NHS Lanarkshire rapped over patient data shared on WhatsApp
Information Commissioner’s Office (ICO) issues formal reprimand to the Scottish health board after patients’ names, phone numbers, images and video were shared more than 500 times.
NHS Lanarkshire did not have the appropriate policies, clear guidance or processes in place in using the messaging service WhatsApp, the ICO concludes in a full, eight-page reprimand that sets out exactly what occurred – and what data laws were breached. The reprimand has been made in accordance with Article 58 (2)(b) of the UK General Data Protection Regulation (the UK GDPR).
Photo by tungnguyen0905
Over a two-year period up to April 2022, some 26 staff at NHS Lanarkshire had access to the WhatsApp group on which confidential patient data was entered on at least 533 occasions. This data included names, addresses and phone numbers and addresses. Images and video were also included, such as screenshots containing clinical information.
At the start of the Covid 19 pandemic, authorisation was given to use WhatsApp to share basic information about patients, supporting the delivery of health services during lockdown. But staff members were not authorised to use the app to share data of more confidential nature and did so without the authority or knowledge of NHS Lanarkshire health board.
The result was three specific breaches of UK GDPR:
- Article 5 (1)(f), where personal data must be ‘processed in a manner that ensures appropriate security’
- Article 25 (1), where the ‘controller’ of such data must ‘implement appropriate technical and organisational measures’ for sharing and use
- Article 32 (1), where ‘appropriate technical and organisational measures’ must be implemented ‘to ensure a level of security appropriate to the risk’
The ICO also noted a delay in the issue being reported. What’s more, someone who was not a member of staff at the health board was accidentally added to the WhatsApp group. This resulted in the inappropriate disclosure of personal information to an unauthorised individual.
Faults were identified in the wider organisation, such as that there had been no assessment of potential risks in sharing patient data in this way.
The ICO recommends that NHS Lanarkshire take action to ensure their compliance with data protection law. This includes:
- Review of all organisational policies and procedures relevant to this incident
- Implementation of a secure system for the transfer of clinical images and wider exploration of how images and videos are stored within a care setting
- Risk assessment relating to personal date before new apps are deployed, including the ability to assess and mitigate risks in any approval process
- Explicit communications, instructions or guidance for employees on their data protection responsibilities when such apps are deployed
- Ensuring all staff are aware of responsibilities to report personal data breaches without delay
NHS Lanarkshire is expected to report on the actions it has taken over the next six months.
John Edwards, Information Commissioner, says: ‘Patient data is highly sensitive information that must be handled carefully and securely. When accessing healthcare and other vital services, people need to trust that their data is in safe hands.
‘We appreciate that NHS Lanarkshire, like all healthcare providers, was under huge pressure during the pandemic but there is no excuse for letting data protection standards slip.
‘Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to both messaging apps and processing information about patients. We will be following up with NHS Lanarkshire to ensure that patient data is not compromised again.’
In related news:
Opinion: It’s time for managed services to start delivering for users
Leave a Reply