NHS data protection and GPs

GPs must take compliance with privacy and data protection law seriously, writes Anne Crofts

Compliance with privacy and data protection law is as much about cultural and organisational behaviour as it is about developing systems and protocols and using privacy-enhancing technologies. That this may be a particular challenge for GPs was brought home to me when visiting a local GP practice recently. While introducing myself, I was able to read the clinical notes of the previous patient, as they were still displayed on the GP's monitor in my full view. This is clearly a breach of confidentiality and data protection law. It was most likely caused by lack of awareness and lax practice rather than any absence of protocol, systems or guidance.

NHS chief executive David Nicholson recently wrote to senior NHS managers highlighting a concern expressed by the information commissioner around the data security risks and vulnerabilities inherent in GP practices due to their "dispersed nature" and "independent status".


The circular reminds us that each GP practice, as a "data controller", is legally responsible for holding patient data securely and ensuring it is processed in accordance with the principles of the Data Protection Act and the law of confidentiality. The Department of Health is considering how compliance with security standards will be enforced and it is suggested that this will be through contractual clauses to be inserted in the national contract in due course.

Guarding against data loss

Preventing accidental loss of patient records is one aspect of data protection legislation and it is hardly surprising, given the number of high-profile data losses that have been reported recently, that primary care trusts and the public sector are focused on tightening up security and procedures for data sharing and transportation.

Recommendations in the circular include ensuring GPs use back-up tape encryption to NHS Connecting for Health standards and ensuring that data on laptops, CDs and memory sticks is encrypted. The circular refers to a number of technical tools and products available to GPs for encrypting data and ensuring the secure movement of patient records between NHS organisations.

Taking technical steps to minimise the chance of accidental data loss is not the whole story though. The cultural and organisational changes that need to take place may prove most challenging, particularly for smaller GP practices.

Changing practices

The public is becoming far more aware of how their personal data is used and what they are entitled to expect from organisations responsible for handling sensitive information. Some practices in primary care organisations are rapidly becoming unacceptable. For example, is it necessary to announce the name of a patient to the assembled waiting room or to allow a detailed telephone conversation between a receptionist and a patient to be casually overheard?

The information commissioner's powers were recently enlarged under the Criminal Justice and Immigration Act 2008 to include the power to impose large fines on data controller organisations and individuals who are aware of data protection risks in their businesses but who deliberately or recklessly commit serious breaches of the Data Protection Act. The recent Data Sharing Review by the information commissioner and Dr Mark Walport recommends further increasing the information commissioner's powers to ensure a more robust regime.

Ensuring compliance with privacy safeguards is becoming more important and will require GPs to make a significant investment not only in technological tools to ensure security but also in appropriate training and audit to ensure compliance. The Data Sharing Review sets out a number of recommendations in this regard and GPs would be wise to take note.
