Over the past couple of weeks I have been increasingly concerned that the likes of Patient Access are positioning themselves to be the controller of your health data – and by offering a magic solution at no cost it is more likely than not – your data will be used.
If not now, then at some point the future.
There is no need for this data to be managed by an outside organisation.
The NHS is big enough and should be bright enough to put in place its own tools for managing and sharing data, or at least be honest and ask the questions.
My conversations with my GP practice along with my responses are below. Read it, soak up and then make your own mind up.
Something is not right here and the NHS seems to be complicit, it could be, I am wrong on this and
If you are communicating with your GP there is a chance they will no longer deal via email for day to day correspondence, forcing you to use paper or the online service known as Patient Access, importantly, my local hospital East Surrey is using another data collector, which means two firms now have access to my medical records.
I will provide further links at the bottom of this article.
Good morning Mr Smith, thank you for your email.
Online access can be provided via a number of third parties, most commonly Patient Access – once a patient “signs up” for such access, they can then create an account with said third party so that they can order prescriptions etc via the website. As stated in your email, the NHS App uses another platform (Patient Knows Best) in the management of the data they hold.
Both Patients Access and the NHS APP are the Data Controllers for the information you share with them, so you should contact them to ask to see their Privacy Notices and/or details about how they look after your data.
It is possible to have an account with both Patient Access and the NHS App, depending on what sort of information you are looking for and/or what you are trying to do.
I hope this clarifies matters for you.
Follow up, response from NHS Digital
Good morning Mr Smith,
I have contacted the West Sussex Data Protection Officer for some advice in regard to your questions about Patient Access and the management of data security. I have received the following response:
Patient Access is an online patient access portal which has been designed by Egton Medical Information Systems Limited (EMIS). EMIS is the patient record data storage system that is used by the practice to manage all patients medical records. It is a secure system and is used by GP practices across the country. It allows a continuous medical record to be maintained by the GP practice.
EMIS have responded to the law regarding patients individuals right of access to develop a system which allows patients to access their own record held by the NHS within the EMIS system. The medical record does not leave the domain of the EMIS medical recording system, but allows patients to log in to certain aspects of their own medical record held in the system, it also allows patients to undertake certain activities such as making appointments, or ordering medication, you may also use it to view your medical record held in the EMIS system.
I hope you find this information useful and I hope it satisfies your enquiry regarding the security of your information. As discussed on the phone, if you choose to not use the online portal or the NHS App to request medications, please select the medicine you require on the right hand side of the prescription slip you receive from the pharmacy, and put this in the letterbox outside the surgery.
my reply is below
As noted above, we sometimes use other organisations to process your personal data on our behalf, for example, in relation to analysis of the use of the Service and/or Booking Service. We may use service providers to help us run the Site, App, Service and/or Booking Service, some of whom may be based outside of the UK or the EEA. However, it is our responsibility to ensure that if we use any such service provider that we ensure that we have the necessary safeguards in place. We may also independently audit these service providers to ensure that they meet our standards.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of any data transmitted to the App or the Site; any transmission that you make is therefore made at your own risk. However, once we have received your data, we will use strict procedures and security features designed to prevent any unauthorised or unlawful access to the same and all information you provide to us will be stored securely.
Couple of things. We are no longer part of the EEA. An admission that data transmitted across the internet is not secure – the risk of data loss is all mine, and not theirs, according to their terms.
Even basic consumer and contract law provides more protection than that. E.g take a jumper back to Next and it’s replaced if faulty – the shop accepts responsibility. Patient Access loses your data – then tough, your problem .
BASIS ON WHICH WE PROCESS YOUR PERSONAL DATA
where it is in our legitimate interests to do so (provided this is not overridden by considerations regarding your rights and interests), such as:
This sentence is poorly worded and does nothing to explain further. I would suggest it’s worded like this for a reason. It could construed that
it is my best interests are to find a cure for x or y, but that alone should not allow access to all of my data and medical records and if it does
then who benefits financially from the sharing of these records.
DISCLOSURE OF YOUR INFORMATION
We may disclose your personal data to third parties in the following circumstances:
- If we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation or request.
- To a contractor appointed by us to deliver elements of the Service on our behalf (and under our control). Any access we might grant to a contractor will be limited to such information as is required for them to deliver the relevant service (and will be subject to a contract which includes appropriate obligations of confidence and compliance with applicable law).
- To your nominated pharmacy (or Smart Pharmacy as appropriate) in order to provide them with details of your medication requests.
- To any third party provider with whom you make a booking through our Booking Service.
- In order to:
- protect the rights, property or safety of EMIS, our customers, or others (acting at all times in accordance with our obligations under the relevant data protection legislation and the terms of our agreement with your GP practice).
- In accordance with any instructions we might receive from your GP practice (in respect of your Health & Fitness Data and in their capacity as a data controller).
- In connection with a potential sale or transfer of part or all of our business. In such circumstances we may share information with prospective purchasers (for example as part of a controlled due diligence exercise).
- If we reorganise our business as we may need to transfer information about you to another member of our group of companies so that we could continue to provide the Service to you.
Below is my email to Patient Access sent on the 23/6/21
- For marketing purposes: We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising, including the following personal data control mechanisms:
- We may use your identity, contact details and Device Information to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (i.e. ‘marketing’).
- You will receive marketing communications from us if you have requested information from us or receive services from us and you have not opted out of receiving that marketing.
- We may ask you to identify areas of particular interest (which may be related to certain conditions) and if you choose to provide those details then we may send you information which we feel may be relevant to those areas of interest or which might otherwise be of interest to you based on the preferences identified.
- We will get your express opt-in consent before we share your personal data with any third party for their marketing purposes.
- You can ask us (or any third parties) to stop sending you marketing messages at any time (see below for further details).
- where it is in our legitimate interests to do so (provided this is not overridden by considerations regarding your rights and interests), such as:
- managing the Service or Booking Service, updating your records, contacting you about the Service or Booking Service (where appropriate);
- performing and/or testing the performance of, our products, services and internal processes;
- following guidance and recommended best practice of government and regulatory bodies;
- managing and auditing our business operations;
- monitoring and to keeping records of our communications with you;
- undertaking market research and analysis and developing statistics; and/or
- for direct marketing communication purposes and to help us to offer relevant products and services;
We use strict procedures and security features designed to prevent any unauthorised or unlawful access to the personal data which we control.
Personal data which we hold in relation to you will be stored securely at our offices and (where relevant) at the offices of third-party agencies, service providers, representatives and agents. We may also hold your personal data in secure data centres located within the United Kingdom or European Economic Area (EEA).
Is this now out of date?