Commissioners in parts of England have suggested they will charge practices up to £1,800 a year to access data protection officers that are required under new laws, our sister publication Pulse has revealed.
Under the new General Data Protection Regulation (GDPR), which came into effect on 25 May, GPs must designate a data protection officer (DPO) to monitor compliance to the law and act as a point of contact for patients requesting access to their data.
These can be appointed internally within the practice or externally by CCGs or health boards.
However, GP leaders have said CCGs charging for access to a data protection officer ‘shows a complete lack of understanding’ of the pressures facing GPs, arguing that commissioners should be supporting practices instead.
This comes after the BMA asked GPs to lobby their MP over the ‘unintended consequences’ of GDPR, which has forced practices to spend hours compiling patient records either ‘pro bono or in reality [out] of NHS resources’.
According to the Information Commissioner’s Office, data protection officers assist GPs ‘to monitor internal compliance, inform and advise on your data protection obligations… and act as a contact point for data subjects’.
BMA guidance states practices can designate their own officers, share an officer with other practices or appoint an external DPO that could be supplied by the CCG.
NHS Bedfordshire CCG told our sister publication Pulse GPs would have to pay £1,800 each year to access a shared DPO through the CCG – but later claimed this was an ‘early estimate’.
The CCG was unable to clarify what the current cost of the service is, while adding that practices could choose to appoint their own officer. So far, only one practice has signed up to use the CCG’s data protection officer.
A spokesperson for the CCG said: ‘NHS Bedfordshire CCG has arranged for the provision of an enhanced GP IT service, which will supply a data protection officer to GP practices in Bedfordshire. If practices do not want to subscribe to this service, they are free to appoint their own data protection officer.’
Meanwhile, in NHS Telford and Wrekin CCG, all 14 local practices have signed up to pay £300 per year for an officer supplied by the CCG.
A CCG spokesperson said: ‘This role supports practice resilience and also encourages working at scale among practices and has been welcomed.’
But in NHS East Berkshire CCG, Pulse has learnt the CCG is acting as a DPO for its practices as an ‘interim measure’ at no cost, while practices in Doncaster have access to a collaborative DPO through the LMC, paid for as part of their statutory levy.
The new GDPR laws have meant GPs have to comply with requests for data from patients within one month and are no longer allowed to charge patients or solicitors for a copy of patient records.
NHS England guidance that was updated in anticipation of the new legislation states ‘CCGs can negotiate an enhanced GP IT service… as a call off agreement (i.e. chargeable to practices), under the main service contract for the provision of nominated individual(s) to practices that wish to designate a DPO from the service’.
But Dr Richard Vautrey, BMA GP committee chair, said CCGs should ‘extend their expertise to support practices’ as opposed to ‘levying charges against them’.
He said: ‘Given the workload pressures in general practice, it’s quite feasible for surgeries to collaborate with others to help manage this new burden placed on them…
‘However, for any CCG to be charging for an appointed DPO to be contracted to a practice shows a complete lack of understanding of the pressures their practices are facing.’
An NHS England spokesperson said: ‘CCGs have a responsibility to provide support for data protection officers in general practice.
‘However, it’s a matter for individual CCGs whether they wish to go further and offer a DPO service which GP practices can buy into and, if so, how much it is reasonable to charge.’
This story was first published on our sister publication Pulse.