New BMA guidance advises GPs to carry out DPIA before enabling patient records access

by Anna Colivicchi
11 October 2023

GP practices should do a data protection impact assessment (DPIA) before enabling patient records access, and consider an opt-in model if risks are identified, the BMA has said.

Practices will need to offer automatic access to prospective records via the NHS App by 31 October, as per the changes to the GP contract, but around 60% of practices have not yet done so.

The BMA’s GP committee (GPC) expressed ‘grave concerns’ around the implications for safety of vulnerable patients having full record access and of the projected workload that GPs would take on to implement the programmes.

Earlier this week, it published extensive guidance to help GPs fulfil the contract requirement.

The guidance said: ‘Providing patients with access online to their medical records in accordance with the new legal requirements is a new form of processing, so GPs as data controllers need to conduct a data protection impact assessment (DPIA).

‘The BMA has conducted a general DPIA on behalf of the profession as a way of sharing the data protection analysis it has carried out. It is intended to help practices carry out their own DPIAs.’

A DPIA is a process designed to help systematically analyse, identify and minimise the data protection risks of a project or plan.

While the BMA has completed a general DPIA this month, practices are required to undertake their own and can use the suggested BMA template, which is based on the Information Commissioner’s Office’s, or decide to develop their own. 

The guidance said that the BMA’s DPIA has identified ‘a number of risks that may be mitigated by operating an opt-in model’, which means providing access only to patients who request access, instead of providing access to all patients who have not opted out.

Practices that conduct their own DPIA and reach the same conclusion may want to operate an opt-in model, the GPC said.

This could be via batchcoding with the ‘104’ code and then asking all patients if they wish to opt in to access.

The GPC prepared a step-by-step guide outlining actions that practices may need to take depending on where they are in the process.

Practices that decided to implement ‘consent-based’ record access should also ‘establish a plan for communication with patients’. That communication should reference the fact that a DPIA has been carried out and that the practice has determined that seeking consent is the only way to ensure that access can be safely provided.

In a recent webinar, NHS England said that over 1,700 EMIS practices have already gone live, with 1,100 scheduled for October, and 923 TPP practices have bulk-enabled access.

It also said that EMIS can make technical changes to bulk-update individual patient settings and ‘reduce the administrative burden of updating individual accounts’, despite having earlier warned that windows for bulk enabling were running out.

Last month, NHS England claimed that GP practices have already experienced ‘a reduction in administrative burdens’ after granting patients online access to records.

A version of this story was first published on our sister title Pulse