Is this normal? Nhs employees

[Chiefspidercatcher]

I don't think it is. Or it shouldn't be.

I work in a GP practice. Not long started.

I've witnessed a newbie given a 'spare' smart card (which belonged to a colleague on leave, a spare for them sonehow the practice manager has) to access eg emis while training before newbies own smart card arrived.
So colleague was on leave but there's logged actions throughout the system that they eg ordered prescriptions, blood tests etc as their smart card was used.

I had a patient complain earlier this week about a request not done from a week prior. I checked the system & was shocked to see my own name logged as the person cancelling their request. I didn't remember doing this & am v careful. When I got home later I checked my shifts & I wasn't in work when it was done so someone must have a spare smart card for me & be accessing the system using my profile.

I feel like the risks & ramifications are huge.

Am I overreacting? Does this go on?

I'm trying to decide how to proceed. I'm concerned about patient security & confidentiality being compromised. Also the risk of reputational damage to me or anyone else whose card is being used by someone else for goodness knows what.

I think the PM is likely the one who has the spares & letting certain ppl access them. However we are a small practice & she'd also be my point of contact to raise issues to so I'm not sure which way to move forward. ICO suggested whistleblowing. Has anyone else been in a similar position?

It's absolutely not normal. Huge breach of information governance.

I'm very surprised that 2 smart cards can be active at the same time for same person!
Yes this is complete no no. I've once had to add notes for a colleague as she was called out of work on an emergency but managing to email them to me to add to record, but I very clearly explained in the electronic notes that I did not see the pt but was just adding the notes.

I'm really surprised too. But I can assure you it must be possible because I've seen the newbie using the persons on leave, and saw the persons name who was on leave all over the system (tasks, bloods, prescription req). And my own name against an action I didn't do at a time I wasn't working.

I'd be in major difficulty if someone used it to do something bad when I was in work. I'm not sure it'd be possible to fully prove it wasn't me in that scenario.

I would assume that the pass code has to match the login id being used for that card at that time? I would change anything you can and not to anything others could guess. I'd hope that would render the other card useless.

Also, I know you said it takes 14 weeks to get an investigation going but if that means it wouldn't start till after you'd gone, that might actually be helpful. I would be looking for a new job you could start ASAP in any case.

This is not right. Check if you have a named ‘Freedom to Speak Up’ guardian. If you have one speaking to them would be a good place to start

It's a great idea & I already have a new job offer! Just waiting for due diligence to complete before I can hand my notice in.

Every contact for everything is the PM. Where do you go when they are the problem.

Found this
https://digital.nhs.uk/services/care-identity-service/smartcard-and-authentication-users/change-your-smartcard-passcode#:~:text=To%20change%20your%20passcode%2C%20put,boxes%20and%20select%20'Confirm'.
to change passcode so will do that nxt time I'm in & hope it covers all access.

This sounds extremely dodgy. I'd be majorly freaked out.

There should be an IT department for the CCG who deal with this, not an IT department at the surgery. Could you phone the emis helpline number which is on your desktop homescreen and see if they can help put you in touch with IT. If it was me I wouldn't care if the other receptionist knew that I have done this.

I know you are leaving soon but as everything is auditable there will be entries etc under your log in. I haven't used emis for a few years but I think there may be an icon on your desktop for changing your smartcard log in pin, I could be thinking of something else though.

Sorry cross posted. I'm pleased you have found how to change your pin.

Can you “lose” your card so the PM has to give you your spare?

Personally I’d ask her about the prescription cancellation, say you didn’t cancel it (you weren’t working) and yet it shows as cancelled by yourself? There must be a second card in use by someone else and so you'd like to take it so that you have both your cards in your possession.

I think actually this is commonplace although it’s absolutely against policy and you can very much whistleblow about it and you should be taken seriously. A friend has been disciplined for something similar (not GPs) although she is adamant it’s commonplace in order to be more efficient.

EX NHS manager here who used to work with GP's a lot. Not normal or right but did you know that GP's are not NHS employees? So far as I am aware, all practices are privately owned. GP's are contractors. The person you'd normally go to about this would be the practice manager but it sounds like that won't help. The only thing I can suggest is that you try and contact someone in data management from one of the hospitals used by your patients. The person who is at the top of the responsibility tree is called the Caldecott Guardian and a letter or email to them or their office should set a bomb off. Google How to to contact a Caldecott Guardian for more info.

That’s what I was thinking.

At least then you could keep it with you at all times and know you were “safe” until you leave.

Phone IT yourself there isn't one in the practice but all IT is run through the health board (or equivalent where you are) . In Scotland our system didn't have smart cards but all individual log ins. We were not allowed to share. Sometimes locums spent ages in the phone to IT if their logins failed to work. IT would not tell PM your code.
Tell senior partner. I used to have this role and my door was always open to staff with concerns.

That's awful!!! That's a huge breach - definitely whistleblowing territory I'm afraid.

Definitely, 100% not ok. Given accessing patient data without cause is a criminal offence and there are records of who’s viewed what it also opens whoever’s card it is up to risk if someone uses their card to look at something they aren’t supposed to.

There may be a IT service desk that covers the local area. In the trust I work for, the contact details are on everyone's desktop background.

It's definitely wrong and needs flagging above the practice manager.

Are you able to get evidence that this is happening?

This is awful and would be gross misconduct where i work.

And that’s without even considering WHY someone has used YOUR login to anonymously cancel a request against a patient’s wishes?! Something very suspect there. Could anyone know you’re leaving and have it in for you??

@Chiefspidercatcher using someone else’s credentials to login is fraudulent. In most places it would be a sackable offence/gross misconduct.

Perhaps the way to handle it is to ask ‘how come these transactions are recorded against my ID when I wasn’t in the office, wasn’t working and had my card in my possession?’

@Chiefspidercatcher what @godmum56 said

This is against all NHS GDPR, information governance and data security policies. You need to report it. I would also suggest you ask for the spare smart card that is in your name so that it can’t be used again. If there’s a patient incident and your names if flagged then unless you can prove you weren’t on shift then you could find yourself in a sticky situation (although I’m unsure how they are using it without your password/PIN number).

This is massive. You do need to report to protect yourself, and need to report as duty of care within your role. You need to be defensive in how you do this.

In an NHS Trust you would definitely use freedom to speak up guardian for whistleblowing.

You could email (so in writing) the PM copying in senior partners and your union rep. This would mean you have followed correct procedure but also means it cannot be covered up by the PM. Include precise dates and times as your evidence (screenshots may not be possible) as this is how an HR investigation would be conducted. Be utterly factual, do not include supposition or hearsay, but just state the known facts about your own case (evidence things were entered under your name whilst your were away, precise dates and times, you can name the patient this happened for - they will search the system for this evidence after).

We are all given a passcode when PM sets us up with smart card that relates to the long number on the card. So we can all use each others in effect by reading the digits we all know the PM uses to set up, unless others have changed their codes.