Maureen Baker

Dr Maureen Baker CBE

NHS Connecting for Health is issuing guidance on the use of the Personal Demographics Service. Dr Maureen Baker CBE, Caldicott Guardian and clinical director for patient safety at NHS Connecting for Health, explains what is in it and what should happen if the rules are broken.

With the shift to electronic patient information it is essential staff understand their responsibilities under the Data Protection Act, confidentiality laws and the NHS Care Record Guarantee for England.

While the systems provided by NHS Connecting for Health are protected by state of the art security and privacy measures, technology alone can never completely safeguard data. The bottom line is that it is the professional integrity of staff that provides the greatest protection.

The Personal Demographics Service is the national electronic database of patients’ demographic information. It is also a key element of the NHS Care Records Service underpinning the creation of an electronic care record for every registered NHS patient in England.

The PDS enables a patient to be readily identified by healthcare professionals and associated, quickly and accurately, with their correct medical details.

It can be accessed by healthcare staff using Choose and Book, the Summary Care Record application, the Electronic Prescription Service and other systems and services that require patient demographic information. No clinical information is stored on the PDS, only demographic information including NHS Number, address and date of birth.

Everyone working across the NHS has an absolute duty and commitment to ensure that all patient information – demographic as well as clinical – is kept safe, secure and confidential. At the same time, patients have a right to privacy and to expect the NHS to keep their confidential information safe and secure, whether that information is in electronic or paper form.

Guidance on inappropriate access

New guidance published this week by NHS Connecting for Health makes it extremely clear that those who search and view the PDS must be approved to do so and must have an appropriate business reason to do so.

A good example of a justifiable business reason would be a receptionist in an out of hours setting booking a patient into a local system.

The guidance outlines what local health communities should do to prevent, monitor and take action if NHS staff, GPs or GP practice staff use IT systems and services to inappropriately view a patient’s demographic information.

It is important that all care settings undertake to play their part in keeping the NHS infrastructure secure. In primary care, GPs need to ensure that systems are used with care and that their staff do not access patient information inappropriately.

Heads of GP practices, in their role as clinical governance leads, take responsibility for this when signing the Information Governance Statement of Compliance (IGSoC). In other care settings, the IGSoC is usually signed by the trust chief executive and all staff need to comply with this.

The IGSoC is the agreement between NHS CFH and service users that sets out the information governance policy and terms and conditions for use of NHS CFH systems and services.

Flagging sensitive records

Patients in sensitive or vulnerable positions, such as those in the public eye or who have suffered domestic violence, can request that their information on the PDS is flagged as sensitive. A patient’s record is only marked as sensitive (‘s-flagged’) by explicit request, never routinely.

This is typically by a patient asking their GP or by agencies such as police, parole boards or social services asking that s-flags are applied for witness protection and safety concerns with the patient’s permission.

When a record is ‘s-flagged’, the PDS does not return any of the patient’s contact details or other information that could be used to determine their location – for example, their address, telephone numbers and GP details.

Addressing inappropriate access

Anyone working within a local health community can request details as to who has accessed a particular patient’s demographic details on the PDS and which records have been accessed by a particular individual.

Patients can also ask who has accessed their demographic information. Should it transpire that someone has deliberately accessed records without permission, this may result in disciplinary action.

Inappropriate access can only effectively be policed by the user’s own organisation. Local NHS organisations have at their disposal a range of sanctions and actions that can be taken against any individuals who access records without the necessary approval and justifiable business reason. These are:

  • Criminal action under the Data Protection Act
  • Civil action for breach of confidentiality
  • Disciplinary action under terms of contract of employment
  • Preventing the user from ongoing access to computer systems – this sanction is available to primary care trusts under the terms of GMS/PMS contract with practices
  • Action by General Medical Council for breach of patient confidentiality.

Any of these actions can be taken either by the patient whose records have been accessed or by the Caldicott Guardian for the organisation concerned. The particular circumstances of each case will dictate the course of action taken.

All individuals working within the NHS have a contractual obligation to comply with the NHS Code of Conduct for Confidentiality. Clinicians who access patient records inappropriately are guilty of professional misconduct. As soon as inappropriate action is suspected then disciplinary policies and procedures should be used.

Patients have an unequivocal right to expect their personal information is not misused and the NHS Care Record Guarantee provides patients with a range of commitments around the confidentiality of patient information. It is vital this trust is maintained.

Link: NHS Connecting for Health: Managing inappropriate access to patients’ demographic information using National Programme for IT and local systems and services.