GPs told to get on with offering automatic patient record access

by Anna Colivicchi
8 February 2024

GPs have been told they should proceed to offer automatic record access to patients, after the Information Commissioner’s Office (ICO) published a response to their concerns.

Practices were required to offer automatic access to prospective records via the NHS App by 31 October, as per the changes to the GP contract.

But the BMA’s GP Committee expressed ‘grave concerns’ around the implications for safety of vulnerable patients having full record access and of the projected workload that GPs would take on to implement the programmes.

It recommended that GP practices carry out a data protection impact assessment (DPIA) before enabling patient record access, and consider an opt-in model if risks are identified.

A DPIA is a process designed to help systematically analyse, identify and minimise the data protection risks of a project or plan.

Now the ICO has published a response to the DPIAs it received from GP practices.

It said that as long as GP practices ‘remain in control’ of deciding which records are made available, it considers that they ‘remain able to mitigate any risks to the rights and freedoms of individuals’ from the rollout of the programme.

NHS England said that practices that have been awaiting a response from the ICO before enabling access ‘should now engage with their commissioners’ about their plans for providing access ‘for all their patients’ and ‘meeting their contractual obligations’.

The ICO’s response said: ‘We acknowledge that there are data protection risks posed by the programme and detailed within your DPIA, however, we disagree that you are unable to sufficiently mitigate these without breaching your NHS GP contract.

‘We note that NHSE guidance states that GP practices “still retain full data controllership and can locally disable the functionality of their clinical IT system to prevent the provision of online access to prospective information and/or deny patient access to their prospective GP record – should they deem such action necessary to ensure compliance with the Data Protection Legislation”.

‘As long as GP practices remain in control of deciding which records are made available and retain the ability to prevent a patient record being accessed through the system, we consider that they remain able to mitigate any risks to the rights and freedoms of individuals from the rollout of the programme.’

However, the ICO acknowledged that offering record access ‘may mean more work for GP surgeries’.

The response added: ‘It is the ICO’s opinion that the high risks identified would constitute operational risks concerning the allocation of resources, rather than data privacy risks which would infringe the data protection legislation.

‘While we appreciate these changes may mean more work for GP surgeries at a time when they are stretched, it is not within the remit of the ICO to advise on risks that are not posed to individuals, based on the nature, type, extent and frequency of the processing involved.’

It also said that it will ‘continue to monitor the programme’ and ‘may take further interest’ should there be developments requiring intervention by the ICO.

A version of this article was first published on our sister title Pulse