For patients not fully registered (for example those who are newly registered whose detailed records have not yet been received, transitory patients or temporarily registered patients) healthcare staff in GP Practices will benefit from having access to their SCR in order to treat the patient appropriately whilst waiting for more information to be received.

In order to view an SCR, healthcare staff must use their NHS Smartcard, have a Legitimate Relationship with the patient and also obtain the patient's permission to view their SCR.  For fully registered patients, a Legitimate Relationship exists by virtue of them being fully registered and Permission to View does not apply since the SCR will not contain any data that the GP Practice does not already possess.  However, for non- fully registered patients, a Legitimate Relationship must exist and the patient's permission to view will need to be asked.

GP IT system suppliers are in the process of developing the functionality to allow GPs to view SCRs for non- fully registered patients within their existing GP IT systems (i.e. integrated SCR viewing).  Practices will be made aware by their system supplier when this is available.  Until such time, GP Practice clinicians will need to use the SCR Application (on the Spine web portal) in order to view SCRs for non- fully registered patients.

Processes for viewing the SCR in GP Practices for patients not fully registered

This section provides guidance on how GP Practices can view SCRs for patients not fully registered, including the appropriate creation of Legitimate Relationships (LRs) and necessary work processes, as well as the Practice and PCT responsibilities. There are two approaches through which a GP Practice can view SCRs – one will work best for large GP Practices, the other will work for smaller GP Practices.

1. Large GP Practices

When a patient presents themselves for treatment to a large GP Practice, where role separation exists between the GP reception or administrative staff who create the LR and the clinician who will view the SCR, a self referred legitimate relationship should be used to allow SCR viewing, as well as the patient's permission to view.

Where GP Practices have integrated SCR viewing within their GP IT system, the self referred LR will be automatically confirmed by the system. If the GP Practice is using the SCR Application, the administrative staff will need to manually confirm the LR using the ‘Select for Care' button, on behalf of their workgroup (which will be set up by the Registration Authority as part of the implementation).

When a self referred LR is confirmed, no alerts are generated because of the role separation between confirming the LR and then viewing the SCR (unless the permission to view is over-ridden).

If any alerts are generated because permission to view has been overridden, they should be investigated by either the GP Practice privacy officer or the local PCT privacy officer (or both if the PCT privacy officer is copied into the alert notification or has sufficient RBAC rights on their smartcard to run audit reports for the GP Practice).

2. Small GP Practices

When a patient presents themselves for treatment at a small GP Practice, where role separation between staff members is not possible, a self claimed legitimate relationship should be confirmed before viewing the record, as well as permission to view. This requires health care staff to confirm their own LR (as opposed to having it created for them) and this type of LR should only be used when there is no role separation possible. The decision to use self claimed LRs should be decided in conjunction with the local PCT to ensure a fair assessment is made of what type of LR to use. Self claimed LRs will generate an alert to be reconciled with local records every time one is created (as well as when permission to view is over-ridden) to ensure no records are accessed inappropriately.

These alerts should be investigated by the local PCT privacy officer as an audit measure for smaller practices.

Deciding Which Approach to Take

In order to decide which approach to take, the following points should be considered:

1. Whether the GP Practice is of a sufficient size to allow role separation.
2. Whether the GP Practice has an appropriate Privacy Officer function to manage the creation and maintenance of workgroups (when required) and to monitor alerts.

This discussion must occur between the GP Practice and PCT prior to SCR Application being deployed. As noted, each GP Practice can have its own privacy officer, as can each PCT and how the responsibility is distributed between these needs to be a local decision.

Once this decision is reached, the agreement should be formalised in order to empower the PCT privacy officer where necessary, to audit the alerts and have the relevant organisation codes assigned to their smartcard.

More detailed information on the different types of LR and more information on how to monitor and reconcile alerts is available on the following pages:

• Different types of LR
• Information on how to monitor and reconcile alerts

Privacy officer overview training can also be found on the SCR training pages.

In all cases, the relevant training is to be undertaken to ensure the privacy officer and end users are aware of their responsibilities both in viewing SCRs and monitoring appropriate access. Where the GP Practice wishes to undertake the role of privacy officer, there also needs to be strong links with the PCT Caldicott Guardian for guidance, where needed, and agreement of the GP Practice model.

Further Points for Consideration

1. If the PCT privacy officer monitors the alerts generated by a GP Practice, the PCT privacy officer would have to have a role added to his smartcard for each organisation he is expected to monitor.  If that PCT privacy officer was auditing multiple GP Practices, then the alert notification process may not be the most efficient way of monitoring alerts as the individual GP Practice is not identified in the notification.

In these instances, the PCT privacy officer is advised to run regular audits using the TES Alert Viewer of each organisation and monitor the alerts that way, using the different organisational profiles on their smartcard.

2. A GP Practice Privacy Officer will have the ability to view who, where and when the patient has had their SCR viewed. It is not appropriate for GP Practice Privacy Officers to use these abilities to track where the patient has been treated outside of that practice unless specifically requested to do so by the patient as part of a subject access request under the Care Record Guarantee.

3. As part of implementing SCR viewing in a GP Practice or PCT, attention should be given to current IG policy and any existing policies and procedures affected by accessing the records should be updated accordingly to give instruction to users.