GPs have been told they should proceed to offer automatic record access to patients, after the Information Commissioner’s Office (ICO) published a response to their concerns.
Practices were required to offer automatic access to prospective records via the NHS App by 31 October, as per the changes to the GP contract.
But the BMA’s GP Committee expressed ‘grave concerns’ around the implications for safety of vulnerable patients having full record access and of the projected workload that GPs would take on to implement the programmes.
It recommended GP practices should do a data protection impact assessment (DPIA) before enabling patient records access, and consider an opt-in model if risks identified.
A DPIA is a process designed to help systematically analyse, identify and minimise the data protection risks of a project or plan.
Now the ICO has published a response to the DPIAs it received from GP practices.
It said that as long as GP practices ‘remain in control’ of deciding which records are made available, it considers that they ‘remain able to mitigate any risks to the rights and freedoms of individuals’ from the rollout of the programme.
NHS England said that practices that have been awaiting a response from the ICO before enabling access ‘should now engage with their commissioners’ about their plans for providing access ‘for all their patients’ and ‘meeting their contractual obligations’.
The ICO’s response said: ‘We acknowledge that there are data protection risks posed by the programme and detailed within your DPIA, however, we disagree that you are unable to sufficiently mitigate these without breaching your NHS GP contract.
‘We note that NHSE guidance states that GP practices “still retain full data controllership and can locally disable the functionality of their clinical IT system to prevent the provision of online access to prospective information and/or deny patient access to their prospective GP record – should they deem such action necessary to ensure compliance with the Data Protection Legislation”.
‘As long as GP practices remain in control of deciding which records are made available and retain the ability to prevent a patient record being accessed through the system, we consider that they remain able to mitigate any risks to the rights and freedoms of individuals from the rollout of the programme.’
However, the ICO acknowledged that offering record access ‘may mean more work for GP surgeries’.
The response added: ‘It is the ICO’s opinion that the high risks identified would constitute operational risks concerning the allocation of resources, rather than data privacy risks which would infringe the data protection legislation.
‘While we appreciate these changes may mean more work for GP surgeries at a time when they are stretched, it is not within the remit of the ICO to advise on risks that are not posed to individuals, based on the nature, type, extent and frequency of the processing involved.’
It also said that it will ‘continue to monitor the programme’ and ‘may take further interest’ should there be developments requiring intervention by the ICO.
I think your headline needs correction. You can’t really offer ‘automatic’ access, you either offer access or you give it automatically. It was the automatic granting of access, without any request from the patient, or any warning to the patient that it was being given, that was so problematic. The ICO is happy that the mitigations identified by practices in their DPIAs make the process of giving access legal, even if that requires a lot of effort on the part of the practice. The ICO is limited to speaking on issues of Data Protection Law.
My reading of the ICO’s letter was that they’re ok with the programme BECAUSE GPs retain the ability to withhold access and thus mitigate the risks, this backs up the “opt in” approach some practices have adopted. The comments about it adding to GP workload further reassure me that this is the approach they’re expecting us to take (simply switching access on for the vast majority of patients being a far less labour intensive approach).
Obviously NHSE would encourage us to interpret it differently…
Dear Al,
Precisely, what the ICO is saying is that if your DPIA identifies risks you can operate an opt in method, which is entirely compatible with para 16.5.ZA.7 (the whatever reason clause) of your contract. Everyone wins, GPs are acting legally, they are compliant with their contract and those patients who want access will get it, those who don’t won’t have their data put at risk and no pointless work for the practice.
In a way quite elegant.
Regards
Paul C