Recently, the UK Information Commissioner’s Office (the ICO) reported that it has issued a reprimand to NHS Lanarkshire, following the set-up of a WhatsApp group in which staff shared patient data and images.
NHS Lanarkshire was reprimanded because the WhatsApp group involved the sharing of patients’ personal data by unauthorised means, and because it led to a disclosure of personal data.
The ICO’s published reprimand is redacted in parts, meaning the full depth of the ICO’s decision is difficult to gauge. However, we have commented on some of the key issues which organisations should be aware of following this action.
The full reprimand is available to read here.
For background, a reprimand means a decision issued by the ICO following an investigation, stating that an organisation hasn’t complied with the UK GDPR. Reprimands can lead to serious reputational damage for organisations and should be taken extremely seriously. For information on reprimands and their importance, see our article.
The ICO found that between April 2020 and 2022, a team at NHS Lanarkshire had shared at least 533 entries in the WhatsApp group which included patient names, telephone numbers, dates of birth and patient and clinical data. The group also contained personal data about children, which is treated as highly sensitive under the UK GDPR.
Additionally, the patient data was disclosed to an unauthorised individual who was added to the group by mistake. The group had been created during the pandemic to make it easier for colleagues in the NHS team to communicate with each other.
NHS Lanarkshire itself did not approve this processing of its patient data in a WhatsApp group and stated that this was done by staff, without its knowledge.
A key issue in this case appeared to be the use of the WhatsApp group to share highly sensitive information, which could put the personal data of patients at risk.
John Edwards, Information Commissioner, commented as follows in the ICO’s blog post:
Patient data is highly sensitive information that must be handled carefully and securely. When accessing healthcare and other vital services, people need to trust that their data is in safe hands.
We appreciate that NHS Lanarkshire, like all healthcare providers, was under huge pressure during the pandemic but there is no excuse for letting data protection standards slip.
Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to both messaging apps and processing information about patients. We will be following up with NHS Lanarkshire to ensure that patient data is not compromised again.
The ICO’s investigation into the WhatsApp group found several shortcomings, such as:
- NHS Lanarkshire had breached the UK GDPR principles of data security and the need to have in place appropriate technical and organisational measures to protect personal data.
- NHS Lanarkshire did not have in place appropriate policies, guidance or processes and failed to conduct appropriate risk assessments needed around the sharing of personal data in the WhatsApp group.
The ICO made various recommendations for NHS Lanarkshire to implement, including the need to ensure that staff are aware of their responsibilities, to report personal data breaches without delay and to review all organisational policies and procedures relevant to the incident.
What can we learn from the ICO’s reprimand?
A key lesson here is how badly things can go wrong when staff are not properly trained on UK GDPR and its rules. In this case, the staff’s innocent use of WhatsApp still put personal data at risk. The incident seems to demonstrate that the staff in the NHS team did not understand basic data protection law issues, particularly around data security and preventing data breaches.
Unfortunately, many businesses fail to train their staff on compliance with data protection laws, and as a result most personal data breaches are caused by staff error. If you would like further information on training your staff on the UK GDPR rules.
Key tips when using WhatsApp for business purposes
Although this case related to the use of patient data by an NHS trust, there are some key takeaways which all organisations using WhatsApp can follow:
- Ensure you have policies and procedures in place to govern the use of WhatsApp and similar technologies by staff. Ask your staff to carefully review and confirm they have read and understood these policies, by signing the documents.
- Train your staff on UK GDPR rules and how important they are. This incident shows what can go wrong if staff actions fall in breach of the stringent UK GDPR rules, even accidentally. Whenever a new technology for communications is implemented, such as a social messaging service, remind staff of the UK GDPR rules to follow in relation to that technology.
- Where you are using technology (such as an app) to share personal data, make sure you first consider carrying out a Data Protection Impact Assessment to assess the risk to personal data when using the technology and how to mitigate it. This is particularly important where the personal data being shared is sensitive, such as health data or data concerning children.
- Always implement appropriate data security measures when using any apps for business conversations, for example by requiring that staff use secure devices.
Although this list is not exhaustive, measures like these could reduce the chances of personal data breaches occurring when personal data is processed on WhatsApp.
WhatsApp (and WhatsApp groups) are commonly used by organisations in the UK, and therefore the ICO’s reprimand provides serious warnings on the use of this platform, which should not be ignored.
The use of WhatsApp presents several risks from a data protection and security perspective – for example, an individual’s phone could be stolen or hacked and personal data on WhatsApp could be exposed to third parties.
Please contact us if you would like advice on this topic and the specific rules your organisation should follow when using WhatsApp or similar technologies for business purposes.