Accelerated Access to GP Records
GPC Accelerated Access to Records Programme - October update
Following on from the guidance that GPC England (GPCE) shared with practices last Friday, we are expecting to continue dialogue with NHS England in the coming week to ascertain how practices can be best supported in the lead-up to the 31st October go-live date and beyond.
Practices are strongly advised to carry out a practice Data Protection Impact Assessment (DPIA) if they have not already done so, and may wish to use the BMA’s DPIA as a template. This can be found here alongside a suite of resources (listed below) which practices can use to help prepare for providing prospective records access to their patients:
- FAQs for AAtR programme implementation
- Data Protection Impact Assessment (DPIA)
- Template text message for practices
- Example webpage for practice website (linked to from text message)
- Sample Draft Email to ICB Primary Care IT Teams
- Application form for online access to the practice online services
GPCE remains committed to supporting practices as they navigate this programme and will refresh and cascade resources on a regular basis.
Read our full guidance here
LMC update to members on IMMEDIATE ACTION RECOMMENDED: ACCELERATED ACCESS TO GP-HELD RECORDS
As mentioned many times previously, the LMC remains concerned about the ‘Accelerated Access to GP-Held Records’ project, which contractually requires practices to provide patients with online access to full prospective records from 31 October 2023.
The project results in the Department of Health and Social Care forcing GP practices to implement changes which are high risk. It is almost a certainty that there will be data breaches due to this approach, patients will come to harm, and practices will be the bodies that the ICO and Data Subjects will take to court and fine.
The revised regulations say all patients MUST be provided with access with the only proviso being if a patient has declined in writing. Of course, there is always a balance, and the regulations also state that “The Contractor must … comply with all relevant legislation.”
NHS England have already issued guidance that practices should take safeguarding into account when considering access, which, in effect, is recognition that the regulations are inappropriate and should not be adhered to.
Despite raising this on multiple occasions before, DHSC has refused to take any action to mitigate the risk, for example by including data breaches within the remit of CNSGP.
The GPC of the BMA has continued to consider how to protect practices from this risk. All BMA members received an email on Friday advising them to undertake a DPIA (Data Protection Impact Assessment), and if they find that there are risks, to consider not allowing general access from 31 October 2023, but to mitigate the risks by using an opt-in model instead. A copy of this email is attached.
All the advice and resources can be found here: BMA general practitioners committee England, including a draft DPIA. I have also attached a very helpful and straightforward flowchart to aid practices created by County Durham & Darlington Local Medical Committee.
We support this approach, which recognises that, regarding patient data, the Data Protection Act 2018 and UK GDPR have primacy over GMS and PMS regulations. GPs must not breach their duties as Data Controllers in order to comply with the contractual obligation to provide access.
We recommend that every practice should consider this and discuss with their DPO.
Dr Grant Ingrams
Executive Chair, LLR LMC