
Urgently consider switching off patient record sharing, GPC IT lead tells practices

Exclusive: GPs should consider switching off SystmOne’s patient record sharing function completely until provider TPP updates it, the GPC’s IT lead has said.

In a note to the wider GPC, sent after Pulse reported on the Information Commissioner's Office concern about the feature, Dr Paul Cundy said ‘GPs need to take urgent action to assess their positions’.

When activated by a GP practice, SystmOne’s enhanced data sharing function allows hospitals, care homes and community services to access GP records and leave their own notes.

But SystmOne does not alert GPs to when new providers gain access to the patient record, and it does not allow practices to limit record access to local organisations or those directly involved in caring for a patient.

Pulse revealed last week that the ICO had raised concerns about SystmOne’s compliance with the Data Protection Act and had made it clear to TPP, and NHS Digital, what they had to change about the record-sharing function.

Dr Cundy told the GPC: ‘In this matter, now that GPs have been made aware, there can be no misunderstanding about their legal responsibilities as data controllers.

‘This means either fully informing their patients about who else can see their records, what parts of those records, in what circumstances, where, how, by whom, when and for how long.

‘Alternatively GPs may choose to protect themselves against this risk by turning sharing off and relying on alternative means.’

Dr Cundy added that this was ‘a serious issue with potentially huge implications for patients, GPs and TPP’, because ‘at the moment GPs are at risk of complaints being made against them’.

But he acknowledged that switching the function off was ‘not a decision to be made lightly’ based on how useful it is, especially for GP federations.

He said: ‘[The function] has been successfully used to provide locality or community sharing and this benefit must be weighed against the risks of the consequent wider uncontrollable sharing.

‘GPs should consider whether alternative mechanisms could be used to provide for the direct care of their patients in their locality, such as referrals, telephone calls, the Summary Care Record basic and detailed, eRS and faxes etc.

‘They should consider the frequency and likelihood of the need for these exchanges versus the scale of the wider accessibility that [the patient record sharing function] enables.’

A TPP spokesperson said it was correct that practices using SystmOne must either 'fully inform patients about who might be able to see their records, what parts of their records and in what circumstances' or 'turn off record sharing'.

They added that 'this has always been the case' and that 'no SystmOne user should be using [the patient record sharing function] without fully understanding the consequences and without fully informing patients of the impact on their care'.

TPP has previously said it is 'making amendments' to the function, and the spokesperson added: 'As previously mentioned, discussions with all parties (BMA, NHS Digital, NHS England and the ICO) remain ongoing.'

An ICO spokesperson said: 'We do have data protection compliance concerns about SystmOne’s enhanced data sharing function. These concerns are centred around fair and lawful processing and ensuring appropriate security in respect of the data held on the system.

'We have made these concerns clear to TPP and NHS Digital and we are in discussions with them about how these are resolved.'

What is a GP practice's duty as data controller?

GP practices as data controllers of the patient record have a ‘fair processing’ duty under the Data Protection Act and this is particularly important with sensitive health information. This requires that patients are informed of any privacy risks from sharing or changes in how their data is used and who has access.

But the enhanced data sharing function under SystmOne - a patient record IT programme used by 2,700 GP practices - does not currently allow this level of scrutiny.

It allows community services, hospitals, child health services, A&E and urgent care organisations, hospices, care homes, offender health care providers, pharmacies and social care providers access to records, but does not let patients see who has accessed their record.

Privacy groups say this means – through no fault of GPs - patient privacy has been put ‘needlessly at risk’.

Readers' comments (11)

  • Locally we have something called the Cheshire Shared record. Several practices have refused to sign up to it - despite huge pressure - fearing exactly this - unfettered access by who knows who. Despite reassurances that people can only see records if they are on their case load - I know at the moment - only people directly employed by me in my surgery have access, not some person 50 miles away. The reality is the extended spine services provide most of what is needed in an emergency/out pts. etc. This should be being pushed more.


  • Serious concern requiring Urgent Attention


  • When I consent patients I explain that the record will be available to anyone in the NHS family, but that they should ask the patient's permission before accessing their full notes (which is true).

    Surely this is only a problem if the person consenting the patient misunderstands the concept and only consents the patient for a specific situation (i.e. I will share your record with the diabetes centre)

    I do also mention that the record can be accessed without the patient's consent if there is an emergency -- but that is the case regardless of whether the GP surgery chooses to share the record or not. (via the shared consent override)

    You are right that people could break the rules and access the patient's record without their consent - but that is also true for accessing unshared records.


  • As a GP and the Clinical Director of TPP, I understand that these are very important considerations. Our recent updated guidance has been designed to help our users deal with these matters more effectively and keep patients informed. We believe it is vital that all parties continue to consider the wider issues of national sharing and, more importantly, the clinical risk of failing to provide continuity of care.

    We have always known that to achieve true interoperability across the NHS, and to provide the same high standard of care for all patients (regardless of registered GP, commuter or not, in receipt of specialist treatment etc.) a national sharing model should be adopted. Although SCR provides access to some vital information, it is undeniably not as useful as the full patient record - it is not designed for use in continuing care and is not available to all care settings.

    Balancing the ethical duty to share information for the benefit of the patient against the risk of misuse of patient data is not a new problem. We must remember that the patient is key in all of this and their preference, and safety, must be considered above all else.


  • If social services have access to SystmOne, and then access the entire GP medical record of adult patients who are parents of children under social services investigation, because the adult patient at some point in the past consented to sharing for "NHS / healthcare" purposes, where does that leave me as the data controller?

    TPP might be worried about the clinical risk of continuity of care whilst creating their own, potentially unlawful, sharing solution.

    But I'm worried about the present situation in which non-healthcare organisations are having increasing access to SystmOne without my knowledge.


  • As a GP and Clinical IT Lead I feel the sooner data sharing modelling policy catches up with the wider shared record the better. A national sharing model is the only thing that makes sense - the patient should be at the centre of this and in my view GPs shouldn't be expected to police the record any longer. On one hand the national steer is towards wider sharing and on the other we are not provided with sensible data sharing tools to enable this. Currently data controllers are taking a calculated risk to try and deliver wider sharing to the benefit of patient care across health and social care settings. There needs to be a strong national steer to sensibly manage the tension between wider sharing and current consent models.


  • Pious words from James and John, but us GPs are in the firing line for both their lax control systems and the failure of other agencies to obtain true consent from patients.
    Sharing should be turned off until this is sorted out centrally


  • Pious indeed!

    We have been under high pressure by NHS "family" (!) to sign up but have been steadfast. We are referred to as "outliers" by our local NHS "family members"...
    And there is very little chance that a majority of our patients would fully understand the implication of electronic record sharing in its current form so the chances of informed consent are minimal, and if we as Guardians don't know who is accessing, what chance is there of counselling our patient?
    We know of local Trusts wanting access to meet their CQUIN needs that has little to do with direct patient care.


  • I would agree that the law needs updating but at the moment it hasn't and so we need to follow it. Saying 'the law is wrong' and 'we have a better way' is not acceptable. GPs are the data controller (rightly or wrongly) and the system suppliers are data processors so should be doing what they are instructed to do by the data controllers.

    The new European GDPR laws (which will come even with Brexit) actually strengthen rather than ease the data laws so there is no sign of things changing soon. And for the first time data processors will also be able to be held liable for breaches (whereas at the moment it is only data controllers). Check https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

    The ask is fairly simple - let GPs and patients choose what they share and who they share with (or not). The other clinical systems do this so why not TPP?


  • Paul Cundy is one of the best of our leaders, and we need to take him seriously.
    SystmOne is on the other hand a really bad IT system that is completely unresponsive to GP needs.
    The only way to make them behave is to push them - hard by stopping access which they will hate.
    So let's do it!

