TPP has confirmed it is piloting new functionality in its SystmOne electronic patient record, with a view to addressing data protection concerns raised by the Information Commissioner’s Office (ICO).

The ICO first raised concerns about TPP in March, specifically in relation to the enhanced data sharing model (EDSM) in its SystmOne electronic patient record system.

SystmOne is used by nearly 3,000 GP practices in England, and the function makes it possible to share information about patients with other users.

The ICO’s worries centred on principles 1 and 7 of the Data Protection Act. These relate to fair and lawful processing of data, and to data security.

On Wednesday (30 August) it was announced that TPP has developed new functionality within SystmOne which is designed to address these issues. The changes are said to follow detailed discussions between the company, the ICO, NHS Digital and NHS England.

In a statement, TPP reported that the functionality “gives GPs greater flexibility and increased control over which organisations have visibility of the GP record”.

The statement added that the changes also enable “patients to work in partnership with their GP to decide who can view their shared record”.

The firm plans to pilot the new arrangements in the coming weeks. Sites involved in the testing have apparently already been selected, and any existing sharing arrangements in place will not be affected by the work.

In its own statement, the ICO welcomed the developments: “These changes, which will be implemented for GP practices using the system along with updated documentation, are welcome and represent significant progress in addressing the concerns raised by the ICO for GP data controllers using SystmOne”.

Both organisations said they would continue to work together during the pilot and following its completion, so as to ensure any final concerns are addressed.

The worries about the SystmOne model sparked a discussion paper published by the independent CCIO and Health CIO networks. It contended that current data protection guidance and regulations are contradictory and not conducive to effective patient care.

Complexities around data sharing are expected to increase with the introduction of the General Data Protection Regulation (GDPR), which comes into force next May.

Designed to make data protection guidance consistent across the European Union, it will introduce significantly higher penalties for breaches.