
Are you in control of your data?

In recent days GP practices up and down the country have received reminders regarding the need to supply information for the Workforce Minimum Data Set (WMDS).

The regulations, which require practices to record any members of staff, including locums, who have worked at a practice since the last extraction, even if it’s just for 1 day and/or session, have come in for plenty of criticism from practice managers. On one hand it’s an admin nightmare; on the other it has raised concerns over data protection. After all, as one Practice Index Forum contributor said, “practices are obliged to make sure that our patients are happy to have their data shared but it seems us, and our staff, have no right to choose to opt out of having our data shared… I’m really worried about our contractual position with staff as, currently, we don’t include the need to share this information as a requirement in their contracts”.

Practices are right to be aware of data protection requirements, which we’ll look at later, but on the point above it’s worth noting that, following representations from HSCIC (now NHS Digital), the ICO has amended its advice regarding section 10 of the Data Protection Act and has agreed that the information requested by NHS Digital does not contravene the act.

Practices are therefore obliged to provide the information and there is no longer any point in staff objecting directly to the Information Commissioner’s Office (ICO). However, HSCIC did amend its criteria to exclude NI numbers and sickness records, which were the main issues for most staff.

Wider data protection rules

When it comes to data protection law, practices do need to be careful. Back in August last year, Regal Chambers – a GP surgery in Hitchin, Hertfordshire – was fined £40,000 by the Information Commissioner for revealing confidential information about one of their patients to her estranged ex-partner, despite express warnings given by the woman to practice staff to protect her details.

Staff at the GP practice responded with 62 pages of information that included the woman’s contact details as well as those of her parents and an older child the man was not related to. An ICO investigation found that the GP practice had insufficient systems in place to guard against releasing unauthorised personal data to people who were not entitled to see it. This was a breach of the Data Protection Act.

This case highlights the importance of providing staff with proper training and guidance and having appropriate systems to safeguard against unauthorised disclosures. Whilst most practices will have some sort of system in place, with the increasing workload and pressure on practices, sometimes basic principles can easily be overlooked.

Practices as data controllers

The crux of the matter is that practices are classed as data controllers. Under the Data Protection Act 1998 (DPA), the data controller is the person (or organisation) that ‘determines the purposes for which and the manner in which any personal data are to be processed’. In other words, the data controller has overall control of the data and decides how and why data are to be processed.

GP practices are data controllers for the information they hold about their patients. Most practices will have ‘data processing’ arrangements with third parties, for example IT system suppliers, who carry out a wide range of clinical and administrative processes within the practice, but it is the data controller who retains responsibility for compliance under the Act.

Action you can take

So what can you do to guard against a problematic situation arising in your practice?

According to the BMA, the first principle of the DPA requires data controllers to process the data they hold ‘fairly’ and ‘lawfully’. Fairness requires data controllers to be open and transparent about how information will be used and that data are handled in line with what individuals would reasonably expect. GP practices therefore must provide information to their patients which must explain how their data is used, when it might be shared and with whom, and who they should speak to about rights of objection.

The guidance continues on to say that this does not generally require every patient to be informed directly, but the Information Commissioner’s Office (ICO) expects reasonable attempts to be made to inform patients about how their medical records are handled.

The ICO suggests that a layered approach can be used. This means the provision of basic information available in different settings and formats with signposts to more detailed information, for example the practice website or leaflet.

Every GP practice should have at least one notice prominently displayed on the practice notice board and on the practice website explaining that the practice holds medical records confidentially and primarily for the provision of direct patient care. The notice should explain when medical records might be used for purposes other than direct patient care. An example from the ICO is:

How we use your information

Medical confidentiality is the cornerstone of trust between doctor and patient and we keep your records secure and confidential. For your direct care either from the practice or within the NHS hospital service we imply your consent to pass on relevant clinical information to other professional staff involved in your direct care.

Only when there is a legal basis for the transfer of data may we pass limited and relevant information to other NHS organisations to improve the efficient management of the NHS or to aid medical research.

If you wish to see more information about this subject please visit our website at: xxxxxx

If you wish to object to the use of your data for these ‘secondary uses’ please speak to: xxxxxx

Additions to that notice could include, for example:

  • ‘This practice contributes to medical research and may send relevant information to medical research databases such as the Clinical Practice Research Datalink and QResearch when the law allows’
  • ‘This practice contributes to national clinical audits and may sometimes send relevant data to NHS Digital when the law allows.’
  • ‘In order to comply with its legal obligations this practice may send data to the Health and Social Care Information Centre when directed by the Secretary of State for Health.’

It is important that the notice, often referred to as a ‘privacy notice’ or ‘fair processing notice’, is kept up to date and is clearly visible in the practice – not hidden under later notices.

The ICO website provides very useful information about fair processing and how transparency and openness can be demonstrated.

Data flows

Practices need to adhere to certain rules if they are to be lawful data controllers. It’s key therefore that the following are fully known and understood:

  • the data flows which are in anonymous form
  • the data flows which are in identifiable form (and the legal basis for these flows)
  • the data sharing agreements the practice has signed up to

The BMA adds that when data flows have been clarified this should form part of the more detailed information on the practice website or leaflet to which patients are directed by the privacy notice. The information should include details on the nature of the data, who they are shared with, for what purpose and the legal basis for the sharing.

Data protection is not something practices should take lightly, but with a bit of careful planning and by following the correct procedures there shouldn’t be anything to worry about.

And finally, returning to our initial point about WMDS, one practice manager suggests the best way around the admin burden is to only fill in the mandatory fields.

“I have had one call from someone last year asking me if I could put more information down,” they commented. “I said I had completed all the mandatory questions and they quickly accepted that. Time is precious so if it’s not mandatory, don’t do it.”

Practice Index

We are a dedicated team delivering news and free services to GP Practice Managers across the UK.