"Confidentiality, Data security,patient safety, problems of accountability"

About: NHS Ayrshire & Arran

(as the patient),

In January 2008 I vistited my GP to arrange a surgery appointment. Despite having been a patient for 14 years I was informed I was not registered there. It appears that without my knowledge or consent my records had been transfered to a GP with whom I had no relationship. Consequently I feel that my confidentiality was fundamentally breached, my records were not available to support my health care and I had been deprived of services to which I was other wise entitled including cervical cancer screening. I was placed in fear of my life since at the point of discovery instead of being up to date as I had thought, I had actually missed 2 screenings and was suffering from a gynacological conditon.

The GP failed to respond to my initial complaint, his staff arranging for NHS NSS to respond. No significant event analysis was produced until 11 months after the issue had come to light. I think that the "Analysis" was of such poor quality and flawed logic that it concluded that a "misassociation" concerning the registration of a patient in Manchester, was responsible for the data security breach of my medical record and registration details; me being a patient in Scotland. In short it was attributed to an erroneous request rather than erroneous surrender. I don't believe there was an attempt to test or analyse their own procedures.

4 years after the event came to light I believe that the GP has still made no referral to his Caldicott Guardian, the NHS Ayrshire and Arran have yet to conduct any enquiry into the data security breach, NHS NSS have produced a partisan review which failed to measure procedures against "need to know",GMC guidelines or Data protection Act schedule 3 provisions. In my opinion NHS NSS responses have ignored and side stepped these issues .

I have, however, discovered that the GP's I have been in contact with seem procedurally blind to the reason for "deduction" from their lists. On what basis then can they form a judgement relating to "need to Know" GMC guidlines or compliance with Data protection Act schedule 3? It would seem to me that they are procedurally obstructed in the discharge of these legal and ethical obligations.

Do you have a similar story to tell? Tell your story & make a difference ››