Feeds

GP surgeries MUST DO BETTER on data handling, says ICO

Watchdog warning comes as NHS prepares to unlock medical records

Boost IT visibility and business value

A number of GP surgeries in England allowed their employees to have unrestricted internet access - thereby increasing the risk of data being leaked, hacked and targeted by viruses, Britain's information watchdog warned today.

Officials from the Information Commissioner's Office visited 24 GP practices between April and November 2013 to inspect how well those NHS doctors' surgeries were handling sensitive patient data.

It found (PDF) that several of the sites agreed that staff could access personal email accounts via the surgery's computer system, and added that local polices on acceptable internet and email usage were "not always reflected in the software/tools that enforced them".

The ICO said:

The visits helped to highlight the pressures faced by GPs as data controllers for their patient records in a time of massive change to the structure and practices within the NHS and the corresponding information flows.

NHS England is currently posting leaflets out in among junk mail to 26.5m households highlighting that patients have a right to opt out of its plans to share their medical records, even though it failed to provide a simple form that individuals could then submit to their GPs.

Under the so-called care.data scheme, the Health and Social Care Information Centre (HSCIC) will shortly begin laboriously collecting patient info from GP practices, which will then be linked with hospital data it already stores.

However, controversially, GP surgeries are ultimately saddled with any issues that arise while the records are being transferred to the HSCIC.

But the ICO found shortcomings during its visits to the GP practices.

It said improvements could be made when it comes to reporting data breaches and of informing patients about how their information will be shared with the NHS, private companies and "approved" researchers.

The regulator warned that more needed to be done with the "risks posed by unrestricted internet access."

Paper records containing sensitive medical information took up considerable space, the ICO noted. It said the volumes of paperwork needed to be carefully managed.

“The NHS processes some of the most sensitive personal information available and data breaches at GP surgeries can have significant repercussions for the individuals affected," said the ICO's Lee Taylor.

"But we were broadly pleased with what we saw during the advisory visits. Having the right policies and procedures in place is the backbone to good data protection and the GP practices we visited tended to have these."

On Monday, the regulator explained in a blog post how the UK's Data Protection Act applied to the care.data scheme.

The ICO's Dawn Monaghan said:

GPs holding personal information about patients is nothing new and is covered squarely by the DPA. Generally everyone understands what’s happening: you give personal information to your GP who then records that information as your medical history. This record may include information from other health services and allows your GP to track your health throughout your lifetime.

The changes begin with some of the personal information included in that record going from GPs to the HSCIC. This happens under the direction of NHS England, which is allowed due to a new law, the Health and Social Care Act 2012.

This law gives NHS England the right to direct the HSCIC to collect certain sorts of data from the medical records. The law is a statutory enactment which requires the disclosure of the data, which means the data becomes exempt from the main parts of the DPA.

In other words, there is no legal opt out under the UK's data protection law, which in turn means that care.data is not regulated by the ICO - nor does the watchdog set the rules on how the system works.

"That responsibility for letting patients know what is happening falls to GPs, as the data controllers," said Monaghan.

"It might seem unfair that this responsibility doesn’t fall on NHS England, who are instructing the data collection, or on the HSCIC who will collect and use it, but the DPA focuses squarely on the whoever originally collected, holds and is going to disclose the data (the data controller) - in this case the GPs."

She added that the ICO had initially concluded that NHS England - with its much-criticised leaflet drop that was addressed to households rather than individuals - had met the fair processing requirements under the DPA.

Beyond that, patients objecting to the medical records data grab are expected to burden GPs with their concerns.

NHS patients and information director Tim Kelsey attempted to shrug off critics who are worried about who might have access to the data-sharing system earlier this week.

He said on his Twitter account: "care.data only for NHS patient care purposes; no insurance or other applications permitted. NHS guarantees privacy."

The HSCIC will start receiving the data from GP surgeries in England in the next few months. Once collected, the ICO will be able to police how that information is shared because at that point the HSCIC will be the data controller.

It will be interesting to see at that stage if Kelsey's promises hold tight. ®

Build a business case: developing custom apps

More from The Register

next story
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
UK fuzz want PINCODES on ALL mobile phones
Met Police calls for mandatory passwords on all new mobes
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Yes, but what are your plans if a DRAGON attacks?
Local UK gov outs most ridiculous FoI requests...
Detroit losing MILLIONS because it buys CHEAP BATTERIES – report
Man at hardware store was right: name brands DO last longer
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
UK government accused of hiding TRUTH about Universal Credit fiasco
'Reset rating keeps secrets on one-dole-to-rule-them-all plan', say MPs
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
EU justice chief blasts Google on 'right to be forgotten'
Don't pretend it's a freedom of speech issue – interim commish
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.