ICO investigating GP system supplier TPP over ‘data protection compliance concerns’

Thousands of patients are being warned their GP electronic records may not be secure, amid an ongoing investigation into systems supplier, TPP.

The Information Commissioner’s Office has confirmed it is investigating TPP, over an “enhanced sharing” function in its SystmOne electronic patient record system.

“We do have data protection compliance concerns about SystmOne’s enhanced data sharing function,” a spokeswoman told Digital Health News.

TPP’s SystmOne is the second most widely used GP electronic system in England, used by nearly 3000 GP practices.

The ICO’s concerns about SystmOne specifically relate to the “fair and lawful processing of patient data on the system and ensuring adequate security of the patient data on the system”, based on the record sharing function within the system.

The ICO was talking to TPP and NHS Digital about resolving these concerns, she said.

In a statement, a TPP spokeswoman said the company always encouraged GPs to inform patients of the record sharing function and “no user should be using the sharing functionality without fully understanding it and informing patients of the impact on their care.

“Balancing the ethical duty to share information for the benefit of the patient against the risk of misuse of patient data has always been an important consideration for the NHS.”

The company has recently updated its guidelines for using the enhanced data sharing function “to help our users deal with these matters more effectively and keep patients informed”. The sharing function was approved for deployment under Connecting for Health as part of the National Programme for IT.

“We believe it is vital that all parties continue to consider the wider issues of national sharing and, more importantly, the clinical risk of failing to provide continuity of care.”

Data sharing issues with SystmOne were first reported by Pulse, which said that the GPC had been raising concerns with TPP for more than a year.

The specific function allows hospitals and other care organisations to access, and add to, a patient’s record, provided they are an authorised TPP user.

Responding to the news, medical privacy group MedConfidential said: “Failures of this sort are exactly why patients must be able to see by which organisations their GP records have been accessed.”

MedConfidential said it was encouraging that TPP was working to resolve the issue by adding a visible audit trail for patients.

“This work will help reduce the harm of data breaches across the NHS, and not just for TPP.”


11 Comments

  • My data was shared without my permission, nationally, and only came to my attention when I noticed my SCR sheet accompanying a referral letter. The IT Mgr thanked me for pointing out the error in their system, but that it was “too late… it’s out there now”. The repercussions have been life changing and there is evidence that many employees have automatically had access to my data who should not have. It seems there are, or were, 3 or 4 categories under which past history could be listed. This decision was made (by whom?) arbitrarily and in my case, carelessly, and without my, the patient’s, input. I have been unable to have clarified where this data went, whether it was edited, etc. There is now a sickening deafening silence. I am prevented from making an official complaint as there is a form of blackmail whereby information is withheld from the patient “if there is a pending complaint with any Trust”! In effect it means shut up or we can obfuscate further. I am considering having myself “wiped” by applying through the Dept of Health as I already feel like a persona non grata. Ironically, the past history should have included 3 major health events which were missing from my records, and not past, resolved, transient matters relating to traumatic life events. I have been in communication with Dame Fiona and will be seeing my MP. But it’s rather like the police policing the police. It’s all the Government, silly. What a haphazard, amateurish shambles; beyond compare. I feel disposable; collateral damage and cannot understand why there have not been more prosecutions.

  • I do think this issue has slightly misrepresented how SystmOne works.

    I also understand that TPP plan to expose that audit on the patient facing services which has been suggested by a few others in these comments and is an enlightened way to improve data sharing and good data behaviour at the same time… http://www.xml-solutions.com/the-secret-to-overcoming-patient-consent-concerns/. I hope the NHS in general will begin to do this increasingly over the next few years.

  • John, I’m speaking generally (about access to my health record) but yes I’d want to control both. [The long answer is in the ‘The Patient will see you now’ book by Eric Topol].

  • Kevin,
    I suspect you may be mixing up two things here: (1) the ability of a doctor to let another clinician view your record when you are seen by them; (2) your ability to view what is in your own record. They are quite different matters and their consent mechanisms under SystmOne are quite separate (and different) too.

  • I was referring to the information security principle of information being available. In general (wider NHS), records are not shared electronically.

    I would like better visibility of my record, e.g. I did have access to my record but changing surgeries reverted consent to the default ‘not shared’. I’ve used my own record access as an example but every project I’ve worked on has the same ‘not shared’ default.

    Let me choose, not the organisations or system suppliers. (choose using technology not on a piece of paper or staff on a PC)

  • Daniel – what is incorrect or misleading in what Pulse reported? Even TPP haven’t denied the way the system works. They just feel it is the right thing to do (even if the ICO says it isn’t).

    Kevin – IG / Data protection is about you being able to consent to your record being shared but also someone else being able to dissent to that sharing. It should not be about stopping correct sharing. It is when people don’t do things correctly that, when discovered, leads to sharing being stopped. All the other clinical systems share in a manner that hasn’t caused the ICO concern so it’s not like the guidance is that unclear.

    • Hi GP,
      One of the main inaccuracies in the Pulse article was the supposition that SystmOne only holds the GP’s patient record, and all other organisations are merely contributing to the same record. Quote: “SystmOne’s enhanced data sharing function allows hospitals, care homes and community services to access GP records and leave their own notes”. Whilst this is partly true, it seriously obscures the complete picture – SystmOne provides an electronic medical record for any organisation using the application (depending on the type of module being used, of course). It also allows all other organisations to see that medical record, providing ALL sharing settings are correct… all organisations using SystmOne must select sharing settings for each patient, for both an inward direction (seeing the ‘rest’ of the shared patient record) and an outward direction (sharing the local record with the rest of the shared patient record). Although organisations can opt to have these settings implicitly applied to patient records, it is good practice to seek explicit consent from patients before changing sharing settings. This two-stage sharing is not explained by the pulsetoday (or the telegraph) article, and is actually the difference between secure sharing methodology and insecure sharing.

      On top of the enhanced sharing settings, each organisation managing a record on SystmOne has the opportunity to mark specific entries as ‘sensitive’ for a number of reasons; this means that the particular entry is not shared with the rest of the record, even when sharing settings have been correctly applied with explicit consent.

      Lastly, in the article on pulse today, Dr Cundy even goes as far as to suggest faxing as an alternative … a form of communication so archaic it was recommended not to be used by (then) HSCIC in October 2014, and with clear empirical proof of being an insecure (and highly inefficient) method of sharing sensitive data.

      This ‘issue’ has been blown out of massive proportion by various different parties. Patients must be registered on an organisation’s unit before any information can be seen (including spine demographics and SCR). The sharing settings are designed to seek explicit consent from the patient before the wider patient record can be viewed. When a GP makes a referral to another organisation using SystmOne, they are given the option to ask the patient whether the receiving organisation is allowed to see their record. Any perceived risk is no different to another member of staff at the same organisation viewing the patient record without clinical reason or permission.

      • Indeed things are always more complicated than in a newspaper article and there are safeguards in place. The question is whether those safeguards are sufficient – and the ICO isn’t convinced.

        You are right that a member of staff in your own organisation can abuse their position to access medical records but you do have control over who you employ and on what terms. You can make sure they are trained and can dismiss them if they transgress (as I have had to do in the past). In SystmOne the numbers increase exponentially and the control over those individuals decreases – and even more worrying when we step outside the NHS.

        Even if the safeguards are sufficient then patients should still be allowed to choose whether they share and who they share with. If I opted out of sharing I would expect that meant I had opted out – yet in SystmOne my consent could be over-ridden if the person at the other end decided it was necessary. Giving blood to Jehovah’s Witnesses is a clear example of how people can make choices and expect those choices to be honoured even when it doesn’t make sense to the person treating them.

  • I would also be annoyed if IG/Data Protection concerns were used to prevent a clinician (providing me care) access to my clinical record.

    Agree with MedConfidential’s suggestion to give patients access to an audit trail (not just for GP Systems)

  • I’d be intrigued to learn exactly what their concerns are since the Pulse article contained some incorrect or misleading statements about the sharing functionality as it stands.
