Exclusive Some GPs found they were mistakenly given access to other people’s ‘sensitive’ pensions information after logging into their own account on PCSE’s new online portal, Pulse has learned.
GP Survival chair Dr John Hughes told Pulse that the organisation heard from ‘three or four’ GPs last week who were stunned to find they could access the pensions information of colleagues after signing into their own PCSE pensions accounts.
When the GPs look at their accounts, the system ‘would bring up a list of lots of other people, plus their pension numbers’, which together with their names, ‘could be used to then go and access someone else’s complete pension payment details’, he said.
This is the latest issue with the new pay and pensions portal, after it emerged earlier in the week that around 1,000 GP practices have not received their QOF payments this month, alongside a host of other problems.
Dr Hughes said: ‘This is a very serious breach of confidentiality. I would say it further damages trust in the system, but I don’t think anybody has any trust in PCSE and the system at all at the moment.’
PCSE said the pay portal is designed to allow GP principals to see the pensions data of other GPs within their practice.
It also said that it could not find any record of complaints from GPs about the issue.
However, Hampshire GP and information governance lead Dr Neil Bhatia told Pulse that his colleague – a salaried GP – reported to him that her account was allowing her access to the pensions data of other practice staff. He also said that he himself then reported the issue to PCSE.
He said: ‘One of my GPs noticed this. She logged in and was immediately able to access, had she chosen to, the records of every other GP in the surgery. There were screens and screens of GPs. This is very sensitive information – people’s earnings – all sorts of information.
‘I rang PCSE and reported it. They said it’s just a one off – that she has just been given the wrong type of access. But I think this has happened elsewhere.’
He said PCSE would need to report this as a data breach to the Information Commissioner’s Office (ICO), if it hasn’t already.
He added: ‘The good thing is, the people who have been given unauthorised access are not the type of people who are deliberately going to click on a person’s record and look at it.’
PCSE launched a new online GP Pensions and Payments service on 1 June, which lets GPs manage their pensions accounts digitally, including viewing statements and submitting information such as end-of-year certificates and self-assessment forms.
A BMA spokesperson said: ‘It’s vital that the new system is fully secure and compliant with data protection legislation, and that only relevant staff with appropriate permissions are able to access employees’ pension details when necessary.
‘We would welcome assurances from PCSE and NHSEI that this is the case, but if there are instances where it is not we would urge any GPs or practices to contact the BMA with details.’
Pulse has approached PCSE for comment.