Guidance

Accelerated access to GP-held patient records – May 2024

The BMA have recently published further guidance on this matter. Accelerated access to records has caused understandable concerns for practices especially with a national push on ICBs to increase uptake by NHSE.

The update reads:

The BMA understands that some Integrated Care Boards (ICBs) are putting increasing pressure on practices to comply with the contractual requirement to provide online access to the prospective medical record for their registered patients, whether those patients have requested that access or not.

The BMA advice remains valid: we would encourage practices to follow their Data Protection Impact Assessment (DPIA) and put in place the mitigations identified, in order to be confident that the change to the processing of personal data is legal under the Data Protection Act.

It is worth noting that following the BMA’s advice of Autumn 2023, the Information Commissioner’s Office (ICO) was asked by many practices for its opinion on the proposed processing required by the contract, and its legality, should a practice’s DPIA be followed.

The ICO was content that the proposed processing was legal, with the caveat that the mitigations proposed within the DPIA be put in place. The ICO published their response here. The change to processing did not reach the bar requiring prior consultation, as the risks identified and mitigations proposed were deemed to be sufficient.

A key paragraph in the ICO’s response stated “As long as GP practices remain in control of deciding which records are made available, and retain the ability to prevent a patient record being accessed through the AAGPR [Accelerated Access to GP Records] system, we consider that they remain able to mitigate any risks to the rights and freedoms of individuals from the roll-out of the programme. We are satisfied that the potential data protection risks have been identified, and that sufficient mitigations are in place which still enable GP practices to meet their contractual requirements.”

It is the BMA’s view that the ICO advice should be followed by practices, and the relevant mitigations implemented, to ensure the processing is compliant with the requirements of the Data Protection Act. Should the proposed mitigations not be put in place, there may be a potential risk that the processing would not be compliant with the Data Protection Act. We would advise practices to construct a DPIA if one has not already been done (a template DPIA is available in the Resource section) and to implement the mitigations identified in its completion. We would also recommend you engage with your ICB.e 

Should the practice’s DPIA identify an opt-in model as a way of mitigating against the risk of harm, we recommend you demonstrate to your ICB team how you are approaching this, and advertising to those in your practice population who do not yet have online access. Should there be a long waiting list to process opt-in applications, we would recommend engaging with your ICB and seeking mutual agreement (with your LMC if necessary) around which parts of the overall practice contract should be prioritised.

There are many benefits for patients and practices in using the NHS app and other online patient-facing services. Access to the most detailed parts of the patient’s GP medical record when there may be a potential risk of harm should inadvertent or unexpected disclosure occur, needs to be enabled with care.

BMA _accelerated-access-to-gp-update-may-2024.pdf

First Published
28 May 2024
Updated On
29 May 2024
Due to be Reviewed
28 August 2024
Not signed in.

Please Login or Register an account to access the ability to favourite this.
Share this article

You might also find this useful...