Over the past few months, one of the most significant shifts we’ve seen in primary care is the move towards GP practices becoming commissioners of their own IT software and digital systems. On paper, this sounds empowering: local autonomy, the freedom to choose systems that truly meet our needs, and the potential to innovate at the practice / PCN / federation levels.
But as many of us discussed during my two recent conference presentations at Best Practice Birmingham, the reality feels far more complicated, and I don't just mean how do we fund it!
Where’s the Guidance?
While NHS England continues to stress the importance of having a Digital Clinical Safety Officer (DCSO) in every organisation, the availability of this essential training is minimal. If you go digging on NHS England’s Digital Clinical Safety training page, you'll see there are only a handful of online or face-to-face training sessions (currently priced at £475). However, at the time this blog was written, they were all fully booked!
The difficulty here is that whilst there has always been a need for a Clinical Safety Officer (CSO), the digital aspect is becoming increasingly important. It can be difficult for ICBs to navigate this landscape, let alone individual practices.
In my research for this blog, I was made aware of at least one ICB that is unable to sign off on anything AI-related because they do not know how to assess it accurately. Whilst this was shocking to hear at first, on reflection, I fully understand that decision.
This lack of definition leaves commissioners (including practices) caught in the middle, expected to take on greater responsibility but without the necessary infrastructure or governance to back it.
A Generation Behind
New staff to practices nowadays may not know a world pre the modern internet. To them, social media has always existed, and we can get an instant weather report by speaking to a smart device! This brings a unique outlook to our workplaces, where staff want to engage in technology far greater than ever before.
As a result, it’s not that practices are reluctant to move forward; quite the opposite. Many of us are eager to embrace new technologies, explore AI-assisted tools, and modernise our digital systems. But it often feels like the governance around these tools belongs to a different era.
Take Copilot, for example - now embedded within the NHS’s Microsoft 365 accounts. Naturally, practice teams are curious: can we use it to help streamline administrative work, summarise documents, or draft patient letters?
Whilst some guidance is available, it seems to be buried! For example, a question was recently raised to me about whether we can reference sensitive protected data when using Copilot (e.g., patient-identifiable data). For instance, a practice wishes to review their frequent DNAd appointments and ask Coplot to organise the data so that the frequent attendees are shown for each appointment type.
My initial thoughts were that, as Copilot runs on the same Microsoft platform we’ve safely used for years to manage and process patient information, it shouldn’t be a problem. Besides all this, NHS England was the one who added Copilot to our Office 365 programmes, so it must be fine, right?
However, buried in the Copilot documents is the M365 Copilot Acceptable Use Policy. This document goes on to advise that we should NOT include sensitive information when using Copilot. Whilst it does expand on this further, there is a risk that practices will wrongly presume that, as the tool is there, it is safe to use!
This highlights a deeper issue for me: technology is evolving faster than our digital governance frameworks. We have always known this, but now we face a significant risk of making an innocent administrative mistake with our software (and, in this case, the software we have been provided). As a result of these mistakes, our practices could be exposed to a data breach or, worse still, patient harm.
The Need for Clarity and Collaboration
As practices step into this new world, there’s a real need for national clarity, shared learning, and practical guidance. Otherwise, each practice risks reinventing the wheel, or worse, being penalised later for making well-intentioned but non-compliant decisions in the absence of clear rules.
I’ve come across a lot of guidance advising to speak to your local area team, but as highlighted above, we are now in a postcode lottery for IT services and governance.
At Perfect Your Practices, we’ll continue to seek clarity from NHS England and share updates as soon as they become available. In the meantime, I’ll also be producing content through our social channels, especially on our new YouTube channel, where we’ll unpack what these changes mean for real-world GP practice management.
If you’ve faced similar challenges or uncertainties, I’d love to hear from you - because, as practices, we’re all navigating this new digital landscape together!
Comments ()