GP data security – What the proposed new rules mean

Two major independent reviews (one from CQC and one from the National Data Guardian) on data security have suggested changes to the way that NHS organisations handle patient data.

Although the reports found that personal data is generally managed securely across NHS organisations, a number of recommendations have been set out to prioritise data security and implement a number of measures to ensure that patients understand how and when their information is being shared and that their data is safeguarded.

In this article we explore what the proposed changes may mean for GP practices.


Like many other business sectors, healthcare is increasingly adopting technology and going digital.

With data continuing to play a progressively critical role in healthcare – for GPs, pharmacies, hospitals and care homes – the risks that those businesses and practices are facing are changing at a rapid pace.

The majority of NHS organisations will inevitably find themselves more vulnerable to data breaches in the years to come, so it also becomes ever more important that there are regularly tested, adequate and robust data security systems in place to protect confidential patient data that they hold.

The report also calls for more adequate systems to ensure emails containing sensitive patient information are not sent to the wrong address, patient records are not lost, laptops are not used without encryption and data is not shared without patient consent. On that last point, the reports have recommended a much more extensive dialogue with patients about how their personal data is shared – anonymised or not – and put forward a new model of patient consent.

CQC has warned GP practices to be prepared for strengthened and more stringent inspections on information governance moving forward. Data security will be audited and inspected to the same level as clinical and financial standards, with practices having to demonstrate clear ownership and responsibility for data held.

What does this actually mean for GP practices?

GPs have always depended on trust and this is no different. It is vital that the public trusts GP practices and all organisations across the NHS to keep their personal data safe and secure. Many GPs may argue – and will be right to do so – that they already take data security very seriously and that further bureaucracy at practice level will not help overcome other managerial challenges.

But with technology and data sharing becoming an even bigger part of the delivery of primary care over the coming years (with electronic referrals, online patient appointment booking systems and large data systems), now might be the time to get ahead of the game, review data security procedures and implement appropriate changes.

Reminder: GP practices do not need to take any action yet, as these are simply recommendations at the moment. The government has now launched a 9 week consultation period to discuss the proposed recommendations on data security.

The new EU GDPR rules

Of more immediate concern for GP data security is the new EU General Data Protection Regulation (GDPR), which was finally released in April 2016. GPs will need to start planning ahead and preparing for the changes that are due to come into force in 2018. The UK’s decision to leave the EU comes at a crucial point in the evolution of EU data protection law and although the UK would not be tied down to the new rules now Brexit is confirmed, it is likely that, following post-exit negotiations, UK data protection standards would have to be equivalent to the EU’s GDPR framework.

For more information please read our article on preparing for the new EU GDPR rules here.

As the new rules bring greater power to authorities, data protection errors will now be far more expensive – both financially and through loss of reputation – than ever before.

More from our GP practice experts

You can find all of our latest GP practice sector news and newsletters here.

If you are looking for advice in a particular area, please get in touch with your usual Hawsons contact.

Alternatively, we offer all new clients a free initial meeting to have a discussion about their own personal circumstances – find out more or book your free initial meeting here. We have offices in Sheffield, Doncaster and Northampton.

Scott Sanderson, Partner

Scott Sanderson began his career with Hawsons and trained as a Chartered Accountant, becoming a partner in 2015, specialising in the healthcare sector and small businesses. For more details and advice, please contact Scott on [email protected] or 0114 266 7141.