Security concerns hit Scottish cervical cytology system

06 Feb 2007

The roll-out of a national cervical cytology screening system for Scotland could be delayed after GPs discovered that practice staff would be able to view the test results for all women in Scotland.

The gaping hole in the security of the Scottish Cervical Screening Call Recall System has only just emerged, just months ahead of a national launch date of 1 May.

Dr Stuart Scott, joint deputy chairman of the British Medical Association’s General Practitioner Committee, said the failure of the system to protect patients’ confidentiality became apparent during testing of the system a couple of weeks ago.

He told EHI Primary Care: “Anyone who has a log in for the system can see the results of all patients’ in Scotland rather than just the results of those patients registered at their practice. It’s completely unacceptable.”

Dr Scott said the Scottish Executive Health Department had put the rollout of the SCCRS on hold as soon as the potential confidentiality breach was discovered and was now working on a solution.

Dr Scott added: “They are hoping that they can get this resolved quickly.”

The SCCRS developed by NHS National Services Scotland (NSS) will replace a mixture of call and recall systems for cervical cytology currently used in Scotland with some GP practices using their own clinical system’s call and recall programmes while others rely on call and recall programmes run by their health board. The SCCRS had an original roll-out date of December which was then put back to 1 May, and could now face further delay if the confidentiality concerns cannot be addressed in time.

Dr Brian Robson, medical director for e-health at NSS, promised last week that the issue would be dealt with before the system was rolled out across Scotland.

He told BMA News: “This is not an acceptable situation. I can give an assurance on behalf of National Services Scotland that SCCRS will not be launched until this is sorted out.”

A Scottish Executive spokesperson told EHI Primary Care that all staff accessing cervical screening data are bound by professional and NHS codes of conduct and must comply with NHS Scotland rules on patient confidentiality and that access to cervical screening data is password protected for authorised users only.

She added: "We understand NSS, who oversee the Scottish Cervical Screening Call Recall System, have met with GPs to discuss their concerns with administrative staff having access to data and they are taking forward work to resolve this issue. The new call/recall system currently remains on schedule to be implemented throughout Scotland on 1st May 2007."

Dr Scott said the GPC has also raised concerns that the system that would be initially implemented in Scotland was web-based rather than integrated into GP IT systems. He said work had now begun to speed up the introduction of an integrated version although it would not be ready for the proposed May launch date.

He added: “We don’t want the benefits of a centralised call and recall system to be put on hold while that arrives but it should be ready some time over the summer.”

Reader's Comments

Whats the problem

06 Feb 07 14:56

Whats wrong with the admin staff being capable of accessing the data of patients not at their practice? If NHS staff are to be believed, then the staff will not access data they should not because that would be a sackable offence.

The proposed national database in England (they already have one in Scotland and are planning on expanding it) will give all users (including the same admin staff) access to data on patients not at their practice. From where I am standing it seems double standards that these results should be treated any differently to whether or not the same patient had thrush 3 years ago.

English lesson

07 Feb 07 09:37

This could never happen South of the border.

England's NPfIT will implement legitimate relationships and sealed envelopes prior to clinical information going onto the Spine won't they?

English lesson?

07 Feb 07 10:10

Was that a pig I saw flying by?

Practical problems too

09 Feb 07 16:35

This is part of the connundrum of confidentiality. Patients move, go on holiday, fall inconveniently ill outside their own parish.

Measures to provide perfect Information protection will also get in the way of smooth healthcare delivery. I am not advocating a free for all, but it would be good to have some recognition that NHS staff are mostly dedicated to treating patients, and respecting confidentiality, and will have legitimate reason to find results for patients standing in front of them. And there are HR processes to deal with exceptions. More so for administrative staff than errant doctors it has to be said.

The complicated maze being produced for England is proving increasingly unworkable, and slow. Audit trails and confidentiality agreements are a lower tech way to enforce good practice.