
New BMA guidance advises GPs to carry out DPIA before enabling patient records access


GP practices should carry out a data protection impact assessment (DPIA) before enabling patient records access, and consider an opt-in model if risks are identified, the BMA has said.

Practices will need to offer automatic access to prospective records via the NHS App by 31 October, as per the changes to the GP contract, but around 60% of practices have not yet done so.

The BMA’s GP committee expressed ‘grave concerns’ about the safety implications of vulnerable patients having full record access, and about the projected workload that GPs would take on to implement the programme.

This weekend it published extensive guidance to help GPs fulfil the contract requirement.

The guidance said: ‘Providing patients with access online to their medical records in accordance with the new legal requirements is a new form of processing, so GPs as data controllers need to conduct a data protection impact assessment (DPIA).

‘The BMA has conducted a general DPIA on behalf of the profession as a way of sharing the data protection analysis it has carried out. It is intended to help practices carry out their own DPIAs.’

A DPIA is a process designed to help systematically analyse, identify and minimise the data protection risks of a project or plan.

While the BMA has completed a general DPIA this month, practices are required to undertake their own. They can use the suggested BMA template, which is based on the Information Commissioner’s Office’s template, or decide to develop their own.

The guidance said that the BMA’s DPIA has identified ‘a number of risks which may be mitigated by operating an opt-in model’, which means providing access only to patients who request it, instead of providing access to all patients who have not opted out.

Practices that conduct their own DPIA and reach the same conclusion may want to operate an opt-in model, the GPC said.

This could be done by batch-coding with the ‘104’ code and then asking all patients whether they wish to opt in to access.

The GPC prepared a step-by-step guide outlining actions that practices may need to take depending on where they are in the process.

Practices that decide to implement ‘consent-based’ record access should also ‘establish a plan for communication with patients’. That communication should reference the fact that a DPIA has been carried out and that the practice has determined that seeking consent is the only way to ensure access can be safely provided.

In a webinar last week, NHS England said that over 1,700 EMIS practices have already gone live with 1,100 scheduled for October, and 923 TPP practices have bulk-enabled access.

It also said that EMIS can make technical changes to bulk-update individual patient settings and ‘reduce the administrative burden of updating individual accounts’, despite having earlier warned that windows for bulk enabling were running out.

Last month, NHS England claimed that GP practices have already experienced ‘a reduction in administrative burdens’ after granting patients online access to records.

The records access saga

Earlier this year, the BMA was considering a legal challenge over the imposed contractual requirement to offer patients access to prospective records – which health secretary Steve Barclay criticised in a speech last week.

However, last month the union abandoned its plans for a challenge against NHS England due to lack of financial resources and legal strength.

Patients were initially set to be given automatic access to their prospective patient records through the NHS app from 1 November last year – starting with EMIS and TPP, and with other smaller suppliers to follow at a later date.

But in October last year, suppliers confirmed they would not yet switch on automatic patient access to their records via the NHS app due to safeguarding concerns.

NHS England is also aiming to roll out patient access to their historic patient records, although it has not set out a timeline for this goal.


David Church 9 October, 2023 12:53 pm

Surely the DPIA is the job of the NHS or the Data Controller, and the GPs are not in control of the data any more, if control is being exercised by Government, so it is not the GPs’ job.
Presumably blanket choice of an opt-in model would be the answer, but still the work needs to be done by government/NHS, not GPs? We need the GPs to be seeing patients.

paul cundy 9 October, 2023 6:31 pm

Dear All,
The BMA advice unfortunately fails to make a significant point. A DPIA considers both the quality and nature of data to be processed as well as its quantum. If a DPIA identifies a high risk to processing, it must be referred to the ICO. If a large amount of highly sensitive data is proposed to be processed, then the Data Controller is advised under DPA 2018 to seek assurance from the ICO that any proposed mitigations are acceptable. Furthermore, if the DC has referred itself to the ICO, the processing cannot take place until they have approval from the ICO or have made any changes recommended by them. It is clear that opening up their entire patient database reaches thresholds of sensitivity as well as quantum, and thus every practice should be seeking advice from the ICO on their individual DPIAs.
Additionally, the ICO would not be able to offer any generic advice; they would have to work their way through each and every DPIA to give individualised advice to each practice. That might take a while.
Paul C