An NHS trust has been reprimanded by the UK’s data protection regulator after it was found that staff had been sharing patient details on an unapproved app for two years.
Some 26 staff at NHS Lanarkshire accessed the WhatsApp group between April 2020 and April 2022, entering sensitive patient data including names, phone numbers, addresses, photos, videos, screenshots and clinical information, according to the Information Commissioner’s Office (ICO).
The WhatsApp group was originally set up to help staff communicate during the early days of the pandemic. However, it was not approved for processing patient data, which is classed by the GDPR as a “special category” of personal data. Article 9 of the regulation provides special protection for this category of data.
The staff apparently began using the group to share this data without the trust’s knowledge. One non-staff member was accidentally added to the group, resulting in inappropriate disclosure of personal information to them, the ICO claimed, highlighting the dangers of shadow IT.
The trust reported the incident to the ICO as soon as it became aware, although by then, patient data had been entered into the app on more than 500 occasions, the regulator said.
A subsequent investigation concluded that the trust did not have appropriate policies, guidance or processes in place at the point WhatsApp was made available to download. No risk assessment was made at the time, for example.
Information commissioner, John Edwards, said patient data must be handled “carefully and securely” so that people can trust their information is in safe hands.
“We appreciate that NHS Lanarkshire, like all healthcare providers, was under huge pressure during the pandemic but there is no excuse for letting data protection standards slip,” he added.
“Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to both messaging apps and processing information about patients. We will be following up with NHS Lanarkshire to ensure that patient data is not compromised again.”