Information Commissioner's Office

GP practices: good overall compliance with Data Protection Act, but still areas to improve on

A report published by the Information Commissioner’s Office (ICO) today has highlighted the positive approaches GP practices are adopting to look after people’s data.

The report summarises 24 advisory visits undertaken by the ICO at GP surgeries across England in the past year. The visits found surgeries tended to have good data protection policies and awareness of issues, including the need for adequate security and patient confidentiality. Practices also tended to have procedures in place around the practical aspects of data handling, including disposal of confidential papers.

But there are also areas highlighted in the report where improvements can be made. The advisory visits found some surgeries didn’t fully appreciate the need to report data breaches, and could make improvements to the way they inform patients about how their information will be used. Improvements were also suggested around faxing and the risks posed by unrestricted internet access.

Almost all of the surgeries had significant volumes of paper records that take up considerable space, highlighting the need for careful management of patient records on an ongoing basis.

Announcing the publication of the report, Lee Taylor, ICO Team Manager in the Good Practice team, said:

“The NHS processes some of the most sensitive personal information available and data breaches at GP surgeries can have significant repercussions for the individuals affected. But we were broadly pleased with what we saw during the advisory visits. Having the right policies and procedures in place is the backbone to good data protection and the GP practices we visited tended to have these.

“The findings are particularly important as the NHS has been undergoing a period of considerable change. We hope GP surgeries use this report to review their procedures for handling personal information at their own practice; this can only be good news for patients.”

The advisory visits were carried out between April and November 2013. The visits are a free service provided by the ICO for volunteers, and involve data protection experts visiting practices for around half a day. The visits to GPs were promoted with the support of the British Medical Association (BMA).

Organisations that would like to be considered for an advisory visit can learn more on the ICO website.

The ICO has produced data protection guidance for the health sector.

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

5. If you need more information, please contact the ICO press office on 0303 123 9070.
