
Statement from the ICO

Response statement from TPP

You may be aware that there has recently been some debate about SystmOne's enhanced Data Sharing Model (eDSM) and the Data Protection Act, including articles published last week on the Pulse and Digital Health websites.

The SystmOne eDSM is designed to facilitate safe and secure information sharing between health and social care organisations on a national scale for use in direct patient care. It enables patients to have greater control over their own records, and aligns with the NHS' vision of a 'paperless' NHS. The model was assured by Connecting for Health in 2013, under a national framework, and was given full roll out approval.

At the end of last year, the ICO raised concerns that eDSM does not adequately ensure that data controllers can be compliant with elements of the Data Protection Act. We would like to stress that the ICO has not commenced a formal investigation, nor issued an enforcement notice, either to TPP or to data controllers. Since these concerns were raised, we have worked alongside NHS Digital, NHS England and the ICO to provide mitigations to these concerns going forward. This is to ensure that data controllers are confident that they comply with the DPA. It is important to note that throughout these discussions, turning off eDSM has not been considered a viable solution for any party.

In conjunction with the aforementioned bodies, TPP has already made some of the planned enhancements to the way eDSM works. These enhancements will continue to be communicated out to users via the usual channels and all user guides will be updated. As with all tools in SystmOne, we continuously look to enhance our functionality, and may well make additional future improvements to eDSM in line with our usual development cycles.

TPP's main priority continues to be ensuring ongoing support and guidance to data controllers, alongside serving patients appropriately and protecting their safety. As all data controllers will be aware, there is a 'duty to share' under Caldicott guidance; users will need to inform patients if they choose to disable eDSM.

TPP will continue to inform users of any changes in functionality and will continue to keep interested parties up to date with the progress of our collective discussions. Please do get in touch with our systems analysts or clinical team if you have any concerns or would like further detail on any of the points above.

Update from the ICO

"The ICO has data protection compliance concerns about SystmOne's enhanced data sharing function and the potential risk to patients' medical records held by GPs. However, given the possible impact to patient care, the ICO is not advocating that users switch off data sharing at this stage. The ICO's concerns are centred on the fair and lawful processing of patient data on the system and ensuring adequate security of the patient data on the system. We continue to work closely with TPP, NHS Digital and NHS England and have seen an initial plan that they have put forward. This includes initial steps they are taking to remedy these issues and further work is planned."

Since the article over the weekend, our CSU trainers have been contacted by a number of practices seeking clarification on the issue and asking whether they should 'turn off' sharing. Whilst the ICO have raised concerns about the way S1 shares data, they fully acknowledged that to simply turn it off would constitute a significant and unwarranted clinical risk. They are instead seeking to work with TPP to ensure compliance, as they see it, with the relevant data protection laws. The issue is that the law doesn't accurately reflect the way in which TPP can share data and is therefore open to interpretation. The law also doesn't reflect the way in which SCR or GP2GP shares data. Until this is tested legally there is no definitive way to know whether e-DSM is compliant or not. What we do know is that the clinical risk of turning off sharing is significant.

This viewpoint is fully supported by the S1 National User Group. We are working with both TPP and NHS Digital to get further clarification. I've also been involved with a number of workshops nationally around requirements for data sharing between systems that will also address the issues raised. The issue is not helped by a general lack of understanding about the checks and balances built into the system.

Additionally, 'turning off' sharing itself creates its own additional risks and issues. A practice could change its default settings to express dissent to share in and out. Most, if not all, practices currently have their practice default settings set to consent to share in, and consent to share out is left unset. This means that data shared by the patient and recorded elsewhere will appear in the New Journal. However, as sharing out is left unset, the system will default to an implied dissent to share GP data with any other service. Therefore records that are unset for sharing out are not shared with anyone else.

There is a very important exception to this, though: in acute settings, OOH, 111 and A&E, if the patient consents to let those services see their GP record, it will be visible to that service for the duration of that episode of care.

Changing the default setting will have the following effects.

  • It will only apply to records as and when they are first opened after the change.
  • It will overwrite all previous preferences, including where express consent to share has been given by the patient. This could cause a significant clinical risk to the patient.
  • It will change all implied dissents to share (unset), to express dissent to share. That means the records will be blocked to all other S1 services including all urgent care units, irrespective of the patient's wishes.
  • Once a setting is applied to a record, it is not possible to revert it back to an implied state. The record can only be subsequently changed to express consent to share or express dissent to share.

Defaulting the practice settings to explicit dissent to share in has the same effects as above, plus:

  • All other S1 units' information will be blocked from the practice. This will include hospice, DN, HV, OOH etc.

In summary, whilst there are clearly concerns around e-DSM, these need to be contrasted with the implications for direct patient care. Ultimately it is of course a practice decision as to how to proceed in the short and long term, but the advice the trainers are giving is consistent with the latest ICO statement, in that practices should not stop sharing. As soon as further clarification has been received from TPP/ICO/NHS Digital or NHS England, we will of course update.