GPs should not switch off patient record sharing, says ICO
GPs using SystmOne should not switch off enhanced information sharing despite concerns that patients records could be compromised, the Information Commissioner’s Office (ICO) has said.
Pulse revealed that the ICO had raised concerns about TPP’s SystmOne programme’s compliance with the Data Protection Act and had made it clear to TPP, and NHS Digital, what they had to change about the record-sharing function.
But in a statement posted on its website, the ICO has said GPs should not go as far as switching off the function.
The statement said: 'The ICO has data protection compliance concerns about SystmOne’s enhanced data sharing function and the potential risk to patients’ medical records held by GPs.
'However, given the possible impact to patient care, the ICO is not advocating that users switch off data sharing at this stage.’
The ICO said its concerns were ‘centred on the fair and lawful processing of patient data on the system and ensuring adequate security of the patient data on the system'.
It said: ’We continue to work closely with TPP, NHS Digital and NHS England and have seen an initial plan that they have put forward.
'This includes initial steps they are taking to remedy these issues and further work is planned.’
It comes as the BMA has now issued formal guidance for GPs on the issue, saying that the situation had ‘serious implications for GPs as data controllers’.
It said: ‘Patients could complain that their records are accessible by people and organisations who should not be able to do so and it is likely that a court action in support of a complaint would succeed.’
While it declined to advise any individual doctor or practice on whether to turn off the sharing function of their system, the BMA said practices needed to act.
It suggested that practices could either ‘reduce risk by ensuring a robust system is in place that enables patients to be fully informed about the [SystmOne] sharing model with sharing remaining on, or abolish future risk by turning sharing off whilst still informing, with the intention of turning it back on at some point in the future'.
The guidance said: ‘Practices need to be able to inform patients who might be able to see their records, where, when, what parts of their records and for how long.
'In addition, they need to be able to limit sharing of their records to other [SystmOne] sites. GPs and patients need to know who is accessing their records.’
SystmOne’s enhanced data sharing function allows hospitals, care homes and community services to access GP records and leave their own notes.
But SystmOne does not alert GPs to when new providers gain access to the patient record, and it does not allow practices to limit record access to local organisations or those directly involved in caring for a patient.
A SystmOne spokesperson has pointed out that it 'does have audit functionality to show all organisations who are live – with the added benefit of being able to search within dates so they can regularly keep up to date with new organisations'.
Patients need to be told of SystmOne record sharing function
The GPC’s IT lead Dr Paul Cundy said earlier this month that GPs should consider switching off SystmOne’s patient record sharing function completely until provider TPP updates it.
Dr Cundy said that the issue could have potentially huge implications for patients but the decision to switch off the information sharing function should not be made lightly given how useful it was for GP federations.
TPP has told Pulse that it is correct that practices using SystmOne must either 'fully inform patients about who might be able to see their records, what parts of the their records and in what circumstances' or 'turn off record sharing'.
They added that 'this has always been the case' and that 'no SystmOne user should be using [the patient record sharing function] without fully understanding the consequences and without fully informing patients of the impact on their care'.
TPP remains in discussions with the BMA, NHS Digital, NHS England and the ICO about updating the function to allay the ICO's concerns.