What’s this all about?
The UK data protection regulator the Information Commissioner’s Office (ICO) recently issued an official reprimand under UK GDPR to the health service provider NHS Lanarkshire (Scotland) following the unauthorized use of WhatsApp by staff to share patients’ personal data. It’s an interesting case looking at so-called ‘ShadowIT’ and the legacy of emergency measures during the pandemic.
What’s the background?
Over a two-year period between 2020 and 2022, 26 staff at NHS Lanarkshire had access to a WhatsApp group where there were a minimum of 533 entries that included patient names (of adults and children). Of those entries, a minimum of 215 included phone numbers, 96 included dates of birth and 28 included addresses. 15 images, 3 videos and 4 screenshots were also shared, which included personal data of patients and clinical information, i.e. so-called “special category” health data. Other data was also added to the WhatsApp group in error. Other communications were also identified where the staff in question had used WhatsApp.
WhatsApp was not approved by NHS Lanarkshire for processing personal data of patients. The use of WhatsApp was an approach adopted by the staff involved without organisational knowledge. It was used by the staff in question as a substitute for communications that would have taken place in the clinical office but didn’t after staff reduced office attendance due to the COVID-19 pandemic. No Data Protection Impact Assessment was in place and no risk assessment relating to personal data processing was completed concerning WhatsApp, as WhatsApp was not approved by NHS Lanarkshire for the sharing of personal data relating to patients.
NHS Lanarkshire undertook an internal investigation and reported this matter to the ICO.
What did the ICO decide?
The ICO’s investigation concluded that NHS Lanarkshire did not have the appropriate policies, clear guidance and processes in place when WhatsApp was made available to download. For example, there was no assessment of the potential risks of sharing patient data in this way. The ICO concluded that there had been a number of infringements of UK GDPR, not least the failure to implement appropriate technical and organisational measures (TOMs) to ensure the security of the personal data involved, as a consequence of which personal data was shared via an unauthorised means and an inappropriate disclosure occurred.
There was also a failure to report this matter (i.e. as a data breach) to the ICO in time. Affected data subjects were not informed about this matter but the ICO considered that there was “potential for distress to be caused to data subjects if they were to be made aware of this matter i.e. concerns that their personal data has been processed inappropriately and a lack of trust with the [staff concerned] and NHS Lanarkshire overall, which could discourage them from using its services.”
The ICO also noted in NHS Lanarkshire’s favour that, in terms of remedial action, “NHS Lanarkshire contacted staff regarding this matter and […] communications were sent to both all staff and [the staff concerned] with the instruction not to use WhatsApp for sharing personal data. NHS Lanarkshire subsequently seized the phones of staff involved […]. All phones were deprovisioned which NHS Lanarkshire confirmed deleted the chat and staff have been issued with new phones.”
The ICO recommended that NHS Lanarkshire should take action to ensure their compliance with data protection law, including:
- Considering implementing a secure clinical image transfer system, as part of NHS Lanarkshire’s exploration regarding the storage of images and videos within a care setting;
- Before deploying new apps, consideration of the risks relating to personal data and including the requirement to assess and mitigate these risks in any approval process;
- Ensuring that explicit communications, instructions or guidance are issued to employees on their data protection responsibilities when new apps are deployed;
- Reviewing all organisational policies and procedures relevant to this matter and amending them where appropriate; and,
- Ensuring that all staff are aware of their responsibilities to report personal data breaches internally without delay to the relevant team.
In light of the remedial steps and mitigating factors the ICO issued an official reprimand – a fine has not yet been imposed. The ICO also asked NHS Lanarkshire to provide an update of actions taken within six months of the reprimand being issued.
Takeaways
We’ve seen a heavy reliance by people on using WhatsApp and other messaging applications for workplace communications. At a recent conference in London one organization said that more than 60% of data relevant to workplace investigations is now found in alternative platforms – email is no longer the single source of truth. Whilst people may think that this usage doesn’t fall within the scope of data protection rules, it clearly does. Because people might not think that their messaging is subject to scrutiny under privacy rules they may be tempted to say things there that they might not say in a work email. This may result in “difficult” messaging later coming to light, for example following a Subject Access Request.
Organizations should consider the following areas of practical compliance:
- Because people think WhatsApp and other messaging applications are encrypted, they are often less careful than they should be; they need to be informed through a workplace communications policy and training that their workplace communications are subject to privacy rules;
- Discouraging so-called “shadow IT” (using IT for your job that your IT department hasn’t approved) – if there’s an unmet need people tend to consider other options, so see what you can do to provide WhatsApp-like functionality for workplace communications within in-house systems, which are likely to be lower risk. From our experience it’s often a good idea to involve more junior and tech-savvy staff in this exercise as they may be the ones more likely to find alternatives to your existing systems;
- Making sure that conventional IT systems are fit for purpose;
- Re-evaluating and auditing any COVID workarounds that might still be in place, and considering disabling systems used as a workaround or back-filling compliance for them. Undertaking a Data Protection Impact Assessment would help focus on possible problems and how to mitigate their effects. Include meeting platforms like Teams and Zoom in this exercise too;
- Working from home may have become the standard for the organization for some or all of the working week, so make sure that the organization’s systems reflect that;
- As a greater percentage of the working population is made up of digital natives we’re going to see more and more of the types of issues that occurred in this matter. The tech-savvy use different tools to get the job done, and so an organization needs to understand that and build it into its plans;
- Making sure that the organization has processes in place to be able to report data breaches in time (and communicate with affected data subjects); and,
- Last but certainly by no means least, making sure that personal data is being kept firmly secure – an organization must undertake regular reviews of its systems to ensure this.
Resources
Jonathan talked to DataBreach Today about this case, where there’s more background: https://www.databreachtoday.com/privacy-watchdog-slams-sharing-patient-data-via-whatsapp-a-22717.
We report about data protection and privacy issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The official ICO reprimand can be found here: https://ico.org.uk/action-weve-taken/enforcement/nhs-lanarkshire/, and the ICO press release can be found here: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/08/ico-reprimands-nhs-lanarkshire-for-sharing-patient-data-via-whatsapp/.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784. Jonathan.armstrong@corderycompliance.com
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 347 2365. Andre.bywater@corderycompliance.com
Photo Credit : South Lanarkshire Leisure and Culture SCIO (SLLC)