
Data Sharing and TPP

Date sent: Wednesday 22 March 2017

Dear Colleague

You will probably have read that concerns have been raised about the NHS IT systems in general practice and the sharing of data. Click here to read the Daily Telegraph article from last Saturday.

The issue relates to the enhanced Data Sharing Model (eDSM) that exists within TPP SystmOne. There have been concerns raised with the Information Commissioner (ICO) that this model is not sufficiently robust to meet the requirements that exist within the Data Protection Act, particularly Principle 1 and Principle 7. Click here to access DPA Principles.

Data security

There are over 6000 organisations that use TPP SystmOne and this includes 2700 practices but also includes:

There are large parts of Wessex where the sharing of information held within the GP patient record is occurring now. The Community providers in Dorset, Wiltshire, Southampton, Portsmouth and the Isle of Wight all use Community TPP, some of our hospices now use the Palliative care version of TPP, and Poole Hospital is shortly going to go live with a core module to enable the hospital clinicians to see the GP records with the patient's consent. When the Primary Care Access Centres, such as the one in Lymington, see patients, the clinicians are able to access the complete GP record.

These examples are benefiting patients now. Where this data sharing occurs, patients need to be made aware, so there is a model of informed consent and generally there is a Data Sharing agreement in place.

One of the issues is that there are potentially over 6000 organisations who can access your patient records if the practice sets TPP SystmOne to the sharing in and sharing out option.

My understanding, and I am happy to be corrected, is that for someone to see my medical records (and I am registered with a TPP practice) a person would need to work for an organisation that uses TPP SystmOne, and they would need to have a unique identifier and password to access their system. They would then need to register me on their system, which would include various demographic information about me, and they would then need to search for my records. Once they found them, to access them they would have to indicate that they have consent to view the record. This consent can be overridden and therefore allow unauthorised access from sites or individuals not related to providing direct care to the patient. There would then be an audit trail in my records to show who had accessed them, when, and which organisation they worked for. Practices are alerted when consent is overridden. Records of consented accessing have to be searched for or reports can be run. A message is sent to the practice to indicate someone has accessed these records. In addition, I am registered for online services with TPP SystmOne so I can, if I wish, look to see who has viewed my records.

There are concerns that the consent to view model is not secure enough.

Patients can decide they do not want to share their records and can therefore ask for this facility to be turned off for their records. In addition, there is the facility to make an entry in any patient's notes that is only visible to the person making the entry, or you can restrict access to the practice so that anyone outside the practice cannot view this entry.

Fair processing of data

Your patients have the right to know what you are doing with their data, and any action that fails to achieve this could potentially end up in a prosecution under the Data Protection Act. This is balanced with the duty of a GP under the GPC to share information for the provision of direct care for a patient.

The Information Commissioner is not requiring practices to write to every patient to inform them of any changes to the Data Sharing, but there does need to be a proportionate response from an organisation to inform patients.

Last year, I was involved in a pilot with the TPP practices, a Community Provider and a local Hospice to create a shared record to benefit patient care and to try to become more efficient. To get the pilot started we engaged with the Information Commissioner's Office to try to ensure that we were compliant with the DPA.

We suggested that we would inform patients by:

We did all the above and then about 6 weeks later we switched the data sharing on. This was acceptable to the ICO's office.

Attached is a leaflet that I have drafted for my practice. I am awaiting further discussions before I finalise this, but I am sharing the unfinished leaflet to give you an insight into the issues that I believe need to be shared with the patients.

The GPC, RCGP, NHS Digital and TPP are working with the ICO to try to resolve this matter. The GPC is about to produce guidance for GPs, which I will share when this is available.

Today the ICO's office has issued the following statement:

ICO statement in relation to the potential risk to patient medical records held by GPs on TPP SystmOne

An ICO spokesperson said:  “The ICO has data protection compliance concerns about SystmOne’s enhanced data sharing function and the potential risk to patients’ medical records held by GPs.

“However, given the possible impact to patient care, the ICO is not advocating that users switch off data sharing at this stage.

“The ICO’s concerns are centred on the fair and lawful processing of patient data on the system and ensuring adequate security of the patient data on the system. We continue to work closely with TPP, NHS Digital and NHS England and have seen an initial plan that they have put forward. This includes initial steps they are taking to remedy these issues and further work is planned.”

Click here to access the ICO's statement.

I will keep you updated when I have further information.

Best wishes


Dr Nigel Watson

Chief Executive

Wessex LMCs

Churchill House, 122-124 Hursley Rd

Chandler's Ford, Eastleigh

Hants. SO53 1JB (Registered Office)

Tel: 02380253874

Mobile: 07825173326


Attached file: Please read this leaflet carefully v3.docx

Updated on 22 March 2017