NHS Lanarkshire has been reprimanded by the UK Information Commissioner’s Office (ICO) after findings that staff had been sharing patients’ personal data over WhatsApp for a two-year period.
Between April 2020 and April 2022, patients’ data was posted over 500 times in a message group that 26 NHS Lanarkshire staff members had access to. The shared data included patients’ names, phone numbers and addresses, as well as images, videos and screenshots containing clinical information.
“Patient data is highly sensitive information that must be handled carefully and securely. When accessing healthcare and other vital services, people need to trust that their data is in safe hands,” said John Edwards, Information Commissioner.
On one occasion, a non-staff member was also added into the group.
Data sharing
While the app was available for work communication, it was not approved for handling patient data, and the data was shared without the organisation’s knowledge. When NHS Lanarkshire learned of the data sharing two years later, it self-reported the incident to the ICO.
“We appreciate that NHS Lanarkshire, like all healthcare providers, was under huge pressure during the pandemic but there is no excuse for letting data protection standards slip,” Edwards said.
The ICO’s investigation found that NHS Lanarkshire did not have proper policies, clear guidance or processes in place when WhatsApp was made available. There was also no assessment of the risks of sharing patient data through the app.
Data protection law
With the reprimand, the ICO also recommended that NHS Lanarkshire take action to be compliant with data protection law by:
- considering implementing a secure clinical image transfer system;
- reviewing the risks relating to personal data before using new apps, including the requirement to assess and mitigate those risks;
- making sure that explicit communications, instructions or guidance are issued to staff on their data protection responsibilities when new apps are deployed;
- reviewing all policies and procedures connected to this incident and amending them where needed;
- ensuring that all employees are aware of their responsibilities to report personal data breaches internally.
NHS Lanarkshire has also been asked to provide an update on the actions it has taken within six months.
“Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to both messaging apps and processing information about patients. We will be following up with NHS Lanarkshire to ensure that patient data is not compromised again,” Edwards added.