t contain the phrase: ‘if you’re worried about your data being shared, see your GP’.

Be warned, the floodgates are about to open.

Dr Hadrian Moss is a GP in Kettering, Northamptonshire. You can tweet him at @DrHMoss.

Readers' comments (5)

  • I am resisting the temptation to inform all my patients that I cannot now protect their data as Caldicott Guardian because the Government has passed a law saying that they are effectively above the existing law.
    Meanwhile, in my work at the CCG we are hampered in redesigning services because we are unable to have access to identifiable data (for instance to audit whether referrals are reaching the appropriate places). Presumably the solution to this will be for us will be to purchase that data from DH once they have stolen it from the patient/practice and offered it for sale to allcomers??

    Unsuitable or offensive? Report this comment

  • We will instruct our receptionists to say to patients we have few details and if they are worried they should see their MP.

    Unsuitable or offensive? Report this comment

  • Whilst I have no objection to my identifiable data being shared within the NHS, I'm not willing for any of my medical records to be shared with, or sold to, third parties.

    If the proposal was genuinely in the interest of improving patient care by information sharing between primary and secondary care there would be an option to permit access to the NHS only.

    Unsuitable or offensive? Report this comment

  • As an information professional, and one whose business currently has an application in train to become a Data Controller in our own right, I'm acutely aware of the responsibilities involved.

    I wrote to my personal physician recently and here's what I said:

    As holder of patient data, General Practices are legally obliged to register with the Information Commissioner as Data Controller, and have to comply with the Data Protection Act.

    "Although it might appear that the HSCA2012 might override the DPA1998, there’s an interesting set of comments on the EMIS National User Group pages:

     Practices as data controller are responsible for ensuring their patients are fully informed under the Data Protection Act.

     will extract patient information from the practice data base. The practice as data controller cannot decline the request from without the risk of prosecution. The only person who can decline the extraction of data is the individual patient.

     If patient data is extracted from the practice clinical data base without the patient being made aware then the practice could be prosecuted by the patient. It is thus vital that the practice takes steps to try and inform its practice population about the extraction so that individual patients have the opportunity to opt out of their personal data extraction. "

    The implication is, of course, that it would take only one disgruntled patient to successfully sue a Practice, for the entire house of cards (and I chose my metaphors carefully) to come tumbling down.

    Practices ought to be aware of just how legally exposed they are.

    In my personal view, is simply NPFiT re-animated, and will quite likely suffer the same fate.

    Unsuitable or offensive? Report this comment

  • Donna Kelly

    How would you suggest we warn all our patients within the short time constraint available and bearing in mind the huge cost to do so ?

    Unsuitable or offensive? Report this comment

Have your say

  • Print
  • 5
  • Save