Updated ICO advice regarding data sharing
We have recently had contact from practices raising concerns that other organisations such as the Medical Examiner Team and Safeguarding Team have/or have requested access to the whole of their clinical system and all patient records.
Practices felt these requests were excessive and the requesting organisation did not need to have access to all patient records.
Due to these concerns, the LMC has contacted the Information Commissioner Office (ICO) to seek guidance.
Their advice was that this whole system access approach breaches the Data Minimisation Principle for special category data, “Personal data shall be: (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”.
They further added “You should only share the absolute minimum amount of personal information that is necessary for the other organisation to fulfil their task”.
Based on this very clear guidance from the ICO, our advice to practices is to not sign any data sharing agreements/enable Smartcard access that allows whole clinical system access where this will be in breach of the Data Minimisation Principle.
The LMC has written to the ICB, citing the information provided by the ICO and to advise on the guidance we will give to practices.
The LMC will continue to work with the ICB to find a safe solution to this issue for practices and patients.