GP practices General practitioner Patient and public Practice manager

Last updated:

TPP SystmOne - FAQs for GP practices

It is a fundamental responsibility of a doctor, when involving others in the care of their patients, to select and then disclose only necessary and sufficient information for the care needed or anticipated.

Exchanging unnecessary and excessive information is disrespectful of the patient and the recipient and contrary to GMC and other requirements.

It has become clear that if patient records are being shared through TPP's clinical system SystmOne, GPs are unable to specify which other organisations can have access to their patients' records.

This has serious implications for GPs as data controllers - patients could complain that their records are accessible by people and organisations who should not be able to do so and it is likely that a court action in support of a complaint would succeed.

These FAQs set out the current situation and provide answers to the critical questions TPP users will be asking.


What is the issue?

If sharing of patient records (functionality known as eDSM) is turned on in TSO (TPP SystmOne), these records can be accessed from all other TSO sites. The practice cannot selectively control this accessibility - it is all or nothing. When new sites join they too can access all other sites.

Accessibility relies on adding a patient's name, date of birth and other demographic details to the system, which then allows, with recording of the patient's consent, the ability to access a patient's record at any other TSO site.


The BMA's concerns

We have concerns that this consent requirement can be overridden, and therefore allow unauthorised access from sites or individuals not related to providing direct care to the patient. Practices are alerted when consent is overridden. Records of consented accessing have to be searched for or reports run. There are thought to be 6,600 individual TPP sites that could have this ability to access GP surgeries that have eSDM enabled.

TSO was originally commissioned, designed and implemented in the 1990s as a bespoke system to provide a local multi-user single shared record database in Bradford and Airedale. Since then it has proven popular and has achieved a wider presence in the NHS in GP surgeries, community services and elsewhere. The system that has been rolled out at a national level has extended the original default multi-user single database architecture.


Is TSO's enhanced data sharing model (eDSM) legal?

To date, there have been no legal challenges to TSO eDSM in the courts. However, the BMA, RCGP, NHS England and NHS Digital have all expressed concerns which have been supported by the Information Commissioners' Office ICO (ICO).

The ICO's view is clear - in its current configuration TSO breaches the 1st and 7th principles of the Data Protection Act (DPA) and is therefore unlawful. While the ICO has not indicated that they will take action against individual data controllers at this stage, it is a possibility. Patients could complain that their records are accessible by people and organisations who should not be able to do so. It is also highly likely that a court action in support of a complaint would succeed. For the latest statements from the ICO on this matter, please visit the ICO website.


Why is the BMA GP committee responding now?

Recent media interest has raised concerns both for patients and the profession. TPP has sent its existing customer practices a set of documents intended to clarify the situation. The BMA's view is that these documents do not fully do this and do not satisfy the test of being able to fully and properly inform patients. In the light of the ICO's statement we believe they need to be revised. We have identified some critical questions that we believe TPP users might reasonably want answered.


What are the immediate consequences?

TSO sites which have eDSM switched on should urgently consider any action they need to take, taking into account this guidance. Equally TSO sites planning to switch on eDSM functionality should ensure they comply with DPA requirements in advance.

Fundamentally, practices need to be able to inform patients who might be able to see their records, where, when, what parts of their records and for how long. In addition, they need to be able to limit sharing of their records to other TSO sites. GPs and patients need to know who is accessing their records.


Still have questions?

We have produced a comprehensive set of FAQs to help you understand the details of this issue.

They include advice on some of the following topics and much more:

  • Who is affected
  • What practices should do now
  • If, when and how to turn off sharing
  • Dissent codes
  • Further help and support
  • BMA questions to TTP


FAQs for GP practices

  • FAQs

    Does this affect all TSO practices?

    Not necessarily, as not all TSO practices have eDSM sharing turned on. This issue only applies if you have, or have had, sharing turned on. Those practices may need to take urgent action. We would however recommend that all TSO practices acquaint themselves with these developments.


    What should practices do now? How can a practice inform its patients regarding TSO data sharing arrangements?

    As things stand, the ICO is not expecting practices to write to every patient to fulfill requirements to fully inform them, but is expecting all other opportunities for fair informing to be utilised e.g. displaying posters, providing patient leaflets, etc.

    Practice tip - how to communicate this information with your patients

    Consider some of the following suggestions:

    - displaying posters in your waiting rooms;
    - notices on your websites and other on-line services;
    - leaflets placed in waiting rooms;
    - advice on repeat prescription messages;
    - advice during consultations;
    - text (SMS) notices;
    - advising your Patient Participation Group (PPG)


    Do I have to turn off sharing?

    Whilst patients are being fully informed about the TSO sharing model, the practice should balance the risks of continuing to use TSO with eDSM enabled until patients are informed versus using TSO with sharing turned off. Practices should be aware that any new patients will also need to be fully informed about the TSO sharing model so this is not a short-term exercise but an on-going process.

    it is the BMA's view that it is highly unlikely that patients will be fully informed already and that further actions will be necessary to ensure that they are.

    The BMA cannot advise any individual doctor or practice whether or not to turn off the sharing function of their system. This is a decision that has to be made based on each individual situation. If, for instance, you have complied with fair processing then there is no reason to turn sharing off. Alternatively, if you are not confident that patients fully understand the sharing arrangements you need to take urgent actions to ensure that they are fully informed. Given the advice from the ICO above, it is the BMA's view that it is highly unlikely that patients will be fully informed already and that further actions will be necessary to ensure that they are. 

    In making a decision it is important to consider the alternatives to using TSO and how often they are likely to be needed. Alternatives to TSO sharing for scheduled direct care could include using other traditional methods of referral, e.g. letter, the e-referral service, secure NHS e-mail, telephone calls, standardised forms or printouts, made on a patient by patient basis as and when necessary. Whatever alternatives GPs use they must ensure that they incorporate appropriate security measures, taking into account the sensitive nature of the data. These methods would need to comply with GMC guidance which becomes operative from 25 April 2017; these guidelines make it clear that GPs should only disclose relevant data necessary for direct care.

    In addition, the Summary Care Record in its basic form is available throughout England and provides information about drugs and allergies, and with the provision for additional information to be added with explicit patient consent in creating an enhanced SCR.

    What is clear is that practices cannot do nothing. They can reduce risk by ensuring a robust system is in place that enables patients to be fully informed about the TSO sharing model with sharing remaining on, or abolish future risk by turning sharing off whilst still informing, with the intention of turning it back on at some point in the future.


    Dissent codes

    As part of fair processing, the practice should have a system for recording patients who object to their data being shared outside the practice under these arrangements. We understand (and are deeply concerned) that TSO sharing does not automatically respect nationally agreed sharing dissent codes. This means it is possible that patient records are being shared despite the presence of these codes in their coded records. Practices with sharing turned on must immediately ensure that every patient's coded dissent preferences are reflected in the TSO specific sharing controls.


    If I am in a locality, group, federation or hub and we are already sharing - what do we do?

    Although sharing via TSO is almost always a group decision made by a health community the liability lies with the individual practices. If your local health community is using TSO then we suggest you urgently review your arrangements accordingly.


    What happens if I turn off sharing?

    If you are in a locality with working models that rely on data sharing, switching off data sharing could affect the functioning of such services or cause inconvenience for patients and GPs and staff. The ultimate responsibility for GPs and practices must however be to comply with the DPA as well as GMC standards.

    If you turn off sharing you will need to inform your patients why you are doing so, especially if it affects the delivery of any services. If practices are part of a local federation of locality group that has organised data sharing, this could be communicated by the relevant locality group.

    You will also need to try and ensure beforehand that those providers who are caring for your patients are provided with the information they need to treat them and any additional information that they reasonably request.


    I am about to join a locality, group, federation or hub - what do we have to do or achieve before we can share?

    We would suggest that you enter the group but with sharing turned off and use other existing means of providing information, unless you are certain appropriate fair processing is in place and your patients are already fully informed, in which case you will be more able to enter the group with sharing turned on.


    If I decide to not share now, when am I likely to be able to turn it on?

    When you have fairly informed patients about who will have access to their records or when TSO is fully compliant with the DPA - there is no timescale for this at present.


    Should I consider changing systems?

    This is an option; however practices should consider the enormous disruption that a core clinical system change incurs - it is generally accepted that it takes 18 months for a practice to return to business as normal. The BMA would not recommend changing systems without a very careful and detailed assessment. Practices are entitled to change systems under GPSoC and would need to apply to their CCG.


    What about breaches?

    Data controllers are required to inform their data subjects as soon as they become aware of breaches, as well as informing them of what they can do to "take steps to protect themselves".


    Access to our patient records under TSO is consent controlled and SmartCards are needed, what is the problem?

    There are access overrides that are considered to be too easy to action and which can be activated as the default across an organisation. Smartcards are not always necessary, users can log on with usernames and passwords.


    TSO has functionality to limit sharing of individual patient records, what is the problem?

    It has recently become possible to restrict sharing from within an individual's personal record but this cannot be done at a practice level. Restricting sharing in this way would be impossible to manage for every patient on a practice's entire list. Data controllers have a duty to protect patient records, making them available only when needed. By effectively opening up all their records for access all of the time GPs are exposing them to a vulnerability that is not justifiable. Finally, TSO does not automatically respect agreed national dissent codes embedded in individual patient records.


    What is the plan for the future?

    A variety of measures have been agreed with TPP to reduce the risks practices face using TSO while further measures are being discussed. These initial mitigations include:

    • Revised information and fair processing documents - these were circulated to TPP practices on 24 February 2017. The BMA does not believe these are fit for purpose.
    • Code of Conduct – a set of guidance and pointers, rather than a formal data sharing agreement, was sent to all TPP users on 24 February 2017.
    • A screen for TSO users showing existing and new organisations that have started sharing - made available on 16 March 2017.
    • Patients who have online access through SystmOnline being able to see who has accessed their record will be available from 16 March 2017.
    • Technical changes planned to be delivered by 31 July 2017:
      • New organisations entering TSO will have sharing turned off by default. They will have to confirm they understand and comply with all necessary requirements prior to activating sharing.
      • Sharing preferences on SystmOne - patients will be able to see their current sharing preferences.
      • Review of consent override functionality.

    The BMA and other stakeholders will be pushing for further changes to TSO to give GPs the ability to limit sharing with only selected organisations. This functionality will allow practices to decide which other TSO sites can access their records. This will provide full compliance with the DPA. TPP have also been asked to provide functionality that will alert patients, via patient online services, to consent overrides.

    TPP is responding quickly to these issues and is actively deploying updates and revisions. We understand that a software revision answering question 3 below was sent out on 16 March 2017. This is a rapidly changing situation and practices should keep up to date with changes.


    Where can I get further help and support?

    You should contact TPP if you have unanswered questions or require technical support.

    The BMA has sent TPP the following list of outstanding questions that they need to be able to answer:

    • How do I turn off sharing?
    • How do I turn on sharing?
    • Can I see a list of sites that could access my patient's records?
    • Can patients see a list of sites that could access their records?
    • Are my practice records shared? If so for how long have they been shared?
    • How often or how many records have been accessed on a daily/weekly/monthly basis?
    • When my record is accessed by another organisation is the practice informed? Can I be informed?
    • Has anyone accessed my record from another organisation? If so, was the practice informed?
    • Can I get a list of all organisations that have or could have accessed our records along with frequency?
    • Can alerts be configured? If so, how?
    • How many records have been accessed with a consent override?
    • How many record access alerts have I received as a user or clinician?
    • Do I need to view all the alerts I receive?
    • Is there a simple way to see who has accessed an individual record both within the practice and externally as I may be asked by a patient during a consultation?
    • Can patients find out directly whether their records have been accessed?
    • How can I find out about access where the consent override has been used?
    • How many TPP users can potentially see my records?
  • Download

    Download a copy of the full guidance and FAQs (PDF)