
Thousands of practices unaware they could be ‘in breach of data rules’

Exclusive: Thousands of GP practices may inadvertently be in breach of data protection legislation after activating a record-sharing feature in their IT system, Pulse has learnt.

The Information Commissioner’s Office has told Pulse that it has ‘data protection compliance concerns’ about SystmOne’s enhanced data sharing function that allows hospitals, care homes and community services to access GP records and leave their own notes.

The ICO is currently investigating concerns that GPs are unable to tell patients who is able to see their data, and so are unable to fulfill their duties as data controllers after activating the data-sharing function, as urged by many CCGs.

An ICO spokesperson told Pulse: ‘We do have data protection compliance concerns about SystmOne’s enhanced data sharing function. We have made these clear to TPP and NHS Digital and we are in discussions with them about how these are resolved.’

Some 2,700 practices currently run SystmOne and Pulse understands the GPC has been raising the issue for more than a year. GPC deputy chair Dr Richard Vautrey said: ‘We know that the ICO has had serious concerns and this is why TPP are having to address that situation.’

In information released last week, SystmOne’s provider TPP said it was ‘making amendments’ to the record audit function – currently available for practices – to let patients see who has accessed their record. TPP added that their data sharing model had full approval when it was first rolled out, and it is ‘committed to supporting the sharing of data across the NHS for direct care’.

A TPP spokesperson told Pulse: ‘NHS Digital and TPP are aware that the ICO have raised concerns about TPP’s enhanced data sharing model. TPP, along with NHS Digital, are in discussions with the ICO about how these concerns can be addressed.’

What is enhanced data sharing?

GP practices as data controllers of the patient record have a ‘fair processing’ duty under the Data Protection Act and this is particularly important with sensitive health information. This requires that patients are informed of any privacy risks from sharing or changes in how their data is used and who has access.

But the enhanced data sharing function under SystmOne does not currently allow this level of scrutiny. It allows community services, hospitals, child health services, A&E and urgent care organisations, hospices, care homes, offender health care providers, pharmacies and social care providers access to records, but does not let patients see who has accessed their record.

NHS England’s director of Patient Online services Dr Masood Nazir wrote to GPs and IT leads last May saying currently ‘it is not possible to restrict default sharing out from the GP system to a group of local organisations and it is therefore not possible to meet the requirements of the Data Protection Act.’ He added: ‘This means that local GPs are unable to meet their data controller requirements’.

Privacy groups say this means – through no fault of their own – GPs have put patient privacy ‘needlessly at risk’. Phil Booth, medConfidential coordinator, told Pulse: ‘Failures of this sort are exactly why patients must be able to see which organisations have accessed their medical records.’

Pulse asked NHS England why, when they had concerns last May, they have not acted. A spokesperson told Pulse it takes data security ‘very seriously’ and said: ‘In keeping with good governance practice, once the issue was identified, a solution was agreed and is now being implemented.’