Visit our Clinical Hub ยป
07 September 2018
print version

Q. The locum crisis has hit our area and three practices met recently to look at options for the summer holidays. We hope to cross-cover each other's holidays. I'm looking for advice whether we need any extra precautions with the advent of GDPR. We propose to see patients in our own surgeries but to use remote access to the holidaying practice's system. This gives us the patient's background and improves patient safety and continuity. We would end access permission on return from holiday. Any advice or observations would be greatly appreciated.

A. Functioning as a GP locum gives the covering practice a data protection basis for accessing the patient data. I do think that a locum agreement or confidentiality agreement would be a good idea. This should include a statement that access to patient records is on the basis of duty of care. You need to pay attention to access controls, so that the practice and the GP accessing patient records and entering consultation notes can be identified. The covering GP does not need patient consent to access the medical record when they are seeing a patient in a locum role, but I think it would be good to advise the patient that they are accessing their medical record. The key aspect of GDPR is 'no
surprises' for the data subject.If you were going to proceed like this, it would be good for each practice to note in their GDPR accountability logs what provisions they had taken to ensure maximum safety and security of patient data for holiday cross cover.

Secure Remote Access

There is a technical information security aspect to this work. I think an IT provider should be engaged to set the remote access up securely and ensure that devices connecting to the practice network are clean. Often the major risk for remote access is that the laptop or tablet connecting has malware or viruses already on the device. You obviously need to test the system before everyone leaves on holidays, to ensure it works. And you need a plan B if the remote access fails during the holiday period and you have a particularly complex patient to look after.

This remote locum access to patient data is in the best interests of the patient and improves the quality of care and continuity of care. When the holidays are over, you need to dismantle the remote access. Remote access is always a potential security hole.