Is this normal? Nhs employees

[Chiefspidercatcher]

I don't think it is. Or it shouldn't be.

I work in a GP practice. Not long started.

I've witnessed a newbie given a 'spare' smart card (which belonged to a colleague on leave, a spare for them sonehow the practice manager has) to access eg emis while training before newbies own smart card arrived.
So colleague was on leave but there's logged actions throughout the system that they eg ordered prescriptions, blood tests etc as their smart card was used.

I had a patient complain earlier this week about a request not done from a week prior. I checked the system & was shocked to see my own name logged as the person cancelling their request. I didn't remember doing this & am v careful. When I got home later I checked my shifts & I wasn't in work when it was done so someone must have a spare smart card for me & be accessing the system using my profile.

I feel like the risks & ramifications are huge.

Am I overreacting? Does this go on?

I'm trying to decide how to proceed. I'm concerned about patient security & confidentiality being compromised. Also the risk of reputational damage to me or anyone else whose card is being used by someone else for goodness knows what.

I think the PM is likely the one who has the spares & letting certain ppl access them. However we are a small practice & she'd also be my point of contact to raise issues to so I'm not sure which way to move forward. ICO suggested whistleblowing. Has anyone else been in a similar position?

I'm an nhs podiatrist and I can tell you that this is ABSOLUTELY not allowed and needs to be reported.

You really need to get that passcode changed a when mine was set up I was asked to put a code in whilst the person setting it up looked the other way so no body knows my passcode or has any reason to.

That is awful. When I have worked with smart cards the first swipe of the day still needs a name and a password used. It has then worked as fast access into the system multiple times that day (sometimes requiring a password input if you have been away for too long. )
The same smart card could absolutely be used by someone else a different day. But they would need to enter a user name and password at the start again.
You should 100% never be in a situation that someone can log in as you though. That risks massive privacy breaches that would land in your lap.
Good luck figuring it out.

This passcode practice also needs reporting.

It's scary how lax the behaviour is.

Every practice is obliged to have a data protection officer. That person is usually supplies by your local ICB.

If you contact your ICB's data protection team they will be able to locate the relevant person for you. You can often do this through an FOI email address if you can't find anyone else as they tend to sit in adjacent teams if not the same team.

As a HCP in a GP practice this is an absolute and utter no go. If needs escalating. If they're doing that, god knows what else is going on!

Reading back through this is absolutely and utterly wrong on so many levels.

No one should ever be able to use your smart card or know your login pin.

Please, please whistle blow. For the patients sake.

Log it as a whistleblower - at least there will be a paper trail. Also if in England the Cqc could be advised.