EMIS move to Amazon Web Services (AWS)
We have been informed that EMIS has sent out a communication to practices which
we believe is potentially misleading. In relation to the plan to move NHS
records to AWS (Amazon Web Services), which the GPC supports, the EMIS
communication states that practices “may wish to inform your patients”. This is
incorrect. It is a requirement under GDPR to be ‘transparent’. Practices must
inform their patients of significant changes to the way their data is
processed, and failure to do so will almost certainly be a breach of
GDPR.
Given the potential sensitivity of moving NHS records to AWS, this seems counterintuitive when GDPR expects openness, transparency and accountability. BMA guidance on GPs’ responsibilities under GDPR states that: ‘Practices must ensure they continue to provide updated information to patients about new data sharing arrangements’. This involves updating practice privacy notices (PPNs), and where practices are able to provide electronic alerts to patients relatively easily, these methods should be used. In practical terms, this means that where mobile numbers or email addresses are held, the practice should use these to make patients aware that new arrangements for data sharing exist and invite them to read the updated PPN. This is set out in the BMA guidance ‘GPs as data controllers’ (see the bottom of page 6, from ‘Ensuring ongoing transparency – keeping patients updated’, to the top of page 8).
The communication also states “and/or undertake a Data Protection Impact Assessment (DPIA)”, which is also incorrect. A DPIA is not an optional alternative to informing patients; it is a standalone mandatory requirement under GDPR that must be carried out prior to any significant or new processing arrangement. If you don’t do a DPIA, you are in breach. However, EMIS have helpfully provided a link to a template DPIA that practices can use. It is acceptable under GDPR to “borrow” or share DPIAs where the changes apply equally to many parties.