Does this affect all TSO practices?
Not necessarily, as not all TSO practices have eDSM sharing turned on. This issue only applies if you have, or have had, sharing turned on. Those practices may need to take urgent action. We would however recommend that all TSO practices acquaint themselves with these developments.
What should practices do now? How can a practice inform its patients regarding TSO data sharing arrangements?
As things stand, the ICO is not expecting practices to write to every patient to fulfill requirements to fully inform them, but is expecting all other opportunities for fair informing to be utilised e.g. displaying posters, providing patient leaflets, etc.
Practice tip - how to communicate this information with your patients
Consider some of the following suggestions:
- displaying posters in your waiting rooms;
notices on your websites and other on-line services;
leaflets placed in waiting rooms;
advice on repeat prescription messages;
advice during consultations;
text (SMS) notices;
advising your Patient Participation Group (PPG)
Do I have to turn off sharing?
Whilst patients are being fully informed about the TSO sharing model, the practice should balance the risks of continuing to use TSO with eDSM enabled until patients are informed versus using TSO with sharing turned off. Practices should be aware that any new patients will also need to be fully informed about the TSO sharing model so this is not a short-term exercise but an on-going process.
it is the BMA's view that it is highly unlikely that patients will be fully informed already and that further actions will be necessary to ensure that they are.
The BMA cannot advise any individual doctor or practice whether or not to turn off the sharing function of their system. This is a decision that has to be made based on each individual situation. If, for instance, you have complied with fair processing then there is no reason to turn sharing off. Alternatively, if you are not confident that patients fully understand the sharing arrangements you need to take urgent actions to ensure that they are fully informed. Given the advice from the ICO above, it is the BMA's view that it is highly unlikely that patients will be fully informed already and that further actions will be necessary to ensure that they are.
In making a decision it is important to consider the alternatives to using TSO and how often they are likely to be needed. Alternatives to TSO sharing for scheduled direct care could include using other traditional methods of referral, e.g. letter, the e-referral service, secure NHS e-mail, telephone calls, standardised forms or printouts, made on a patient by patient basis as and when necessary. Whatever alternatives GPs use they must ensure that they incorporate appropriate security measures, taking into account the sensitive nature of the data. These methods would need to comply with GMC guidance which becomes operative from 25 April 2017; these guidelines make it clear that GPs should only disclose relevant data necessary for direct care.
In addition, the Summary Care Record in its basic form is available throughout England and provides information about drugs and allergies, and with the provision for additional information to be added with explicit patient consent in creating an enhanced SCR.
What is clear is that practices cannot do nothing. They can reduce risk by ensuring a robust system is in place that enables patients to be fully informed about the TSO sharing model with sharing remaining on, or abolish future risk by turning sharing off whilst still informing, with the intention of turning it back on at some point in the future.
As part of fair processing, the practice should have a system for recording patients who object to their data being shared outside the practice under these arrangements. We understand (and are deeply concerned) that TSO sharing does not automatically respect nationally agreed sharing dissent codes. This means it is possible that patient records are being shared despite the presence of these codes in their coded records. Practices with sharing turned on must immediately ensure that every patient's coded dissent preferences are reflected in the TSO specific sharing controls.
If I am in a locality, group, federation or hub and we are already sharing - what do we do?
Although sharing via TSO is almost always a group decision made by a health community the liability lies with the individual practices. If your local health community is using TSO then we suggest you urgently review your arrangements accordingly.
What happens if I turn off sharing?
If you are in a locality with working models that rely on data sharing, switching off data sharing could affect the functioning of such services or cause inconvenience for patients and GPs and staff. The ultimate responsibility for GPs and practices must however be to comply with the DPA as well as GMC standards.
If you turn off sharing you will need to inform your patients why you are doing so, especially if it affects the delivery of any services. If practices are part of a local federation of locality group that has organised data sharing, this could be communicated by the relevant locality group.
You will also need to try and ensure beforehand that those providers who are caring for your patients are provided with the information they need to treat them and any additional information that they reasonably request.
I am about to join a locality, group, federation or hub - what do we have to do or achieve before we can share?
We would suggest that you enter the group but with sharing turned off and use other existing means of providing information, unless you are certain appropriate fair processing is in place and your patients are already fully informed, in which case you will be more able to enter the group with sharing turned on.
If I decide to not share now, when am I likely to be able to turn it on?
When you have fairly informed patients about who will have access to their records or when TSO is fully compliant with the DPA - there is no timescale for this at present.
Should I consider changing systems?
This is an option; however practices should consider the enormous disruption that a core clinical system change incurs - it is generally accepted that it takes 18 months for a practice to return to business as normal. The BMA would not recommend changing systems without a very careful and detailed assessment. Practices are entitled to change systems under GPSoC and would need to apply to their CCG.
What about breaches?
Data controllers are required to inform their data subjects as soon as they become aware of breaches, as well as informing them of what they can do to "take steps to protect themselves".
Access to our patient records under TSO is consent controlled and SmartCards are needed, what is the problem?
There are access overrides that are considered to be too easy to action and which can be activated as the default across an organisation. Smartcards are not always necessary, users can log on with usernames and passwords.
TSO has functionality to limit sharing of individual patient records, what is the problem?
It has recently become possible to restrict sharing from within an individual's personal record but this cannot be done at a practice level. Restricting sharing in this way would be impossible to manage for every patient on a practice's entire list. Data controllers have a duty to protect patient records, making them available only when needed. By effectively opening up all their records for access all of the time GPs are exposing them to a vulnerability that is not justifiable. Finally, TSO does not automatically respect agreed national dissent codes embedded in individual patient records.
What is the plan for the future?
A variety of measures have been agreed with TPP to reduce the risks practices face using TSO while further measures are being discussed. These initial mitigations include:
- Revised information and fair processing documents - these were circulated to TPP practices on 24 February 2017. The BMA does not believe these are fit for purpose.
- Code of Conduct – a set of guidance and pointers, rather than a formal data sharing agreement, was sent to all TPP users on 24 February 2017.
- A screen for TSO users showing existing and new organisations that have started sharing - made available on 16 March 2017.
- Patients who have online access through SystmOnline being able to see who has accessed their record will be available from 16 March 2017.
- Technical changes planned to be delivered by 31 July 2017:
- New organisations entering TSO will have sharing turned off by default. They will have to confirm they understand and comply with all necessary requirements prior to activating sharing.
- Sharing preferences on SystmOne - patients will be able to see their current sharing preferences.
- Review of consent override functionality.
The BMA and other stakeholders will be pushing for further changes to TSO to give GPs the ability to limit sharing with only selected organisations. This functionality will allow practices to decide which other TSO sites can access their records. This will provide full compliance with the DPA. TPP have also been asked to provide functionality that will alert patients, via patient online services, to consent overrides.
TPP is responding quickly to these issues and is actively deploying updates and revisions. We understand that a software revision answering question 3 below was sent out on 16 March 2017. This is a rapidly changing situation and practices should keep up to date with changes.
Where can I get further help and support?
You should contact TPP if you have unanswered questions or require technical support.
The BMA has sent TPP the following list of outstanding questions that they need to be able to answer:
- How do I turn off sharing?
- How do I turn on sharing?
- Can I see a list of sites that could access my patient's records?
- Can patients see a list of sites that could access their records?
- Are my practice records shared? If so for how long have they been shared?
- How often or how many records have been accessed on a daily/weekly/monthly basis?
- When my record is accessed by another organisation is the practice informed? Can I be informed?
- Has anyone accessed my record from another organisation? If so, was the practice informed?
- Can I get a list of all organisations that have or could have accessed our records along with frequency?
- Can alerts be configured? If so, how?
- How many records have been accessed with a consent override?
- How many record access alerts have I received as a user or clinician?
- Do I need to view all the alerts I receive?
- Is there a simple way to see who has accessed an individual record both within the practice and externally as I may be asked by a patient during a consultation?
- Can patients find out directly whether their records have been accessed?
- How can I find out about access where the consent override has been used?
- How many TPP users can potentially see my records?