Over the past couple of weeks I have been increasingly concerned that the likes of Patient Access are positioning themselves to be the controller of your health data – and by offering a magic solution at no cost, it is more likely than not that your data will be used.

If not now, then at some point in the future.

There is no need for this data to be managed by an outside organisation.

The NHS is big enough and should be bright enough to put in place its own tools for managing and sharing data, or at least be honest and ask the questions.

My conversations with my GP practice along with my responses are below. Read it, soak it up and then make your own mind up.

Something is not right here and the NHS seems to be complicit, it could be, I am wrong on this and

If you are communicating with your GP, there is a chance they will no longer deal via email for day-to-day correspondence, forcing you to use paper or the online service known as Patient Access. Importantly, my local hospital, East Surrey, is using another data collector, which means two firms now have access to my medical records.

I will provide further links at the bottom of this article.

#####

Good morning Furnace Green.
Some confusion with your website, could be me being thick.
Online access via your website is managed by Patient Access for which I have to register.
Yet Stericycle provide services and share my data – this is not even a UK based firm.
Does the surgery pay for these services or are they centrally funded?
Online – via the NHS App there is a request to share data with Patients Know Best in order to view some information.
This seems to be another third party provider.
Which one of these has access to my data, and how many portals do I need to be registered with in order to make this work?
All I wanted to do this morning was engage electronically with the service.
Thanks in advance.
Richard Smith
20 Gainsborough Road
CC Henry Smith MP – Henry, are you aware of these shenanigans?
#####
Short Telephone Call followed, no answers from the practice manager, except to say that they have not had any complaints before.
######
In reply from my GP Surgery

Good morning Mr Smith, thank you for your email.

Online access can be provided via a number of third parties, most commonly Patient Access – once a patient “signs up” for such access, they can then create an account with said third party so that they can order prescriptions etc via the website. As stated in your email, the NHS App uses another platform (Patient Knows Best) in the management of the data they hold.

Both Patients Access and the NHS APP are the Data Controllers for the information you share with them, so you should contact them to ask to see their Privacy Notices and/or details about how they look after your data.

It is possible to have an account with both Patient Access and the NHS App, depending on what sort of information you are looking for and/or what you are trying to do.

I hope this clarifies matters for you.

Kind regards,

Withheld.

Practice Manager

####

Follow up, response from NHS Digital

Good morning Mr Smith,

I have contacted the West Sussex Data Protection Officer for some advice in regard to your questions about Patient Access and the management of data security. I have received the following response:

Patient Access is an online patient access portal which has been designed by Egton Medical Information Systems Limited (EMIS). EMIS is the patient record data storage system that is used by the practice to manage all patients' medical records. It is a secure system and is used by GP practices across the country. It allows a continuous medical record to be maintained by the GP practice.

EMIS have responded to the law regarding patients individuals right of access to develop a system which allows patients to access their own record held by the NHS within the EMIS system. The medical record does not leave the domain of the EMIS medical recording system, but allows patients to log in to certain aspects of their own medical record held in the system, it also allows patients to undertake certain activities such as making appointments, or ordering medication, you may also use it to view your medical record held in the EMIS system.

Please find the link to the patient access privacy policy for your assurance.

https://support.patientaccess.com/privacy-policy

I hope you find this information useful and I hope it satisfies your enquiry regarding the security of your information. As discussed on the phone, if you choose to not use the online portal or the NHS App to request medications, please select the medicine you require on the right hand side of the prescription slip you receive from the pharmacy, and put this in the letterbox outside the surgery.

My reply is below.

#####

Thank you.
I am afraid the response from them is based on a marketing document from EMIS and not factually true, in that their own notice (read it) allows the transfer of data, even if they have not done so to date.
Just because all GP practices use the system does not make it right; GPs will do as they are told, they have a contract after all.
The data they have access to is more valuable than just about anything else on the planet.
Without being all ‘conspiracy theory’ – the data they collect could make them more valuable than God (I’ve met God, he’s a divorce lawyer in Holborn, London).
Even basic law will point out to you that their own notice does little to allay any fears. The fact that bright, educated people like GPs and their staff are not raising any questions over this means that summat is up. I have taken it up directly with EMIS and Henry Smith MP.
You might think I am being unreasonable, yet it is the unreasonable man/woman that raises these issues because they are important. The NHS is under siege from corporations promising all kinds of things at no/little cost.
Of course they will, they have access to data, and in an increasingly digital world that is power, further if there is nothing to hide, there is no need for a privacy notice.
The mere fact there is means there is something going on.
Richard Smith
Appendix/notes below.
From their website/the policy.

As noted above, we sometimes use other organisations to process your personal data on our behalf, for example, in relation to analysis of the use of the Service and/or Booking Service. We may use service providers to help us run the Site, App, Service and/or Booking Service, some of whom may be based outside of the UK or the EEA. However, it is our responsibility to ensure that if we use any such service provider that we ensure that we have the necessary safeguards in place. We may also independently audit these service providers to ensure that they meet our standards.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of any data transmitted to the App or the Site; any transmission that you make is therefore made at your own risk. However, once we have received your data, we will use strict procedures and security features designed to prevent any unauthorised or unlawful access to the same and all information you provide to us will be stored securely.

Couple of things. We are no longer part of the EEA. An admission that data transmitted across the internet is not secure – the risk of data loss is all mine, and not theirs, according to their terms.

Even basic consumer and contract law provides more protection than that. E.g. take a jumper back to Next and it’s replaced if faulty – the shop accepts responsibility. Patient Access loses your data – then tough, your problem.

BASIS ON WHICH WE PROCESS YOUR PERSONAL DATA

where it is in our legitimate interests to do so (provided this is not overridden by considerations regarding your rights and interests), such as:

This sentence is poorly worded and does nothing to explain further. I would suggest it’s worded like this for a reason. It could be construed that it is in my best interests to find a cure for x or y, but that alone should not allow access to all of my data and medical records, and if it does, then who benefits financially from the sharing of these records?

Disclosure of Data

DISCLOSURE OF YOUR INFORMATION

We may disclose your personal data to third parties in the following circumstances:

  • If we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation or request.
  • To a contractor appointed by us to deliver elements of the Service on our behalf (and under our control). Any access we might grant to a contractor will be limited to such information as is required for them to deliver the relevant service (and will be subject to a contract which includes appropriate obligations of confidence and compliance with applicable law).
  • To your nominated pharmacy (or Smart Pharmacy as appropriate) in order to provide them with details of your medication requests.
  • To any third party provider with whom you make a booking through our Booking Service.
  • In order to:
    • enforce or apply the Terms of Use and other agreements or to investigate potential breaches of the same; and/or
    • protect the rights, property or safety of EMIS, our customers, or others (acting at all times in accordance with our obligations under the relevant data protection legislation and the terms of our agreement with your GP practice).
  • In accordance with any instructions we might receive from your GP practice (in respect of your Health & Fitness Data and in their capacity as a data controller).
  • In connection with a potential sale or transfer of part or all of our business. In such circumstances we may share information with prospective purchasers (for example as part of a controlled due diligence exercise).
  • If we reorganise our business as we may need to transfer information about you to another member of our group of companies so that we could continue to provide the Service to you.

###

Their privacy policy is here https://support.patientaccess.com/privacy-policy

Below is my email to Patient Access sent on the 23/6/21

Dear Sirs.
It has been suggested by my GP practice that I use your service.
Couple of questions.
Who pays for your service?
I understand that it is free for me to use, so how are you paid?
Marketing Services
What does this mean?
How is my identity a data control mechanism?
  • For marketing purposes: We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising, including the following personal data control mechanisms:
    • We may use your identity, contact details and Device Information to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (i.e. ‘marketing’).
    • You will receive marketing communications from us if you have requested information from us or receive services from us and you have not opted out of receiving that marketing.
    • We may ask you to identify areas of particular interest (which may be related to certain conditions) and if you choose to provide those details then we may send you information which we feel may be relevant to those areas of interest or which might otherwise be of interest to you based on the preferences identified.
    • We will get your express opt-in consent before we share your personal data with any third party for their marketing purposes.
    • You can ask us (or any third parties) to stop sending you marketing messages at any time (see below for further details).
Can you please explain the following paragraph? What does this mean?
  • where it is in our legitimate interests to do so (provided this is not overridden by considerations regarding your rights and interests), such as:
    • managing the Service or Booking Service, updating your records, contacting you about the Service or Booking Service (where appropriate);
    • performing and/or testing the performance of, our products, services and internal processes;
    • following guidance and recommended best practice of government and regulatory bodies;
    • managing and auditing our business operations;
    • monitoring and to keeping records of our communications with you;
    • undertaking market research and analysis and developing statistics; and/or
    • for direct marketing communication purposes and to help us to offer relevant products and services;
Where is my data held and who is it shared with?
Is the data shared on servers held in the UK or elsewhere in the world, is that data encrypted and what algorithms are used to prevent third party access in case of a breach?
HOW AND WHERE WE STORE YOUR PERSONAL DATA

We use strict procedures and security features designed to prevent any unauthorised or unlawful access to the personal data which we control.

Personal data which we hold in relation to you will be stored securely at our offices and (where relevant) at the offices of third-party agencies, service providers, representatives and agents. We may also hold your personal data in secure data centres located within the United Kingdom or European Economic Area (EEA). 

Is this now out of date?

Have you ever had a data breach, if not how do you know?
Lastly, your funding model, who pays for your services to me and the GP practice.
I look forward to hearing from you.
Richard Smith
###
Links and supporting information
Patient Access – owned ultimately by this company
That is already a highly profitable business despite offering free services like Patient Access to GP surgeries.