Blog

Secret-Diary-of-a-Practice-Manager-2.jpg (1)

Secret Diary of a PM – A GDPR Dilemma

Over the past eighteen months I have written a number of blogs on the implications and interpretations of GDPR.


We have all received advice and guidelines on its ramifications, but I wonder if a recent incident at my practice is indicative of the continued confusion.

Let me explain, and see what you think. A retirement property company emailed a list of their residents that needed the Flu vaccination this year. Going through the list of names and flat addresses, a fair number of the patients were not ours.

So, we asked ourselves, is this a GDPR breach? We felt it was and so the next step was to contact our Data Protection Officer (DPO), who was in the Information Governance Department for our area.

Their response agreed with our assessment, which was that GDPR had been breached - but they also said we did not need to take action as it was not us who caused the breach.

I responded to them ‘what do you mean?’, and they replied that it is the care home’s responsibility to report the breach to the ICO – all we can do is advise them of the breach. They told me to just return the email to them, but what is the point of that?

This set me thinking, it’s a bit like turkeys voting for Christmas… you need to report yourself for a breach. How many breaches will get covered up by them not being reported?

I then got in touch with the ICO and without mentioning names I gave them the scenario and they agreed with everything I had been told - yes it seemed like a breach and our DPO was right that the care home should report it, not us.

I then asked why we cannot report this breach ourselves, but the ICO clarified that it is up to the care home to report it and not me. I could report it, and it may be investigated, but the ICO would not be able to discuss the case and findings with me.

Is this a law with little chance of enforcement because it relies so heavily on self-reporting?

I later contacted the care home and they said that all the residents on the list we received had agreed it would be better if one practice came into to do the flu jabs and they thought we would be happy with that.

They did not think it mattered if they were not our patients and, in any case, it was easier for them to get the jabs done on one day. I am still discussing this matter with them, but they tend to say they have not done anything. Should there be any developments then I will let you all know.


Have you found yourself in any tricky positions in the months following GDPR? Let us know in the comments below. FPM members can access the GDPR Toolkit for a wealth of information and resources.

Comments

First Practice Management 23/11/2018

Hi Jane, In terms of physical records and posting them out to patients, the ICO’s has said that: “The Practice may also request that the physical response is picked up by the requestor from the surgery but if the requestor refuses to do so, the Practice cannot withhold the data and must send it on”. You can find out more in one of our previous GDPR articles “GDPR And Accessing Medical Records - A Practice Manager's Guide”; http://www.firstpracticemanagement.co.uk/blog/gdpr-and-accessing-medical-records-a-practice-managers-guide/ Thanks for getting in contact! First Practice Management

Jane Hollingsworth 22/11/2018

Can you charge postage for SAR to a solicitor if they are not willing to send a courier to collect the medical records which are free of charge.

Leave a Comment

Related Posts

Main Image

A Letter to Myself as a New Practice Manager
1 March 2017


Main Image

Practices' locum pay arrangements under the IR35 spotlight
15 October 2018


Main Image

CQC has ‘improved the quality of care’ in general practice
23 October 2018


Main Image

Pension scheme tax allowance changes a relief for GPs
5 November 2018


Main Image

Health Secretary quizzed on post-Brexit stockpiling plans
26 November 2018


Categories

Popular Blog Tags

Post Archive

Trending

Upcoming Events

There are currently no events scheduled.

Jobs

Practice Business Manager - Spalding Lincolnshire

Closing Date: 12 February 2021

Salary: Dependant on skills and experience

Practice Manager - Cheltenham

Closing Date: 24 January 2021

Salary: £40,000 to £45,000 a year

Practice Business Manager - Stockport

Closing Date: 22 January 2021

Salary: £35,000 - £42,000 p/a ( negotiable - depending on experience )

Practice Manager - London

Closing Date: 31 January 2021

Salary: TBC

Practice Business Manager - Broadstone, Dorset

Closing Date: 22 January 2021

Salary: £50,000- £60,000 p/a depending upon experience

Operations Manager - Hertfordshire

Closing Date: 20 January 2021

Salary: Dependent on experience

Practice Manager - West Sussex

Closing Date: 25 January 2021

Salary: £50 - 60K dependent on experience

Business Manager - Alvaston (Derby)

Closing Date: 24 January 2021

Salary: Dependent on experience

PCN Manager - Five Elms PCN (Kent)

Closing Date: 31 January 2021

Salary: £44,606 pro rata/ Band 8a

Practice Business Manager - Spalding Lincolnshire

Closing Date: 12 February 2021

Salary: Dependant on skills and experience

Operations Manager - Hertfordshire

Closing Date: 20 January 2021

Salary: Dependent on experience

Practice Business Manager - Stockport

Closing Date: 22 January 2021

Salary: £35,000 - £42,000 p/a ( negotiable - depending on experience )

Practice Business Manager - Broadstone, Dorset

Closing Date: 22 January 2021

Salary: £50,000- £60,000 p/a depending upon experience

View all jobs

What others are viewing now

Latest Forum Posts

Fetching latest posts...

First Practice Management (FPM) is the UK's premier resource for GP practice managers. We help practice managers to get their practice compliant with regulation and to stay compliant.

Useful Links

Contact Us

First Practice Management,
Indigo House, Sussex Avenue,
Leeds, LS10 2LF
Phone: 0333 240 4010
Email: mail@firstpracticemanagement.co.uk

2021 © All Rights Reserved. Privacy Notice | Cookie Policy | Terms of Service