Thousands of GPs risk breaching data protection laws in new vaccine data system
- 4 March 2019
More than 3,000 GPs are at risk of breaching data protection laws if they sign up to a new way of sharing childhood vaccination data, the BMA has warned.
The new extraction system, which shares immunisation data between GP systems and the Child Health Information Service (CHIS), could be sharing more data than the law allows.
The new system uses a process that copies, transfers and stores the whole GP database, rather than the minimal data required to update vaccinations data.
Under the principle of data minimisation, a system should hold only the minimum amount of personal information needed to complete the task it was designed for.
According to a memo from the BMA, some 3,300 GP practices could be affected, including those in the West Midlands, London and the southwest regions.
GPs have been warned not to sign up to any new CHIS extraction system until the matter is resolved.
A BMA spokesperson told Digital Health: “The system in question uses a process whereby the whole GP database is copied, transferred and stored, rather than just the limited information needed to update childhood vaccination and immunisations data on CHIS.
“Based on legal advice, we believe the main risk is that practices may breach GDPR by not meeting the principle of ‘data minimisation’ which requires data controllers to carry out the minimum processing necessary.
“Practices should ensure that any new proposals meet GDPR requirements and if they have any doubts they should contact their Local Medical Committee (LMC), the BMA or their data protection officer.”
It comes after the new GP contract called for Clinical Commissioning Groups to ensure GP practices have access to a Data Protection Officer (DPO) in addition to their existing data services.
In the memo to GPs the BMA said: “We have received reports that local medical committees (LMCs) in the West Midlands region have received communications from their local community trust with regard to changes to the process for electronic transfer of childhood vaccination and immunisations data from GP systems to the CHIS.
“Our advice when being approached to sign any new data sharing agreements pertaining to changes to the CHIS in England is that no GP practice should sign up to any new extraction system until our concerns have been addressed.”
4 Comments
When I worked for a GP supplier it took me less than a morning to write an immunisation service.
20 years later I could do the same using FHIR in about the same time.
Why do you need to grab so much data???
This shows the importance of GP surgeries doing a DPIA for all such data sharing.
The issues of data minimisation and purpose limitation would have been identified straight away.
Agree with you. In fact DPIA is part of the new DSPT compliance.
Why not just transfer everyone’s complete health records to Facebook? Then everyone could access whatever they want. Job done! Healthcare funding could then be redirected back to healthcare instead of being spent on buying IT systems, and our data could not possibly be less private in the hands of Facebook than it is in the hands of the NHS. Stuff the GDPR!
“That which is most obvious does not strike a man at all, unless that thought has at some time struck him.”
“The purpose of philosophy is to show the fly the way out of the fly bottle.”