An NHS trust has been reprimanded by the UK’s data protection regulator after it was discovered that staff had been sharing patient details on an unapproved app for two years.
Some 26 staff at NHS Lanarkshire accessed the WhatsApp group between April 2020 and April 2022, entering sensitive patient data including names, phone numbers, addresses, images, videos, screenshots and clinical information, according to the Information Commissioner’s Office (ICO).
The WhatsApp group was initially set up to help staff communicate during the early days of the pandemic. However, it was not approved for processing patient data, which is classed by the GDPR as a “special category” of personal data. Article 9 of the law provides special protection for this category of data.
The staff apparently began using the group to share this data without the trust’s knowledge. One non-staff member was accidentally added to the group, resulting in the inappropriate disclosure of personal information to them, the ICO said, highlighting the dangers of shadow IT.
The trust reported the incident to the ICO as soon as it became aware, although by then, patient data had been entered into the app on more than 500 occasions, the regulator said.
A subsequent investigation concluded that the trust didn’t have appropriate policies, guidance or processes in place at the point WhatsApp was made available to download. No risk assessment was made at the time, for example.
Information Commissioner John Edwards said patient data must be treated “carefully and securely” so that people can trust that their information is in safe hands.
“We appreciate that NHS Lanarkshire, like all healthcare providers, was under huge pressure during the pandemic but there is no excuse for letting data protection standards slip,” he added.
“Every healthcare organization should look at this case as a lesson learned and consider their own policies when it comes to both messaging apps and processing information about patients. We will be following up with NHS Lanarkshire to ensure that patient data is not compromised again.”