Thousands of patients are being warned their GP electronic records may not be secure, amid an ongoing investigation into systems supplier, TPP.

The Information Commissioner’s Office has confirmed it is investigating TPP, over an “enhanced sharing” function in its SystmOne electronic patient record system.

“We do have data protection compliance concerns about SystmOne’s enhanced data sharing function,” a spokeswoman told Digital Health News.

TPP’s SystmOne is the second most widely used GP electronic system in England, used by nearly 3000 GP practices.

The ICO’s concerns about SystmOne specifically relate to the “fair and lawful processing of patient data on the system and ensuring adequate security of the patient data on the system”, based on the record sharing function within the system.

The ICO was talking to TPP and NHS  Digital about resolving these concerns, she said.

In a statement, a TPP spokeswoman said the company always encouraged GPs to inform patients of the record sharing function and “no user should be using the sharing functionality without fully understanding it and informing patients of the impact on their care.

“Balancing the ethical duty to share information for the benefit of the patient against the risk of misuse of patient data has always been an important consideration for the NHS.”

The company has recently updated its guideline to using the enhanced data sharing function “to help our users deal with these matters more effectively and keep patients informed”. The sharing function was approved for deployment under the Connecting for Health as part of the National Programme for IT.

“We believe it is vital that all parties continue to consider the wider issues of national sharing and, more importantly, the clinical risk of failing to provide continuity of care.”

Data sharing issues with SystmOne were first reported by Pulse, which said that the GPC had been raising concerns with TPP for more than a year.

The specific function allows hospitals and other care organisations to access, and add, to a patient records, providing they are an authorised TPP user.

Responding to the news, Medical privacy group MedConfidential said: “Failures of this sort are exactly why patients must be able to see by which organisations their GP records have been accessed.”

MedConfidental said it was encouraging that TPP was working to resolve the issue, by adding a visible audit trail for patients.

“This work will help reduce the harm of data breaches across the NHS, and not just for TPP.”