Following the recent BBC News article quoting us about the widespread use of WhatsApp in the NHS, there has been a huge conversation on Twitter about what "compliant" actually means.
If a technology is compliant for use in the NHS, it meets all of NHS England's Information Governance requirements and all applicable UK laws, such as the UK Data Protection Act. Importantly, this means it has been developed to the right standard for use by any health and care worker in the UK, subject to approval by each worker's care provider.
Confidential health and care information should not be shared through non-compliant technologies unless it is completely anonymised. This is made clear in NHS Digital's Use of Social Media User Guide, issued on 23 May 2017, which states:
"Don't put patient, sensitive or security classified information on social media [including messaging apps like WhatsApp]; this would breach data protection laws or patient confidentiality and result in a security incident.”
What if you use non-compliant technology?
In simple terms, if the data is not completely anonymised, a breach may already have occurred. For example, an image shared on WhatsApp will be stored on WhatsApp's servers in the US. If you do not have the patient's explicit consent for this transfer, you may be found in breach of the UK Data Protection Act.
Using WhatsApp may breach Principle 8 of the Act, because the USA is not considered to provide adequate protection of personal data unless the recipient of the data has certified compliance with the Privacy Shield framework.
WhatsApp is owned by WhatsApp Inc, and WhatsApp Inc does not appear on the Privacy Shield list. WhatsApp's parent company, Facebook Inc, is certified under Privacy Shield, but our understanding is that US subsidiaries are required to hold their own certification or be specifically named on their parent's registration.
What do you mean by 'completely anonymised'?
Referring to the Information Commissioner's Office (ICO), the General Medical Council (GMC) guidance on anonymised information "considers data to be anonymised if it does not itself identify any individual, and if it is unlikely to allow any individual to be identified through its combination with other data. Simply removing the patient's name, age, address or other personal identifiers is unlikely to be enough to anonymise information to this standard." The GMC also clarifies that the level of anonymisation required can vary with the type of data, the size of the dataset, the method of sharing and other factors.
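To make the "combination with other data" point concrete, here is an added worked example (not from the original post, the GMC or medCrowd) in Python. It uses a constructed clinical extract from which name and NHS number have already been stripped, and a constructed "public register" standing in for the other data an attacker might hold. The postcodes, dates, names and diagnoses are invented. The k-anonymity measure and the generalisation step are standard anonymisation techniques that I am introducing here; they are not the GMC's test, and a small k is no guarantee of anonymity on a large or unusual dataset, which is exactly the variability the GMC guidance warns about.

```python
"""Why removing direct identifiers is not complete anonymisation.

Added example, not code from the original post. All records below are
constructed for illustration; they do not describe real people.
"""
from collections import Counter

# Constructed extract: name and NHS number removed, but postcode, date of
# birth and sex (quasi-identifiers) retained alongside the diagnosis.
CLINICAL_EXTRACT = [
    {"postcode": "SW1A 1AA", "dob": "1956-03-04", "sex": "F", "diagnosis": "type 2 diabetes"},
    {"postcode": "SW1A 1AA", "dob": "1956-03-04", "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "SW1A 2AA", "dob": "1956-07-20", "sex": "F", "diagnosis": "arthritis"},
    {"postcode": "SW1A 2AA", "dob": "1956-09-01", "sex": "M", "diagnosis": "COPD"},
    {"postcode": "M1 1AE",   "dob": "1990-11-12", "sex": "F", "diagnosis": "asthma"},
    {"postcode": "M1 1AE",   "dob": "1990-11-12", "sex": "F", "diagnosis": "migraine"},
]

# Constructed "other data": a register an attacker can obtain that carries
# names next to the same quasi-identifiers.
PUBLIC_REGISTER = [
    {"name": "A. Example", "postcode": "SW1A 1AA", "dob": "1956-03-04", "sex": "F"},
    {"name": "B. Example", "postcode": "SW1A 1AA", "dob": "1956-03-04", "sex": "M"},
    {"name": "C. Example", "postcode": "M1 1AE",   "dob": "1990-11-12", "sex": "F"},
]

QUASI_IDENTIFIERS = ("postcode", "dob", "sex")


def quasi_key(record, fields=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values that an attacker can join on."""
    return tuple(record[f] for f in fields)


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Smallest number of records sharing one quasi-identifier tuple.

    k == 1 means at least one record is unique on the join fields, so a
    matching entry in any other dataset pins it to a single person.
    """
    counts = Counter(quasi_key(r, fields) for r in records)
    return min(counts.values()) if counts else 0


def link(records, register, fields=QUASI_IDENTIFIERS):
    """Re-identify by joining extract and register on the quasi-identifiers.

    Returns {name: diagnosis} for every case where the quasi-identifier tuple
    is unique in the extract AND maps to exactly one name in the register.
    """
    extract_counts = Counter(quasi_key(r, fields) for r in records)
    names_by_key = {}
    for entry in register:
        names_by_key.setdefault(quasi_key(entry, fields), []).append(entry["name"])

    reidentified = {}
    for r in records:
        key = quasi_key(r, fields)
        names = names_by_key.get(key, [])
        if extract_counts[key] == 1 and len(names) == 1:
            reidentified[names[0]] = r["diagnosis"]
    return reidentified


def generalise(record):
    """Coarsen the quasi-identifiers: outward postcode only, birth year only.

    Works on extract rows and register rows alike (other fields are copied).
    """
    out = dict(record)
    out["postcode"] = record["postcode"].split()[0]
    out["dob"] = record["dob"][:4]
    return out


if __name__ == "__main__":
    print("k on raw extract:", k_anonymity(CLINICAL_EXTRACT))
    print("re-identified from raw extract:", link(CLINICAL_EXTRACT, PUBLIC_REGISTER))
    coarse = [generalise(r) for r in CLINICAL_EXTRACT]
    coarse_register = [generalise(e) for e in PUBLIC_REGISTER]
    print("k after generalisation:", k_anonymity(coarse))
    print("re-identified after generalisation:", link(coarse, coarse_register))
```

On the raw extract the join on postcode, date of birth and sex is unique for the two SW1A 1AA rows, so their diagnoses are attributed to named people even though no name was ever in the extract. After generalising to outward postcode and birth year, every quasi-identifier tuple is shared by at least two rows and the same join no longer singles anyone out. Which fields count as quasi-identifiers, and how coarse they must become, depends on what other data exists about the population, which is why the guidance does not reduce "completely anonymised" to a fixed checklist.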
What must I do?
Health and care workers are extensively using non-compliant technology such as WhatsApp. Any health and care worker can switch to medCrowd to ensure they are not breaking the law.
After switching to medCrowd, the next step is to secure your care provider's approval for using medCrowd at work.
We recommend switching away from non-compliant technology first, so that you can show you have made the right professional decision to protect your patients' data; continuing to use non-compliant technology is clearly a risky business.