UK’s data protection regulator issues recommendations and formal warning to health service organisation after investigation finds that sensitive information was shared via non-compliant channels – including with an unauthorised third party  

Staff at NHS Lanarkshire breached data-protection rules by sharing information about patients through messages sent via a WhatsApp group, the Information Commissioner’s Office has found. 

Personal data such as names, phone numbers and addresses of patients was shared by 26 members of staff over 500 times, as well as images and videos including clinical information.  A non-staff member was also added to the group by accident, meaning personal information was disclosed to an unauthorised third-party individual. 

The Scottish health board has apologised for the data leak that took place between April 2020 and April 2022. 

WhatsApp is an approved way for NHS staff to engage in basic communication. However, there is no such approval for sharing sensitive data. 

Related content

• ICO keeping an eye on new iris-scanning cryptocurrency and digital ID
• ‘This case is out of the ordinary, but we must follow our usual processes’ – ICO head on Farage complaint
• ICO: Instead of massive fines, regulation works best when we work alongside organisations

After being made aware of the WhatsApp group, NHS Lanarkshire reported the incident to the ICO, which conducted an investigation, concluding that the health board did not have the organisation policies, clear guidance, or processes in place when WhatsApp was made available to staff members during the pandemic. 

Trudi Marshall, nurse director at Health & Social Care North Lanarkshire, confirmed it had received a formal reprimand for the use of WhatsApp by one of its community teams. 

She said: “We have received a formal reprimand from the ICO for the use of WhatsApp by one of our community teams to exchange personal patient data during the pandemic. We recognise that the team took this approach as a substitute for communications that would have normally taken place in either a clinical or office setting but was not possible at that time due to Covid restrictions. However, the use of WhatsApp was never intended for processing patient data. We offer our sincere apologies to anyone whose personal details were shared through this group. 

“We have already taken a number of steps including looking at alternative apps that can be introduced for the transfer and storage of images and videos within a care setting. This is being taken forward while considering the risks relating to the storage of any personal data.” 

John Edwards, UK information commissioner, said: “Patient data is highly sensitive information that must be handled carefully and securely. When accessing healthcare and other vital services, people need to trust that their data is in safe hands. We appreciate that NHS Lanarkshire, like all healthcare providers, was under huge pressure during the pandemic but there is no excuse for letting data protection standards slip. Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to both messaging apps and processing information about patients. We will be following up with NHS Lanarkshire to ensure that patient data is not compromised again.” 

The ICO has now recommended actions for NHS Lanarkshire to take to prevent similar future occurrences. 

One of the suggestions is that the health board should implement a secure clinical image transfer system for images and videos in a care setting. NHS Lanarkshire must also “consider the risks” about personal data and sure staff are “aware of their responsibilities to report personal data breaches internally without delay to the relevant team”. The health board has been asked to provide an update on the action taken within the first six months of the reprimand being issued. 

The UK government recently updated its guidance for the first time in a decade to prohibit ministers and civil servants from using WhatsApp and private email accounts for sharing anything beyond the lowest tier of security classification. Even in this case, those using non-corporate message or email systems were warned that they should “be prepared to defend your choices”.