Exclusive GPs should consider switching off SystmOne’s patient record sharing function completely until provider TPP updates it, the GPC’s IT lead has said.
In a note to the wider GPC, sent after Pulse reported on the Information Commissioner’s Office concern about the feature, Dr Paul Cundy said ‘GPs need to take urgent action to assess their positions’.
When activated by a GP practice, SystmOne’s enhanced data sharing function allows hospitals, care homes and community services to access GP records and leave their own notes.
But SystmOne does not alert GPs to when new providers gain access to the patient record, and it does not allow practices to limit record access to local organisations or those directly involved in caring for a patient.
Pulse revealed last week that the ICO had raised concerns about SystmOne’s compliance with the Data Protection Act and had made it clear to TPP, and NHS Digital, what they had to change about the record-sharing function.
Dr Cundy told the GPC: ‘In this matter, now that GPs have been made aware, there can be no misunderstanding about their legal responsibilities as data controllers.
‘This means either fully informing their patients about who else can see their records, what parts of those records, in what circumstances, where, how, by whom, when and for how long.
‘Alternatively GPs may choose to protect themselves against this risk by turning sharing of and relying on alternative means.’
Dr Cundy added that this was ‘a serious issue with potentially huge implications for patients, GPs and TPP’, because ‘at the moment GPs are at risk of complaints being made against them’.
But he acknowledged that switching the function off was ‘not a decision to be made lightly’ based on how useful it is, especially for GP federations.
He said: ‘[The function] has been successfully used to provide locality or community sharing and this benefit must be weighed against the risks of the consequent wider uncontrollable sharing.
‘GPs should consider whether alternative mechanisms could be used to provide for the direct care of their patients in their locality, such as referrals, telephone calls, the Summary Care Record basic and detailed, eRS and faxes etc.
‘They should consider the frequency and likelihood of the need for these exchanges versus the scale of the wider accessibility that [the patient record sharing function] enables.’
A TPP spokesperson said it was correct that practices using SystmOne must either ‘fully inform patients about who might be able to see their records, what parts of the their records and in what circumstances’ or ‘turn off record sharing’.
They added that ‘this has always been the case’ and that ‘no SystmOne user should be using [the patient record sharing function] without fully understanding the consequences and without fully informing patients of the impact on their care’.
TPP has previously said it is ‘making amendments’ to the function, and the spokesperson added: ‘As previously mentioned, discussions with all parties (BMA, NHS Digital, NHS England and the ICO) remain ongoing.’
An ICO spokesperson said: ‘We do have data protection compliance concerns about SystmOne’s enhanced data sharing function. These concerns are centred around fair and lawful processing and ensuring appropriate security in respect of the data held on the system.
‘We have made these concerns clear to TPP and NHS Digital and we are in discussions with them about how these are resolved.’
What is a GP practice’s duty as data controller?
GP practices as data controllers of the patient record have a ‘fair processing’ duty under the Data Protection Act and this is particularly important with sensitive health information. This requires that patients are informed of any privacy risks from sharing or changes in how their data is used and who has access.
But the enhanced data sharing function under SystmOne – a patient record IT programme used by 2,700 GP practices – does not currently allow this level of scrutiny.
It allows community services, hospitals, child health services, A&E and urgent care organisations, hospices, care homes, offender health care providers, pharmacies and social care providers access to records, but does not let patients see who has accessed their record.
Privacy groups say this means – through no fault of GPs – patient privacy has been put ‘needlessly at risk’.