Most GP surgeries have good patient data protection schemes in place, a report by the Information Commissioner’s Office has concluded.

The report, published today, sums up 24 advisory visits by the ICO to GPs across England in the past year.

It says the majority of GPs had good data protection policies and awareness of data issues, including proper security and patient confidentiality.

It says many surgeries incorporated information governance and confidentiality requirements into employment contracts and that staff “generally showed a good awareness of information governance and security issues.”

However, it also highlights that most practices are still quite paper-heavy and that paper records take up considerable space.

“Paper medical records were a challenge to manage at most locations due to the amount of space they take up,” it says. “Records were usually held in lockable filing cabinets or in separate lockable areas.”

The report adds that the security and quality of storage space varied. And while surgeries showed “a strong awareness of the need to dispose of confidential paper waste securely” the report argues that some need better procedures for systematically reviewing files.

“Surgeries were aware of standard NHS guidelines and timeframes for records retention and disposal, but there was a general lack of specific local procedures or protocols to review files and meet these standards,” it says.

The ICO report also argues that some improvements are needed in IT procedures, particularly where these used to be covered by services provided by primary care trusts, which have been disrupted by their abolition and the introduction of clinical commissioning groups.

It notes that a number of the surgeries visited allow unrestricted internet access by staff, including access to personal email and webmail accounts, which could be a source of data leakage, and that some have failed to secure USB ports or sticks.

The report argues there could also be improvements in reporting data breaches. Although it found that GPs had procedures in place for reporting serious and “untoward incidents”, they tended not to clarify which incidents were information governance incidents.

ICO ‘good practice’ team manager, Lee Taylor, said the ICO hoped GP surgeries would use the report to review their procedures for handling personal information.

“Data breaches at GP surgeries can have significant repercussions for the individuals affected. But we were broadly pleased with what we saw during the advisory visits,” he said.

“Having the right policies and procedures in place is the backbone to good data protection and the GP practices we visited tended to have these.” The advisory visits were carried out between April and November 2013.