This site is intended for health professionals only


GPs’ care.data responsibilities amount to ‘good customer service’, says information commissioner



Exclusive GPs should regard the process of notifying their patients about care.data as a matter of ‘good customer service’ and not as a ‘legalistic tick-box’, the Information Commissioners Office has said.

The ICO, which advises on data protection, said that GPs have a duty as ‘data controllers’ to advise patients about changes to how their data is used, but has said this is a matter of good standard customer service.

However, GP leaders have said this underestimates the strain it will put on practices to notify patients, and that practices should be funded to meet these requirements as they exceed just ‘good customer service’.

Speaking to NHS England’s care.data advisory group, the ICO’s Dawn Monaghan explained that GPs had responsibilities as ‘data controllers’ for ensuring that messages about the scheme are ‘consistent’.

The minutes for the meeting address the key guidance from the ICO and state: ‘Key is that it is up to the GP to tell the patients what is happening, and how this is best done. National messages at a national and local level are needed to ensure messages are consistent and without confusion.’

‘[The] overarching message is that this is as much about good customer service as anything.’

NHS England have yet to confirm further funding for practices to notify patients, after a previous attempt to send a leaflet to every household in England reached less than a third of intended recipients.

But the ICO has previously told Pulse that GPs who don’t take steps to alert their lists could be found in breach of the Data Protection Act.

A spokesperson for the ICO said: ‘The point Dawn was making was that the data controllers, including GPs, know their audience best so are best placed to communicate the changes to their patients.’

‘In effect, they should see it as good customer practice rather than a legalistic tick box.’

Under the fair processing requirements of the DPA, GPs are responsible for patient records while they’re held in the surgery and are obliged to inform patients of changes to the way that their data is used.

The advisory group minutes state this is ‘not asking, not consent – it is about telling.’

Once the information has left the GP surgeries, NHS England and the Health and Social Care Information Centre become joint controllers of the data at the HSCIC.

Dr Grant Ingrams, deputy chair of the GPC’s IT subcommittee and a GP in Coventry told Pulse: From the ICO’s point of view, GPs are the data controllers. So from their point of view, because we’re data controllers we’re the ones who need be sure that what needs to be done has been done.’

‘From my point of view, that’s fine. But unless the NHS is going to fund that or provide the resources to do that, as in they do it on our behalf, or they fund us to do it, I don’t mind. Then it makes care.data a dead duck.’

‘Because I don’t think any GP is going to pay hundreds or thousands out of their own pocket to run a campaign.’

Dr Ingrams added: ‘If they say “well you’ve got to pay for it, and you’ve got to do it”. Well fine, it’ll be on the bottom of my to-do list and I might get round to it in five years.’

But GPC negotiator and lead on care.data Dr Beth McCarron-Nash told Pulse that informing patients about the Government’s changes went beyond the role of already overstretched GP’s.

She said: ‘If they want the data, they should fund practices to write to patients if that’s the requirement. We will continue to push the point that patients need to be adequately informed.’

‘We know that the communications have not worked, and that needs rectifying before [care.data] can go ahead.’

At the annual LMCs Conference in Harrogate in May, GP leaders voted that care.data should be run under an opt in system, where patients are asked to give explicit consent for their data to be extracted.

And NHS England’s own deputy medical director, Dr Mike Bewick, told an audience at Pulse Live Manchester that parts of the scheme should be opt in only.