Staff at NHS Lanarkshire – which serves over half a million Scottish residents – used WhatsApp to swap photos and personal info about patients, including children’s names and addresses.
Following a probe, the UK Information Commissioner’s Office (ICO) has now issued a heavily redacted official reprimand to the organization, which oversees three hospitals plus clinics and more across rural and urban Lanarkshire in the Central Lowlands of Scotland. It said a group chat created in March 2020 – just as the UK government issued the first COVID lockdown – was in breach of Article 58 of the UK GDPR.
It did not recommend a fine, recommending instead an overhaul of the healthcare group’s data protection practices, but the document, an official reprimand [PDF], is nonetheless eye-opening.
Information was shared between 26 staff for more than two years – from 1 April 2020 to 25 April 2022 – over hundreds of entries within the WhatsApp group that included adult and child patients’ names, plus hundreds of patients’ phone numbers, many dates of birth, and at least 28 home addresses, “15 images, three videos, and four screenshots.” Some of this info included clinical information, and therefore “special category” data in breach of Article 9 of the UK GDPR.
The staffers were using copies of WhatsApp downloaded directly via NHS Lanarkshire’s portal on their work phones, it emerged, but someone, whose name was redacted, was added to the group “in error.” That “unauthorised individual” was given access to “four students’ names and student numbers, one child’s name, and two children’s names and addresses.”
The ICO noted that since WhatsApp stated it was an encrypted platform, staff thought it would be secure. This, the watchdog said, “demonstrates that information governance expectations regarding WhatsApp were not understood by staff involved in the WhatsApp Group.”
Staff were using WhatsApp from their work-issued phones, which were subject to security controls. At the height of COVID-19 lockdowns, clinicians trying to exchange info to treat their patients could hardly be compared to certain prime ministers saying they’ve forgotten their iPhone passcodes or bankers discussing trades off the books on forbidden platforms. Nevertheless the ICO considered that NHS Lanarkshire’s policies “should have been more specific to prevent an incident such as this occurring.”
As mitigation, the document also states that “in terms of photographs and videos, no staff would have access to this in normal practice as there is no secure clinical image transfer system in NHS Lanarkshire and no screenshots of clinical records are permitted.”
Many of the staff concerned were working remotely because of COVID lockdowns.
The watchdog said policies did not clearly reference messaging apps like WhatsApp and “there was no specific policy in place directly for WhatsApp.”
The ICO said the organization should have completed a “risk assessment prior to making WhatsApp available to download via NHS Lanarkshire’s portal, to identify any potential risks relating to personal data such as the risk that staff use the application to inappropriately share personal data.”
The ICO said the organization should “consider whether it is necessary and/or required to implement a secure clinical image transfer system.”
We’ve asked NHS Lanarkshire for comment, including on whether it planned to put a secure clinical image transfer system into place in the near future.
In a statement sent to The Reg, Trudi Marshall, Nurse Director Health & Social Care North Lanarkshire, said: “We have received a formal reprimand from the ICO for the use of WhatsApp by one of our community teams to exchange personal patient data during the pandemic.
“We recognise that the team took this approach as a substitute for communications that would have normally taken place in either a clinical or office setting, but was not possible at that time due to Covid restrictions. However, the use of WhatsApp was never intended for processing patient data.
“We offer our sincere apologies to anyone whose personal details were shared through this group.” She added: “We have already taken a number of steps including looking at alternative apps that can be introduced for the transfer and storage of images and videos within a care setting. This is being taken forward while considering the risks relating to the storage of any personal data.”
The Information Commissioner, incidentally, is another aspect of regulatory oversight that will be impacted if the UK government overhauls the post-Brexit data regime in the way it wishes to do so with the DPDI II bill. The bill, a controversial proposed replacement for the UK GDPR, currently going through the House of Commons, proposes to “abolish the office” of Information Commissioner, and replace the function with a new board, the “Information Commission.”
According to the latest draft, the Secretary of State can use a statutory instrument to change, add or remove “the databases which the Board is required to oversee,” rename the Board, or “require or authorise the Board to issue a code of practice or guidance” – a situation which would undermine the regulator’s independence and influence its guidance and priorities.