IT system leaves GP practices in the dark about who can access records

Written by Rebecca Hill on 8 March 2017 in News

GP practices may be inadvertently breaking data protection rules due to a record-sharing feature in a widely-used IT system, it has been reported.

Up to 3,000 practices could be affected - Photo credit: PA

According to the GP trade title Pulse, some 2,700 practices using the TPP SystmOne system could be unaware that they are in breach of data protection legislation.

The IT system has a record-sharing feature that aims to give hospitals, care homes and community services access to GP records and let them record their own notes.

However, TPP SystmOne does not automatically restrict access to these records to organisations that provide the GP practice in question with services, such as out-of-hours care.

This means that any authorised user of TPP SystmOne at an organisation that uses the system could technically access at least some of patients’ records, which Pulse said was causing practices that use the system to be in breach of data protection regulations, as they cannot say who has accessed patient records.

Guidance from TPP sets out a process that practices can run on a patient-by-patient basis to see which staff members have accessed patient records within the practice – but this can only provide information on which organisations have access to the data – not the individuals.

Both NHS Digital and the UK’s data protection watchdog, the Information Commissioner’s Office, confirmed to PublicTechnology that they were aware of the potential issue and were working together, alongside TPP, to resolve it.

An ICO spokesperson said: “We do have data protection compliance concerns about SystmOne’s enhanced data sharing function. These concerns are centred on the fair and lawful processing of patient data on the system and ensuring adequate security of the patient data on the system.”

The spokesperson added: “We have made these clear to TPP and NHS Digital and we are in discussions with them about how these are resolved.”

TPP published updated guidance on its online systems at the end of February, which indicated that it was trying to fix the issue. This said that TPP would be “making amendments to the record audit” functions to allow patients to see every organisation that has accessed the information recorded in the system.

This document also states that practices do not need to turn off sharing for patient records, and that changing the sharing preferences to prevent organisations from seeing data that is currently visible to them “has clinical safety implications”.

The campaign group MedConfidential welcomed the move by TPP to update the system so that patients could see who has accessed the information in their records - but added that such errors demonstrate “why patients must be able to see by which organisations their GP records have been accessed”.

The group said that failures like this would happen again until the government committed to “ensuring that every patient in the NHS can see how their data is used”.

It said: “TPP has now committed to telling patients how their data is used… what about everyone else?”

The government’s response to the Caldicott review into patient data and consent – which reported in the summer last year – is expected to address such concerns and is due for publication soon.
