IT system leaves GP practices in the dark about who can access records

Written by Rebecca Hill on 8 March 2017 in News

GP practices may be inadvertently breaking data protection rules due to a record-sharing feature in a widely-used IT system, it has been reported.

image of two doctors sat at a desk looking at a computer screen

Up to 3,000 practices could be affected - Photo credit: PA

According to the GP trade title Pulse, some 2,700 practices using the TPP SystmOne system could be unaware that they are in breach of data protection legislation.

The IT system has a record-sharing feature that aims to give hospitals, care homes and community services access to GP records and let them record their own notes.

However, the TPP SystmOne does not automatically restrict access to these records to organisations that provide the GP practice in question with services, such as out-of-hours care.

This means that any authorised user of TPP SystmOne at an organisation that uses the system could technically access at least some of patients’ records, which Pulse said was causing practices who are using the system being in breach of data protection regulations, as they cannot say who has accessed patient records.

Related content

NHS shares patient information with Home Office for immigration enforcement
NHS Digital avoids regulatory action from ICO over data opt-out errors
Earning public trust in the age of cyber threats

Guidance from TPP sets out a process that practices can run on a patient-by-patient basis to see which staff members have accessed patient records within the practice – but this can only provide information on which organisations have access to the data – not the individuals.

Both NHS Digital the UK’s data protection watchdog the Information Commissioner’s Office confirmed to PublicTechnology that they were aware of the potential issue and were working together, alongside TPP, to resolve it.

An ICO spokeperson said: “We do have data protection compliance concerns about SystmOne’s enhanced data sharing function. These concerns are centred on the fair and lawful processing of patient data on the system and ensuring adequate security of the patient data on the system.”

The spokesperson added: “We have made these clear to TPP and NHS Digital and we are in discussions with them about how these are resolved.”

TPP published updated guidance on its online systems at the end of February, which indicated that it was trying to fix the issue. This said that TPP would be “making amendments to the record audit” functions to allow patients to see every organisation that has accessed the information recorded in the system.

This document also states that practices do not need to turn off sharing for patient records, and that changing the sharing preferences to prevent organisations from seeing data that is currently visible to them “has clinical safety implications”.

The campaign group MedConfidential welcomed the move by TPP to update the system so that patients could see who has accessed the information in their records - but added that such errors demonstrate “why patients must be able to see by which organisations their GP records have been accessed”.

The group said that failures like this would happen again until the government committed to “ensuring that every patient in the NHS can see how their data is used”.

It said: “TPP has now committed to telling patients how their data is used… what about everyone else?”

The government’s response to the Caldicott review into patient data and consent – which reported in the summer last year – is expected to address such concerns and is due for publication soon.

Share this page



Add new comment

Related Articles

Shelves with patient files MPs and experts call for more digital health records as NHS mail goes undelivered
27 February 2017

The government has been urged to focus on speeding up move to digital healthcare records amid accusations that the NHS covered up the loss of more than half a million pieces of confidential...

An NHS lanyard NHS England to scrutinise suppliers of personalised healthcare IT systems
17 February 2017

Suppliers offering IT systems for personalised healthcare need to gain approval from NHS England, as the body aims to ensure healthcare providers are using high quality solutions that offer good...

scientists, user, science, data, analytics ONS launches Data Science Campus
27 March 2017

The Office for National Statistics has today launched its Data Science Campus in Newport, Wales, to make better use of data and develop the statistical information it provides.

Houses of Parliament, Westminster, London Interview: Conservative peer Chris Holmes calls for a considered but can-do attitude from government on blockchain
27 March 2017

Two sides to the BitCoin? Conservative peer Chris Holmes talks to Rebecca Hill about being positive about blockchain’s potential for public services without seeing it as a ‘wonder drug’.

Related Sponsored Articles