We have all received advice and guidelines on its ramifications, but I wonder if a recent incident at my practice is indicative of the continued confusion.
Let me explain, and see what you think. A retirement property company emailed us a list of their residents who needed the flu vaccination this year. Going through the list of names and flat addresses, we found that a fair number of the patients were not ours.
So, we asked ourselves, is this a GDPR breach? We felt it was and so the next step was to contact our Data Protection Officer (DPO), who was in the Information Governance Department for our area.
Their response agreed with our assessment, which was that GDPR had been breached - but they also said we did not need to take action as it was not us who caused the breach.
I responded to them, ‘What do you mean?’, and they replied that it is the care home’s responsibility to report the breach to the ICO – all we can do is advise them of the breach. They told me to just return the email to them, but what is the point of that?
This set me thinking: it’s a bit like turkeys voting for Christmas… you need to report yourself for a breach. How many breaches will get covered up by simply not being reported?
I then got in touch with the ICO and, without mentioning names, gave them the scenario. They agreed with everything I had been told: yes, it seemed like a breach, and our DPO was right that the care home should report it, not us.
I then asked why we cannot report this breach ourselves, but the ICO clarified that it is up to the care home to report it and not me. I could report it, and it may be investigated, but the ICO would not be able to discuss the case and findings with me.
Is this a law with little chance of enforcement because it relies so heavily on self-reporting?
I later contacted the care home and they said that all the residents on the list we received had agreed it would be better if one practice came in to do the flu jabs, and they thought we would be happy with that.
They did not think it mattered if they were not our patients and, in any case, it was easier for them to get the jabs done on one day. I am still discussing this matter with them, but they tend to say they have not done anything. Should there be any developments then I will let you all know.
Have you found yourself in any tricky positions in the months following GDPR? Let us know in the comments below. FPM members can access the GDPR Toolkit for a wealth of information and resources.
Can you charge postage for a SAR to a solicitor if they are not willing to send a courier to collect the medical records, which are free of charge?

Hi Jane,

In terms of physical records and posting them out to patients, the ICO has said that: “The Practice may also request that the physical response is picked up by the requestor from the surgery but if the requestor refuses to do so, the Practice cannot withhold the data and must send it on”. You can find out more in one of our previous GDPR articles, “GDPR And Accessing Medical Records - A Practice Manager's Guide”: http://www.firstpracticemanagement.co.uk/blog/gdpr-and-accessing-medical-records-a-practice-managers-guide/

Thanks for getting in contact!

First Practice Management