NHS Lanarkshire (the Trust) has been issued with a reprimand in relation to sharing patients’ personal data on WhatsApp. In 2020, a WhatsApp group of 26 staff members was created in which staff shared patient personal data. 533 pieces of data, which included (adult and child) patient names, phone numbers, dates of birth and addresses, were shared in the group. A small number of images, videos and screenshots were also shared, which included special category data in the form of clinical information. At one point, an individual was added to the group in error and therefore had unauthorised access to some of the information. Whilst some use of WhatsApp was permitted within the Trust, this was only for “basic information”.
The ICO outlined a number of failings by the Trust which led it to conclude that the Trust had breached the GDPR in relation to its security obligations.
The ICO stated that the following measures would have likely reduced the risk of the issue arising:
- The completion of a risk assessment prior to making WhatsApp available to its staff through its portal.
- The issue of communications to staff when WhatsApp was made available, outlining expectations regarding the handling of personal data via official and approved channels (i.e. email).
- The development of either standard operating procedures/guidance/policies for WhatsApp use or the amendment of existing documentation to include these.
- The issue of communications at the outset of the pandemic dealing with remote working and the handling of personal data.
The reprimand details remedial steps taken by the Trust and further steps which the ICO is requiring the Trust to take, which are also interesting reading. The ICO is clearly not glossing over the COVID era: there may be allowances made for the unprecedented nature of the times, but they will by no means excuse all action taken during that time. This case also highlights the importance of making staff aware of which forms of communication can be used for personal data and which cannot.
The reprimand can be found here.
If you think it is time to refresh your data protection policies, get in touch with your usual contact or email us at email@example.com