Fiona Barr

The allegations that practice staff can view patient details on the PDS were first aired late last week in the newspaper GP. They stemmed from an investigation mounted by GPs in Nottinghamshire who were concerned about who was able to access the information held on the PDS for use with Choose and Book.

Chris Locke, chief executive of Nottinghamshire Local Medical Committee, said a GP in Nottinghamshire had asked a colleague in a different part of the country to see if a receptionist in their practice could locate a GP’s details using simply the name, gender and a 20-year date range for the possible date of birth.

The result was that the receptionist was able to view the GP’s name, address, date of birth, disability status (a facility which allows users to highlight a patient’s need for communication by Braille, wheelchair access and so on) and consent flag.

If one had existed, the receptionist would also have been able to see the Choose and Book password. The LMC believes information on where the patient had been referred may also have been visible. The identification of the GP on the system was made possible because the person had an unusual surname.

Locke told EHI Primary Care that one of the concerns was that abused partners wanting to conceal their location could be vulnerable to an NHS smartcard user misusing the system to locate their address: "Anyone who did so would be breaking the law but that could be shutting the stable door after the horse has bolted."

Undermining the system

Ewan Davis, chairman of the British Computer Society’s Primary Health Care Specialist group, said he was very concerned that people with legitimate reasons to conceal their demographic data had not been given the opportunity to do so before the PDS went live, even though technically the PDS already allowed ‘stop-noting’, which would withhold data in such cases.

He told EHI Primary Care: “I think it’s very disturbing that good design has been undermined by a failure to operationally manage the implementation of the security facilities.”

Davis said he had been very impressed by the security systems planned for the NCRS but blamed political imperative, which he said had led to the rushing out of smartcards, sometimes without the proper controls, and before there had been a chance to alert citizens to the existence of the PDS.

He added: “My other major concern is that the whole programme may be undermined and thrown into a bad light which if the designers’ plans had been put into place wouldn’t have happened. If you are going to be successful at implementing an IT project you need some early wins and you need to avoid early elephant traps.”

Davis said the iSOFT user group forum alone had generated more than 100 messages on the subject in the last week or so and Richard Gunn, chairman of the iSOFT user group, told EHI Primary Care that the issue had led to a lack of confidence in the spine’s ability to protect patient information. He added: “iSOFT users have expressed the view that more can and should be done to protect patient confidentiality.”

Locke said that the GPs involved in the investigation were keen not to be identified by name after being told by Connecting for Health that to access the PDS for non-legitimate reasons would be breaking the law and could lead to disciplinary procedures and even prosecution.

Access protocols

The Nottinghamshire discoveries were followed up at the weekend by the revelation that details could not only be accessed but also changed. Whether referral information can be viewed via the PDS is unclear: some GPs claim it is possible, although Connecting for Health disputes this.

Access to the PDS with a smartcard is determined by PCTs and practices when smartcards are distributed. Practices can choose from three different consent levels for each member of their staff: clinical staff with rights to access clinical information, administrative staff with rights to access clinical information, or administrative staff with rights to access non-clinical information. However, even access to non-clinical information allows receptionists to view PDS data, including the consent flag and the Choose and Book password.

The consent/share flag is intended to indicate where patients are prepared for their information to be shared via the NHS Care Records Service, although no information has yet been uploaded to the NCRS.

EHI Primary Care understands that Choose and Book passwords would also need to be accompanied by a unique booking reference number given to the patient at the time a booking was discussed before clinical details would be released.

Dr Laurie Slater, a London GP and IT lead for Hammersmith and Fulham PCT, has an interest in the security controls within NCRS. He told EHI Primary Care that PDS data was essentially non-clinical and that it is individual practices, after discussion with their PCTs, who have the final say over which access permissions to allow.

He added: "There is a clear opportunity here for further education about these access controls so that we all understand the issues and can make sensible decisions about what permission to grant to various members of staff."

He added: "The consent share flag through Choose and Book is currently available to all those with booking access rights, which is not what was originally intended. Currently this is a fairly academic point as data has yet to be uploaded to the spine, but it seems likely that when the spine does contain clinical information that this flag will be restricted to clinicians, or those with special training. I gather that the precise models of consent and the ways in which patient data might be withheld are still under discussion."

While those discussions continue there is no doubt that all those involved in NHS IT remain concerned about the impact the current row over the PDS might have on clinical and public engagement in the National Programme for IT.
