Rules Navigator

New patient data bill brings NHS staff use of WhatsApp into focus

A hand holding a phone with the WhatsApp application.
Certain firms discourage using WhatsApp for official communication. Photo: Gado/Getty Images

Hameed Shuja

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

Better communication within the NHS is a key challenge, but what of the balance between patient care and privacy?

A new bill aimed at making “patients’ data easily transferable across the NHS so that frontline staff can make better informed decisions for patients more quickly” was introduced to the British parliament on Wednesday 23 October. The move casts fresh light on staff use of WhatsApp to share patient data.

According to a government press release, the Data Use and Access Bill will help in “freeing up 140,000 hours of NHS staff time every year, speeding up care and improving patients’ health outcomes.”

The sorry state of affairs within the UK’s national health agency has been an achilles heel for most recent governments. Commenting on the bill, Health and Social Care Secretary Wes Streeting said: “The NHS is broken, but imagine its enormous potential if each part of the system communicated properly with each other.”

The proposed legislation reaches parliament at a time when the NHS has come under scrutiny due to staff using social media platforms such as WhatsApp for official communications.

Wild west for data

A recent report in the FT said, “NHS doctors and nurses routinely use WhatsApp to share confidential patient details, test results and medical documents, prompting experts to warn of a “wild west” for data.”

A senior consultant based in London is quoted as saying, “I’ve got nurses, junior doctors and senior consultants all in this one group, using WhatsApp on their personal phones to do the work we do.”

Staff have said the NHS’s existing IT systems are slow and outdated, which makes it difficult to complete certain tasks at a faster pace. The use of WhatsApp by NHS staff for work communications has remained an issue for a while now. Multiple breaches over the years have resulted in warnings and reprimands.

Messaging apps

In 2020, the government published guidelines allowing staff to use messaging apps “to discuss patients and in case of an emergency.” But they came with a warning that staff should always ensure confidentiality of personal data.

But just last year, the Information Commissioner’s Office (ICO) reprimanded a local NHS body for allowing “personal information such as patient names, phone numbers and addresses” to be shared by 26 staff members on more than 500 occasions.” The breaches took place at NHS Lanarkshire, according to reports.

An NHS doctor told the FT: “It will take one high-profile data breach, drug error or a patient death, for the public to learn how big the issue is, and to effect cultural change among medical professionals.” 

“If you’re a criminal who’s trying to steal a bit of money from just anybody, we’re a big chunk of that.”

NHS cybersecurity experts

With this new bill, the government says “data will only be shared to the most relevant staff and anybody using data must comply with strict security protocols.”

It will also “ensure important data flows safely and securely through the NHS, freeing up staff time and speeding up patient care.” For that to happen, everything will be stored in a single patient database on the NHS app.”

External risks

But concerns are not just limited to who has internal access to people’s data on the NHS system. In today’s digitally connected world external actors can also sometimes pose a threat, either directly or unintentionally.

Data privacy campaigners have warned that the creation of a single large database which holds key personal information about millions of people can be vulnerable to serious cyber attacks by criminals.

The NHS’s own cyber security experts have also highlighted such threats. They believe the agency is a high-value target for cyber criminals because it has “a large cyberattack surface,” is a large sector, employs a lot of people who use a lot of devices, and is therefore vulnerable.

According to one NHS expert: “If you’re a criminal who’s trying to steal a bit of money from just anybody, we’re a big chunk of that. They will just hit the system, take control and demand payment because we’re there, we’re connected and we’re vulnerable.”

The government says: “Vital safeguards will remain in place to track and monitor how personal data is used, giving peace of mind to patients and victims of crime.”

“The NHS is broken, but imagine its enormous potential if each part of the system communicated properly with each other.”

Wes Streeting, Health and Social Care Secretary

But some are against the very idea of the government or NHS having unrestricted access to or control over people’s personal data.

The Open Rights Group, a UK-based digital rights organization, says it wants to stop the government and private agencies from using the private data of millions of people “to prevent the harms that can result from data misuse.”

It has also criticised the Information Commissioner’s Office for the way it has dealt with data privacy breaches, accusing it of having “a poor track record of issuing weak reprimands instead of fines and acting as a critical friend to government.”

Time for crackdown?

Regulators around the world have already started their crackdown against the use of off-channel messaging apps for official communications. For example last year, “Wall Street paid $1.8 billion in fines after traders used banned messaging apps”, according to reports.

Other reports around this time last year suggested the UK’s FCA could be “mulling its own probe into how traders use tools like WhatsApp.”

And it seems like the UK government is also finally taking steps. As a start, the newly proposed bill comes with the suggestion of a “revamped Information Commissioner’s Office, with a new structure and powers of enforcement – ensuring people’s personal data will be protected to high standards.”

There are also proposals “to boost the UK’s approach to tackling online harms through a power to create a researcher data access regime.” The regime is meant to collect “evidence on the scale of online harms and the measures which are effective in tackling them,” according to the government’s press release.

There is a certain degree of backlash too. Two other recent pieces of legislation by the government, the Online Safety Act and the Investigatory Powers Act, have been criticised for posing a threat to the security of messaging apps. Doctors have also warned that banning messaging apps such as WhatsApp will mean “patient care will suffer.”

But at a time when NHS resources are being stretched to a breaking point, the government’s first priority is to handle that crisis first. As things stand, the urgency around treating patients seems to outweigh concerns about their personal data.

, , , , , , , , , , , ,

You may also like