This site is intended for health professionals only

BMA seeking legal advice on GP liability for shared records data breaches

BMA seeking legal advice on GP liability for shared records data breaches

The BMA is seeking legal clarification on whether GPs are liable for data breaches arising from shared care records, according to one LMC.

GP practices across Kent and Medway raised concerns last year about how DOCMAN GP records were being used to share information across the ICB’s new care record. 

The Kent and Medway Care Record (KMCR) provides a ‘joined-up view of an individual’s care’ by bringing together information from across health and social care organisations.

According to Kent LMC medical director Dr Jack Jacobs, the KMCR project team switched on access to DOCMAN records across the system without GPs being properly forewarned.

He said that as the data controllers, GPs were concerned about their legal liability if there was a breach of confidentiality as a result of records being shared widely across the KMCR, and around half of practices told DOCMAN to disable the sharing of information. 

The LMC therefore sought legal advice, funded by the GP Defence Fund (GPDF), to get clarification on this issue from specialist solicitors and KCs.

But last month, the LMC told practices that the ‘BMA legal team have decided to assume responsibility for the case on account of the national implications of the possible outcome’.

DOCMAN is used by GP practices as a repository for all correspondence about patients, including letters from hospitals or safeguarding reports from social services. 

Dr Jacobs said local GPs are ‘in principle supportive of sharing appropriate patient information with the KMCR for direct patient care’, and there was no issue with sharing GP records such as problem lists and medications from EMIS. 

He said: ‘However, we felt that the sharing of all our document repository on DOCMAN was not aligned to the Caldicott principles of providing information on a need-to-know basis and only when necessary. 

‘Our view is that DOCMAN is compiled for GP records to support care in General Practice – that is what GPs and most patients would probably expect.’

Dr Jacobs added: ‘GP partners are currently joint controllers with the ICB for data on the KMCR. GPs were not directly involved in its development or decisions around data processing. 

‘It’s not clear what extent of liability this would leave to GP partners should a data breach occur.’

A spokesperson for the Kent and Medway ICB said: ‘We have been working with partners to resolve any concerns they may have so the Kent and Medway Care Record can continue to be used to its full potential for the benefit of patients.’

According to the Kent and Medway ICS website, the amount of data the KMCR holds ‘is increasing all the time’ with new data ‘constantly being added’.

On potential data breaches, its website said: ‘While procedures are in place to prevent and manage incidents if they do occur, no system can prevent every breach. 

‘The data within KMCR is reliant on the data submitted by the KMCR partner organisations. While there is an audit process in place to review compliance, partner organisations are required to have their own monitoring, auditing and reporting processes in place to report breaches to the appropriate body.’

Kent LMC is currently awaiting the outcome of further legal advice, which is now being managed by the BMA. 

Following the imposition of a new GP contract which stipulated that practices must offer automatic access to GP patient records by 31 October, the BMA’s GP Committee had been preparing a legal challenge to further delay this target date.

However, last month the BMA abandoned its plans for a challenge against NHS England due to lack of financial resources and legal strength. 

Pulse has approached the BMA for comment.