Taking Action to Protect Patient Data: The NHS Lanarkshire Case study

NHS Lanarkshire has been reprimanded by the Information Commissioner's Office (ICO) for not having appropriate policies and guidance in place to protect patient data. This came after it was discovered that 26 staff members had access to a WhatsApp group where patient data was shared, without NHS Lanarkshire's knowledge. The group included personal information such as names, phone numbers, addresses, images, videos, and screenshots with clinical information. A non-staff member was also inadvertently added to the group.

The ICO highlighted that NHS Lanarkshire did not undertake any risk assessments prior to allowing personnel access to this form of messaging app, which put patient data at risk of being accessed by unauthorised personnel.

John Edwards, Information Commissioner, stated: "Patient data is highly sensitive information that must be handled carefully and securely. When accessing healthcare and other vital services, people need to trust that their data is in safe hands. Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to both messaging apps and processing information about patients. We will be following up with NHS Lanarkshire to ensure that patient data is not compromised again."

In response, the ICO instructed NHS Lanarkshire to take appropriate action to ensure compliance with data protection law within six months of the reprimand being issued, including: creating and enforcing clear policies and guidance for staff; carrying out risk assessments prior to using messaging apps; and training staff members on these matters.