04 August, 2023
The Information Commissioner's Office (ICO) has published details of a reprimand issued to NHS Lanarkshire, following staff's unauthorised use of WhatsApp to share the personal details of patients, over the course of two years.
The reprimand is difficult to read in places as it is heavily redacted. However, it states that an ICO investigation has found that between April 2020 and April 2022 a WhatsApp group was used by a team at NHS Lanarkshire. During the course of the conversations, at least 533 entries were made that included patient names, telephone numbers, dates of birth and patient and clinical data.
It appears that an individual had been added to the WhatsApp group in error, resulting in an inappropriate disclosure of patient data to an unauthorised individual. An internal investigation commenced and it was discovered that the WhatsApp group had been adopted by the team during the pandemic as a substitute for the communications that would otherwise have taken place in the clinical office.
As a result of the creation of this WhatsApp group, patient data was shared by unauthorised means and an inappropriate disclosure was made when an individual was added to the WhatsApp group in error.
Once NHS Lanarkshire became aware of the incident where an individual had been added to the WhatsApp group in error, it approached the ICO and reported the incident. The ICO conducted an investigation and has found that NHS Lanarkshire breached the following provisions of the UK GDPR:
The ICO concluded that NHS Lanarkshire did not have appropriate policies, clear guidance and processes in place when WhatsApp was made available to download. NHS Lanarkshire also failed to conduct a data protection impact assessment of the potential risks associated with sharing patient data in this manner.
The ICO recommended that NHS Lanarkshire should take immediate action to ensure that they are compliant with data protection legislation. The ICO put forward the following recommendations for them to implement:
The ICO has requested that NHS Lanarkshire provide an update on the actions it has taken within six months of the reprimand being issued.
A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation where the ICO considers that an organisation has not complied with the UK GDPR. Reprimands may be issued where the ICO has found a breach of the UK GDPR but the breach is not serious enough to attract a fine. They are also commonly issued against public sector organisations as an alternative to a fine, which would have to be paid out of public funds.
In December 2022, the ICO announced that it would publish details of reprimands on its website. Therefore, despite avoiding a fine, organisations may now face additional scrutiny and reputational damage as a result of a reprimand being issued. An organisation may also find the reprimand being used as evidence in claims for compensation following a data breach.
Your organisation should ensure that all internal data protection policies are up to date and are reviewed on a regular basis. Training should be provided to members of staff to ensure that they are aware of their data protection duties. When you or your organisation take a decision to implement a new application, a data protection impact assessment should be conducted to help identify any potential risks and ensure compliance with data protection legislation.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.