NHS regional administrative staff are to gain GP-practice access rights on their chip and pin smartcards, allowing them to view confidential patient data on new national systems.
Warwickshire Primary Care Trust has written to GPs asking for consent to register smartcards for regional administration staff as if they worked for the local GP practice.
Paul Cundy, joint chairman of the British Medical Association's GP IT Committee, said, it "makes a nonsense of IT security" to allow regional administrative staff who are not involved in the care and treatment of any specific patient to have GP-practice smartcard rights on national systems.
Some doctors are concerned that it will establish the principle of regional administrators operating as GP practice staff on system security. Administrator smartcards will then provide access to confidential patient information stored on systems that are being installed under the £12.4bn National Programme for IT (NPfIT).
Hundreds of thousands of NHS staff are being issued with smartcards. Those with appropriate access rights will be able to access a database of 50 million electronic patient records being built as part of the NPfIT's Care Records Service.
A Warwickshire GP, Paul Thornton, who has written papers on data security in the NHS, said the request from the trust weakens the principle of role-based access controls, which are supposed to give NHS employees smartcard access to only the data they are entitled to see.
Administrative staff will be able to use their smartcards to access the NPfIT's Choose and Book system and view information that sets out a GP's reasons for referring a patient to a hospital consultant.
A letter from the Warwickshire trust to local GPs asks them to sign a statement that says, "I hereby authorise Warwickshire Primary Care Trust to register the Referral Information Centre's staff smartcards to our [GP] practice solely for the purpose of extracting referral information."
Lucy Noon, Corporate Services Manager at NHS Warwickshire, said that GPs are committed to providing them with information on patients who are referred to consultants.
"This access is supported by the Local Medical Committee. It is important to allow the trust to provide information on referral patterns to practices."
A spokesman for NHS Connecting for Health, which runs the NPfIT, said, "It is an information governance and business process matter for the trust. Moreover, it is current practice for administrative staff to have access to patient records, encouraged by GPs."
Read the full story on Tony Collins' blog
Read more on IT risk management
Hospital catering staff were given access to confidential patient information held on a £54m health service record system which is being rolled out across...