GDPR doesn't apply to receptionists?

Posted 13th Mar 2023

So long story short the school nurse rang us up to confirm if our kids had their MMR injections (something a child receives as a baby). We confirmed yes and rang our surgery to confirm the dates of the injections. The receptionist informed us that the school nurse had already asked and been told those details.
Is that normal to give out that information over the phone to anyone that asks? I mean how would the surgery receptionist be able to confirm the credentials of the person asking?
Surely all medical records should be private?

41 Comments

sorted by

Anonymous User
13th Mar
why are you fighting everyone who tries to help you. if you've got a problem with the school, take it up with the school perhaps?
aLV426 Author
13th Mar
I'm not fighting everyone and no one is helping as all the replies have gone off on a tangent and not answered my question?
darlodge
13th Mar
My childs school ask for agreement to ask the GP about vaccinations to make the school managed vaccinations and reporting simpler.

To my knowledge they aren't allowed to ask about any other medical details, only vaccinations.

Saying that though, schools are trusted in my eyes, they spend 6 hours a day minimum with our children almost unsupervised so I don't see the issue them having access to the child's medical records as it would all be audited at the GP end when their medical record is opened. (edited)
aLV426 Author
13th Mar
I guess it would be relevant information for a "health care professional" to know between the ages 0~5 - not when they are teenagers and not for a school that is not performing vaccinations...
MrMaxPackage
13th Mar
Data sharing agreements are in place as the information is required and necessary. How they share that information would be in the agreement. Request a copy of the agreement…
aLV426 Author
13th Mar
Not for medical records they aren't: nhs.uk/usi…ds/
cookiemonster83
13th Mar
Maybe if you didn't reply to everyone who has taken the time to offer their opinion with an immediate snarky response about how they're missing the point, you'd have had some more help by now.
Gruff__
13th Mar
The school nurse is probably as much a part of the NHS as she is the school. Patient data is routinely shared between various parts of the NHS so that healthcare can be delivered appropriately and efficiently.

If you're worried about this sort of thing you'd be HORRIFIED to discover what information Google knows about your children and who they sell it to.
aLV426 Author
13th Mar
I think you are missing the point - some random person just ran up and asked for the medical details of my kids. I say random as what checks where done? The same performed when we rang up and asked the same question - we were even informed that she had just given those same details to the school?
eayragt
13th Mar
Firstly, you seem to have an issue with your surgery, not the school nurse.

Secondly, school nurses are normally NHS nurses who cover lots of local schools and are probably really well known to your local surgery, so vetting wasn't required.

Maybe your surgery dont have any procedures? Try ringing them and say you're Shiela from school nursing and want some info about you child's records. Get given them and you have a point. Don't and you don't.
optrex10
14th Mar
Mountains and mole hills comes to mind. If their names dobs and addresses had been given out without check fine. But I'm pretty sure that gp surgery know that school nurse, her number would come up on their system when she called. Not sure what you are worried about.. someone randomly calling all go surgeries asking if certain kids have had vaccines? Seems an odd data phishing exercise. Why don't you ask the GP surgery about what checks they do before they give out any info.
bozo007
13th Mar
This seems to say that schools can access. But I may be wrong. (edited)
samosa
13th Mar
Any chance you may have already disclosed this when applying for school admission and perhaps given some permission to reach out to the GP when required?
aLV426 Author
13th Mar
I guess what makes the request strange is the fact that MMR vaccination is something that happens between ages 0~5. They were asking about this for 2 of my kids who are now teenagers! I also do not see the relevence for a school nurse to have this information? What value is there in it?
smith2001uk
13th Mar
It could be that they were upgrading their record systems and needed to be sure what they had on there was accurate. Maybe ask some other parents or guardians if they've had the same call/email. Might shed some light on my theory
Damnyoureyes
13th Mar
They are most probably coming up to their next vaccinations for tetanus diphtheria and polio and meningoccoccal infections and it the next opportunity to get the MMR if they hadnt had it, also with other students coming in that may not have had it to assess class risk of infection spreading to vunerable students?
aLV426 Author
13th Mar
Again - it's not relevant what the detail is for - it shouldn't be freely handed out from the doctors surgery.
Renoir64
13th Mar
I used to work in an area of very sensitive information.
Data sharing agreements, particularly with children are long established practice. In fact they pre date GDPR legislation.
Also it may well be that the school nurse is a NHS employee and could have access to the same database legitimately anyway.

Data sharing is a vital part of child protection. This doesn't mean that your child's record isn't confidential but as a wider society we need to concern ourselves with the vulnerables welfare.

(For clarity I'm not suggesting that there are any issues around your children, rather the opposite I would imagine. From this question you seem to be happy to stand up for them and that is how it should be)
aLV426 Author
13th Mar
The point is I already filled out the form from the school detailing their vaccination levels - it appears the school has since lost those details. I don't know what is more concerning - the fact that they lost those details or the fact that they can simply ring up and ask for them...
The "school nurse" is not part of the NHS, in fact I think I may start questioning her credentials now.
anthea
13th Mar
If you haven't signed to keep your medical records private others outside agencies can access them without you knowing.
Medical Records have been sold to American firm so insurance etc get information on you
aLV426 Author
13th Mar
All data that is collected and shared is protected by strict rules around privacy, confidentiality and security.
Information: We never sell patient data or share it with insurance or marketing companies.

nhs.uk/usi…ds/

I guess I need to ask my question in a more informed forum.
smith2001uk
13th Mar
For fear of being told off for going off on a tangent.. Again. The answer to your question is NO.

No one should be able to call up a GP an get confidential medical records...... Unless they have a data sharing programme setup and you've agreed too. Whether or not the school ringing and GP have a way of authentication we'll never know. Until you go and ask them. (edited)
aLV426 Author
13th Mar
Again - that's not the point - there was no vetting done to the person who called up, thus defeating the whole point of having a process in place to grant permissions. I know this as when we rang up we where told that the school nurse had already asked for that detail - again information that should not have been shared...
tardytortoise
13th Mar
Huge big difference between privacy and secrecy. Medical records can be shared amongst health staff who have a need to know. I would not want some bureaucracy slowing down information exchange. If two people speak to each other regularly in a professional capacity then I am sure it is safe to assume they know each other's voices.
C0mm0d0re_K1d
14th Mar
I have no exact answer to this.

Correct me if im wrong. As far as i am aware, every company or organisation that holds anyones personal information or data are bound by uk data protection laws and gdpr (is only related to the internet, I believe). All personal data held by them can only be revealed to you or any person or organisation you have given permission to.

It seems the CHIS link looks to be how they have access to the information (which I wasn't aware of). If your not happy with that or anything else anyone has said. I would suggest you go and question your gp, the school, the nurse, or go and read data protection and gdpr rules. Alternatively speak to education authorities or citizens advice maybe.

Not all registered nurses work for the NHS, even though they might be registered with the royal college of nursing. My GP surgery uses nurses from an agency for instance. So the school nurse could also be from an agency?

As for NHS data being sold. The only things I'm aware of is that some data was given or sold to some part of Google, and some other organisations like babylon health (who matt handbook used to work for) through NHS Digital or NHS X setup by Matt handcock, when he was heath minister. Some data was sold to Palantir a US data analysis company owned by billionaire Peter Thiel. The government claimed all data was totally anonymised before being handed over, but we only have their word for that hahaha !

You can also go onto the NHS digital site and opt out of data sharing here...

digital.nhs.uk/ser…out (edited)