GP practices are doing well overall at protecting patient data, despite operating at a time of ‘considerable change’ in the NHS, a report has found.
The report from the Information Commissioner’s Office (ICO) found practices generally had good data protection policies in place, and a good awareness of potential issues surrounding security and patient confidentiality.
The report summarises 24 ‘advisory visits’ to GP surgeries across England conducted by the ICO in the past year.
In the majority of cases, practices performed well and were sensitive to the practical requirements of the Data Protection Act, such as how to dispose of confidential records.
But the report also notes some areas for improvement, such as reporting of data breaches and systems for informing patients of changes to the way data is being used.
It also highlighted cases where several practices allowed staff unsecured access to the internet, including personal emails, or allowed them to use USB drives, all of which could increase the risk of data leakage, hacking or viruses.
The report comes at a sensitive time, with practices grappling with the requirement on them to inform patients about the way their data is to be used in the NHS England care.data programme.
Lee Taylor, team manager in the ICO Good Practice team, said: ‘The NHS processes some of the most sensitive personal information available and data breaches at GP surgeries can have significant repercussions for the individuals affected.
‘But we were broadly pleased with what we saw during the advisory visits. Having the right policies and procedures in place is the backbone to good data protection and the GP practices we visited tended to have these.
‘The findings are particularly important as the NHS has been undergoing a period of considerable change.’
All visits were conducted in response to direct requests from practices; the ICO offers them as a one-day evaluation, providing practical advice and guidance on site and a short report afterwards.