NHS Lanarkshire: Data Sharing via WhatsApp

This article covers a recent incident involving NHS Lanarkshire, which highlights the significance of careful data handling. 


The Incident in Brief 

The Information Commissioner’s Office (ICO) has taken action against NHS Lanarkshire for sharing patients’ personal data on WhatsApp without authorization. Over a two-year period, from April 2020 to April 2022, more than 500 instances of patient data were shared, including names, contact details, images, videos, and clinical information. 

Initially adopted for basic communication at the onset of the pandemic, WhatsApp was never officially endorsed by NHS Lanarkshire for processing patient data. The platform was in use without the organisation's knowledge, and an outsider even gained access, leading to unauthorised exposure of personal data.

The ICO’s investigation exposed inadequacies in NHS Lanarkshire’s data protection practices. The organisation lacked proper policies, guidance, and processes for WhatsApp usage, and had failed to evaluate the risks of sharing patient data this way.


Lessons to Learn 

This incident offers essential takeaways for navigating the at times complex world of data protection:

Implement Secure Solutions: Consider introducing a secure image transfer system to ensure safe data handling, including: 

  • Encryption: Images encrypted end-to-end. 
  • Protocols: HTTPS/SFTP for secure transfer. 
  • Integrity: Hashing for data verification. 
  • Authentication: Strong, multi-factor verification. 
  • Access Control: Limited, role-based access. 
  • Temporary Links: Time-limited access links. 
  • Watermarking: Traceable image identification. 
  • Logging: Detailed access records. 
  • Infrastructure: Secure hosting and updates. 
  • Multi-factor Auth: Extra layers of security. 
  • Geolocation Control: Limited access by location. 
  • Compression + Encryption: Secure transfer prep. 
  • Penetration Testing: Regular vulnerability checks. 
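As an added illustration (not code from the original article or from any NHS Lanarkshire system) of how the Integrity, Temporary Links and Logging items above fit together, the following Python sketch signs a download link that is bound to one image's SHA-256 digest, one named recipient and an expiry time, and the verifier returns the reason a link was rejected so that outcome can be written to an access log. The signing key, base URL, image bytes and recipient names are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed placeholder key for this example; a real deployment keeps the
# key in a secrets manager and rotates it, never in source control.
SIGNING_KEY = b"constructed-example-key-rotate-me"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _message(image_id: str, digest: str, recipient: str, expires: int) -> bytes:
    # Everything the link grants is covered by the signature, so changing
    # the recipient, image or expiry invalidates it.
    return f"{image_id}|{digest}|{recipient}|{expires}".encode()


def make_link(base_url: str, image_id: str, image_bytes: bytes,
              recipient: str, ttl_seconds: int, now: int) -> str:
    """Build a time-limited link for one image, one recipient and one expiry."""
    digest = sha256_hex(image_bytes)
    expires = now + ttl_seconds
    sig = hmac.new(SIGNING_KEY, _message(image_id, digest, recipient, expires),
                   hashlib.sha256).hexdigest()
    query = urlencode({"id": image_id, "h": digest, "to": recipient,
                       "exp": expires, "sig": sig})
    return f"{base_url}?{query}"


def verify_link(url: str, stored_images: dict, now: int) -> tuple:
    """Return (ok, reason); the reason is what an access log should record."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    try:
        image_id, digest, recipient, expires, sig = (
            q["id"], q["h"], q["to"], int(q["exp"]), q["sig"])
    except (KeyError, ValueError):
        return False, "malformed"
    expected = hmac.new(SIGNING_KEY, _message(image_id, digest, recipient, expires),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    image = stored_images.get(image_id)
    if image is None or sha256_hex(image) != digest:
        return False, "integrity mismatch"  # stored image no longer matches
    return True, f"ok:{recipient}"
```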

Assess App Risks: Evaluate data risks when introducing new applications and include risk assessment in the approval process. 

Clear Communication: Clearly communicate data protection responsibilities to your staff when implementing new apps. 

Policy Review: Regularly review and update your organizational policies and procedures to align with evolving data protection standards. 

Internal Reporting: Ensure all staff members understand their responsibility to report data breaches promptly. 


Moving Forward  

The NHS Lanarkshire incident serves as a clear reminder that robust data protection practices are essential, particularly when processing sensitive data.


Is your organisation currently handling data via WhatsApp? For expert advice and consultation from our Data Protection Officer, contact us on dpo@tenintel.com


Written by

Lynsey Hanson | Data Protection Officer