ICO Issues Reprimand for Use of WhatsApp by NHS Trust
Published: August 4th, 2023
The Information Commissioner's Office (ICO) has published details of a reprimand issued to NHS Lanarkshire, following staff's unauthorised use of WhatsApp to share the personal details of patients, over the course of two years.
Background
The reprimand is difficult to read in places as it is heavily redacted. However, it states that an ICO investigation has found that between April 2020 and April 2022 a WhatsApp group was used by a team at NHS Lanarkshire. During the course of the conversations, at least 533 entries were made that included patient names, telephone numbers, dates of birth and patient and clinical data.
It appears that an individual was added to the WhatsApp group in error, resulting in an inappropriate disclosure of patient data to an unauthorised individual. An internal investigation commenced and it was discovered that the WhatsApp group had been adopted by the team during the pandemic as a substitute for communications that would otherwise have taken place in the clinical office.
As a result of the creation of this WhatsApp group, patient data was shared by unauthorised means and an inappropriate disclosure was made when an individual was added to the WhatsApp group in error.
Findings
Once NHS Lanarkshire became aware of the incident where an individual had been added to the WhatsApp group in error, it approached the ICO and reported the incident. The ICO conducted an investigation and has found that NHS Lanarkshire breached the following provisions of the UK GDPR:
Article 5(1)(f) - Data security principle.
Article 25 - Technical and organisational measures must be implemented to protect personal data.
Article 32 - Appropriate technical and organisational measures must be implemented to ensure a level of security appropriate to the risk of the processing.
The ICO concluded that NHS Lanarkshire did not have the appropriate policies, clear guidance and processes in place when WhatsApp was made available to download. NHS Lanarkshire failed to conduct a data protection impact assessment of the potential risks associated with sharing patient data in this manner.
ICO recommendations
The ICO recommended that NHS Lanarkshire should take immediate action to ensure that they are compliant with data protection legislation. The ICO put forward the following recommendations for them to implement:
The ICO encouraged NHS Lanarkshire to implement a secure "clinical image transfer system" regarding the storage of images and videos within the care setting.
Staff should be aware of their responsibilities and report personal data breaches internally.
All policies and procedures should be reviewed and, where necessary, amended.
Before the implementation of new applications, the organisation should consider any potential risks relating to personal data and include the requirement to assess and mitigate these risks in any approval process.
Explicit communications, instructions or guidance should be issued to all employees to ensure they are aware of their data protection responsibilities when new applications are implemented.
The ICO has requested that NHS Lanarkshire provide an update on the actions it has taken within six months of the reprimand being issued.
Consequences of a Reprimand
A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation in which the ICO considers that an organisation has not complied with the UK GDPR. Reprimands may be issued where the ICO has found a breach of the UK GDPR but the breach is not serious enough to attract a fine. They are also commonly issued against public sector organisations as an alternative to a fine, which would have to be paid out of public funds.
In December 2022, the ICO announced that it would now publish details of reprimands on its website. Therefore, despite avoiding a fine, organisations may now face additional scrutiny and reputational damage as a result of a reprimand being issued. An organisation may also find the reprimand being used as evidence in claims for compensation for a data breach.
Conclusion
Your organisation should ensure that all internal data protection policies are up to date and reviewed on a regular basis. Training should be provided to members of staff to ensure that they are aware of their data protection duties. When you or your organisation decide to implement a new application, a data protection impact assessment should be conducted to assist in identifying any potential risks and to ensure compliance with data protection legislation.