Exclusive Healthcare professionals in police stations and immigration removal centres are able to access the full patient records from 2,700 practices, Pulse can reveal.
A report obtained by Pulse reveals that around 6,600 organisations using the SystmOne IT system can view the records of GP patients who registered with a practice on the system, if the practice has switched on the sharing function and the patient hasn’t explicitly objected.
These organisations include healthcare staff contracted to 23 police station ‘custody suites’, prisons, and immigration removal centres, including Yarl’s Wood, where asylum seekers are held while pending immigration status.
SystmOne developer TPP said that only registered health professionals within the organisations could access records and that national sharing was ‘immensely powerful’ for ensuring patients get the best care.
But the GPC’s IT policy lead, Dr Paul Cundy, told Pulse that GPs would struggle to explain to patients which organisations will have access to the records.
This could put them potentially at breach of the Data Protection Act, and the GPC advises GPs must be able to inform patients who might be able to see their records, where, when, what parts of their records and for how long.
Pulse revealed earlier this year that the Information Commissioner’s Office (ICO) had raised concerns about SystmOne’s data sharing model.
How does the model work?
SystmOne’s data-sharing model allows organisations using the system to see the records of patients in around 2,700 SystmOne GP practices if the practice has enabled ‘data sharing’ for its patients – which most practices do, and the GMC encourages this.
Under the ‘data sharing’ function, in most cases patients are opted in by the practice as long as the practices runs an ‘awareness drive’ – meaning patients would have to actively opt out if they do not want their data shared. But TPP told Pulse it ‘remains of the view that explicit consent is best’.
Even with the patients’ ‘implied consent’, other organisations have to ask the patient before accessing their full records.
However, there is an ‘override’ function that allows the organisations to view the full record of a patient if they can’t get the patient’s consent, if they are unconscious, for example.
There are safeguards for the override function; patients can explicitly opt out and the use of an override alerts the patient’s practice.
After Pulse reported this, a change was brought in allowing patients to see which organisations have accessed their records. Though practices were already able to generate reports of all the organisations on SystmOne that are able to access records.
One of these reports generated by a practice, obtained by Pulse, reveal that healthcare professionals in around 6,600 organisations have access to patient records, a number which is growing daily.
They include NHS organisations such as A&Es, district nursing groups and GP out-of-hours providers on SystmOne.
However, they also include non-NHS organisations such as healthcare professionals in police stations, prisons and the immigration removal centres.
TPP’s medical director Dr John Parry told Pulse that he understood that GPs have obligations under the Data Protection Act.
However, he added: ‘I worked in GP out of hours for many years, and it’s immensely powerful –with appropriate safeguards – to be able to say to a patient, yes I understand your problem, shall we look at your last few hospital letters.’
Dr Parry said that this could apply to places such as police stations. He added: ‘There have been some never events, in custody suites, where people with medical conditions have come to serious harm because they didn’t know what was wrong with them.
‘This is for healthcare professionals providing care for those in custody, it’s not part of the police national computer, the desk sergeant doesn’t have access to this information, it’s under the control of health professionals.’
But Dr Cundy told Pulse: ‘I don’t believe any GP has ever fully understood the extent of this sharing. So if the GP has not understood it, then how can you fully inform anyone.
‘Even now, now practices can see this list of 6,600 [organisations], how do you fairly inform patients about that?
‘It’s completely unreasonable to assume that patients will understand the scale of the sharing, or be happy with sharing with [clinical staff in] custody suites.’