Single Patient Opt-Out: The WhatsApp Problem

Published on July 12 of last year in response to Dame Fiona Caldicott’s national data guardian review, a government report promised that an opt-out would be offered to patients who did not want their data shared beyond direct care. To be applied across health & social care, it is set to be an important step forward in patient empowerment – providing more direct control & discretion over how personal data is used in the healthcare system.

However, although this promise was made over 9 months ago, it has yet to be acted upon. But that’s likely to change. As recently reported by the Health Service Journal, the NHS will be expected to comply with the ruling from May of this year. Specifically, this means that from May onwards, patients will have the option to request that their health records are not used for research or planning purposes.

The timing of this deadline coincides with the introduction of new EU rules known as the General Data Protection Regulation (GDPR), which are expected to have a significant impact on the health service. Trusts, service providers and suppliers alike have been working hard to ensure systems are compliant with both new sets of rules. However, there is still one glaringly obvious unaddressed point of weakness: WhatsApp.

The Extent of the NHS WhatsApp Problem

CommonTime’s latest research found that consumer instant messaging (IM) platforms, such as WhatsApp, are used by approximately 43% of NHS staff for work purposes, including facilitating shift handovers, sharing patient information and communicating directly with patients. This finding is disturbing enough in itself. However, it presents a particular challenge to the implementation of GDPR and single patient opt-out mechanisms: knowledge of where data is stored.

NHS staff from all backgrounds, including front line, clinical support and administrative roles, are being driven to consumer messaging platforms by the lack of adequate IT systems provided to them. This is backed up by our finding that 28% more staff are satisfied by how well consumer messaging apps serve their work needs, compared to Trust-provided alternatives.

Similarly, a Guardian Healthcare Network survey found that less than a quarter of workers thought health service IT was appropriate for the demands the NHS is required to meet.

Faced with these facts, it’s easy to see why so many are turning towards consumer messaging applications to facilitate day-to-day tasks. But unfortunately, simply understanding the reasons behind the problem doesn’t limit or reduce the challenge of overcoming it.

Finding and Deleting Data on Private Networks

The crux of the problem WhatsApp poses is that patient data is being removed from controlled clinical systems and shared instead on private, closed networks. On these networks, data becomes near impossible to find and delete as would be expected when complying with opt-out & GDPR policies.

Under both new sets of rules, it is the organisation’s responsibility to ensure that data is being handled in a responsible and transparent manner. Non-Trust approved channels act as a black spot and are likely to act as substitutes for official medical records. This is something that the NHS Digital guidelines on instant messaging attempt to address.

In a draft of the guidelines, staff were asked to avoid using instant messaging platforms as a substitute for health records. The final version states that workers should not “use the instant messaging conversation as the formal medical record” but should “keep separate clinical records and ensure original messaging notes are deleted.” Questions over the practicality of this can be raised, especially considering the same guidelines urge staff to “remember that instant messaging conversations may be subject to Subject Access Requests and potentially Freedom of Information requests.”

Clinical environments are fast paced, with healthcare professionals constantly under pressure to do more with less time. Given this fact, and that a driving factor behind the popularity of instant messaging is that it is removed from cumbersome, bureaucratic processes, it is unlikely that these suggestions will be stringently adhered to.

Further, the practicality of asking staff to hand over data on private conversations as part of Subject Access Requests and Freedom of Information requests has yet to be trialled and no precedent has been set. If current Trust access to such conversations is to be used as a benchmark, then such provisions are unlikely to be enforceable.

External Access to Data

Perhaps most concerning of all, and least addressable, is the control parent companies of consumer messaging apps have over the data that flows through them. Despite the request for messaging notes to be deleted from personal devices, for messages to be fully removed they would also need to be deleted from the recipient’s device.

Additionally, while WhatsApp (and many other consumer messaging providers) do not store copies of messages for extended periods of time, there is no guarantee that this will remain the case in the future.

Just this month, Facebook has been prevented from using data from UK citizens’ WhatsApp accounts for “purposes beyond the chat app itself.” Facebook has since promised not to access data in this way until it becomes GDPR compliant. Notably, however, the company is not giving up in its pursuit of this data. Though this does not encompass conversations themselves, it is indicative of private companies’ hunger for more data and the potential risks it poses to the individuals who rely on them to share sensitive information.

Ultimately, as both GDPR and opt-out policy roll-out dates march ever closer, it is clear that consumer messaging products pose an issue for the NHS. To put it bluntly: the health service has a WhatsApp problem. The current suggested measures will not only be difficult to enforce but cumbersome to those who do continue to use consumer IM.

Forward-thinking Trusts are seeking not just to rely on this guidance, but to provide staff with secure, reliable instant messaging tools designed around their specific needs. But these tools must offer staff value over and above what they already receive from WhatsApp and other consumer IM platforms to have any chance of revolutionising communication.

Read more about the complex relationship between instant messaging and modern healthcare delivery in the NHS in our latest research report.

© CommonTime 2018 - 2020. All rights reserved.
CommonTime Ltd is a limited company registered in England and Wales. Registered office: 15 St Christopher’s Way, Pride Park, Derby, DE24 8JY. Registered number: 03133149
