This site is intended for health professionals only

3,000 practices at risk of GDPR breach due to new childhood vaccine data system

by Léa Legraien
25 February 2019

Share this article

Over 3,000 GP practices are at risk of breaching the Data Protection Act due to a new childhood vaccination data system.
The BMA warned around 3,300 practices could be affected by the new extraction system, which is used to share data with the Child Health Information Service (CHIS).
The concerns revolve around the principle of data minimisation, which requires systems to hold the minimum amount of personal infromation needed to fulfil the purpose, but no more.
Practices should not sign up to any new CHIS extraction system until the issue is resolved, the BMA said.
Other extraction services may also put practices at risk of breaching GDPR, the BMA warned. It said the situation is currently being clarified.
This comes as the new five-year GP contract has promised practices access to a data protection officer (DPO) through their CCG, in order to monitor compliance to the data protection law and to act as a point of contact for patients requesting access to their data.
In the memo to practices, the BMA said: ‘We have received reports that LMCs in the West Midlands region have received communications from their local community trust with regard to changes to the process for electronic transfer of childhood vaccination and immunisations data from GP systems to the Child Health Information Service (CHIS).
‘We believe this issue also impacts practices in London and southwest regions and up to 3,300 practices. It is also possible that this issue may impact other extraction services; we are in the process of clarifying this.
‘Having received legal advice, the GPs Committee is concerned that practices using the new proposed extraction system to share childhood immunisation data may be placing themselves in breach of GDPR,’ it added.
The BMA told our sister publication Pulse, where this article first appeared, it believes the issue may be due to the system not meeting the principle of ‘data minimisation’, which requires data controllers to only retain the minimum information needed, and no more.
The BMA told practices not to sign up to any new extraction system related to changes to the CHIS in England, until the issue is resolved.
Kay Keane, practice manager at Alvanley Family Practice in Stockport, said: ‘Thankfully we have not signed the extraction consent form. It would be extremely helpful to practices if these types of forms, extractions and data requests were given some kind of NHSE seal of approval, rather than PMs who are generalists having to make the decisions alone.’
Concerns were also raised by Cleveland LMC, which reported that some NHS trusts had made changes to their system for the sharing of child health data, which may not comply with GDPR.
The LMC said: ‘We have been made aware of an issue elsewhere in the country where the local trusts have changed their system for the process for electronic transfer of childhood vaccination and immunisations data from GP systems to CHIS.’
‘Whilst we are not aware of this issue being in the Teeside area, GPC understand it may impact on other extraction services; they are in the process of clarifying this,’ it added.
The new Data Protection Act, brought in last May, has caused many issues for practices, as the regulations stopped them charging a nominal fee for digging out patient information.
This led to a signficant increase in subject access requests (SARs) received by practices.
Some practices also received a number of SARs from police departments, as part of firearms checks. This process was criticised by the Information Commissioner’s Office (ICO), which said the requests were not only ‘unnecessary’, but they could ‘potentially constitute a breach of the Data Protection Act’.
The five-year GP contract has pledged £20m through the global sum, each year, to compensate practices for the extra work caused by such requests. 
A version of this story was previously published on our sister publication Pulse.
Additional reporting by Costanza Pearce.