Hospitals in England should carry out spot checks on doctors’ and nurses’ phones to ensure they are safely using WhatsApp to discuss patient care, the head of the data watchdog has said.
John Edwards, Information Commissioner, told the Financial Times that use of the messaging app could be “hugely problematic” for NHS staff and patients if not used “properly”.
His intervention came after the FT reported last month that frontline health service workers routinely use WhatsApp on personal phones to share confidential patient details, test results and medical documents, prompting experts to warn of a “wild west” for data.
“We have to recognise that [the use of WhatsApp] is a reality,” Edwards said in an interview, but “it needs to occur out in the open and in a way that is in accordance with policies and procedures”.
Citing the Russian proverb “trust but verify”, Edwards added: “I am a big fan of audit and particularly random audit. So from time to time, you just go and say to somebody: ‘I need to look at your WhatsApp, I need to check the settings.’ That’s going to remind people.”
After years of uncertainty around the use of WhatsApp, the most popular messaging app in the UK, NHS England published official guidance for staff in 2020. It allows the use of mobile messaging to discuss patients but warns that staff “should take sufficient steps to safeguard confidentiality”.
The guidance states that any clinical decisions made on a messaging app must be added to a patient’s formal health record “as soon as possible” and that staff should “delete the original messaging notes”.
Healthcare workers are also advised to unlink the app from their phone’s photo library and disable message notifications when the screen is locked.
Frontline health workers said WhatsApp was an efficient workaround for official systems that were often siloed, making it difficult to access information quickly. However, they also conceded that not all staff followed the guidance at all times and that there was little oversight.
In its guidance for public authorities, the Information Commissioner’s Office says “records management policy should set out mitigating measures for staff if they use non-corporate communications channels for official business”.
For example, if “staff use instant messaging services, then auto-delete options should be in line with the retention policies of your official systems”.
Asked if hospital management should be able to look at staff phones if they were being used to share NHS patient data, Edwards said: “I am sure that they can say ‘I need to check NHS data on your system and you need to show it to me’.”
Used correctly, WhatsApp’s end-to-end encryption may “be more secure than many official systems or sanctioned systems” to share data, Edwards noted, since it allows only the sender and recipients to read messages.
“Two things can be true at the same time,” he added. “These technologies can be used safely and these technologies can create significant risks.”
NHS England has previously said individual trusts must assume responsibility for their own policies on the use of mobile apps, and that they should take “sufficient steps” to safeguard confidentiality.
“My expectation of a trust is that they need to have the policies and they need to be reminding staff of them regularly,” Edwards said.
“Just as they don’t grab hold of any new medical device and start using it on patients without having a process of checking and regulation, [clinicians and trusts] need also to be satisfying themselves that new communications and record-keeping channels can be used safely, before doing it,” he added.
NHS England said trusts were “responsible for their own policies on the use of communication tools, including mobile apps, and should take sufficient steps to safeguard confidentiality through regular training and staff reminders around good practice, including current ICO guidance”.