TPP: Privacy-unaware GP surgeries put patient records at risk with 'enhanced data sharing', claim campaigners

TPP, the company behind the SystmOne clinical management system widely used in GP surgeries across the UK, has rejected claims made over the weekend that patient records could be compromised as a result of 'enhanced data sharing' features in its software. Used by as many as one-in-three surgeries across the UK, managing the medical records of as many as 26 million patients, privacy campaigners criticised the company for the data sharing feature that, they claimed, could enable NHS staff from outside the surgery to access individual patient records. But TPP has hit back. It claims that this presented an over-simplified picture of the way in which privacy and security in the software is managed. "TPP provides clear information on how TPP's sharing model works so that health and social care professionals are fully informed of how the system works. "This is to ensure that such professionals understand how data will be shared within SystmOne and can provide comprehensive information to patients to enable them to make an informed decision on whether they wish their data to be shared," a TPP spokesperson told INQ. Individual patient consent must be sought as a matter of routine, they added, and only NHS staff with the right access levels and security clearance would be able to access it. "If no consent to share patient data has been provided then the user must physically override the consent providing a valid reason to do so," they added. Earlier, though, privacy campaigners had blasted the company for making it too easy for staff across the NHS to access "This is a truly devastating breach, which involves millions of patients' GP records - for some, the most deeply personal, sensitive and confidential data about them - being exposed to hundreds of thousands of people, with no mechanism to prevent them if any of them chooses to look," privacy campaigner Phil Booth, behind the medConfidential campaign group, told the Telegraph.As a result, suggested Dr Paul Cundy, the head of the British Medical Association's IT committee, GP surgeries up and down the country could be in breach of data protection laws - laws that could expose them to big fines from May next year when the EU's General Data Protection Regulation (GDPR) fully comes into force.But SystmOne creator TPP insisted that the issue had been blown out of all proportion. "The only story that exists here is that, as stated by the spokesperson from the Information Commissioner's Office, the ICO, NHS Digital, NHS England and TPP are in ongoing discussions over TPP's sharing model and how best to support data controllers whilst balancing the interests of the patient," TPP's spokesperson told INQ. The news came in the same week that a deal between Royal Free London NHS Foundation Trust and Google-owned artificial intelligence specialists DeepMind, which gave the company access to the private medical records of hundreds of thousands of patients, was slammed by an independent report. µ