Working closely with healthcare professionals in both frontline and leadership roles, Liam Cahill (Founder and Healthtech Advisor at Together Digital) provides insight and key learnings from the ICO's reprimand of NHS Lanarkshire over its staff's use of WhatsApp to discuss and share information about patients. Originally published on Together Digital Partners.
In the most recent news around data security, NHS Lanarkshire has received a reprimand from the Information Commissioner's Office (ICO) over the use of WhatsApp by staff to discuss and share information about patients between April 2020 and April 2022, during the COVID-19 pandemic, including one unauthorized individual being temporarily added to the group.
On the face of it, this is a story of policies not being properly created or adhered to, and of technological workarounds in the absence of suitable secure communications solutions. The case is arguably much more complex, however, because of the challenging circumstances of the pandemic, the varying levels of skill and understanding around technology, human behavior, and ICO guidance that could itself have been open to misinterpretation. It also speaks to how likely data breaches become when teams feel under pressure to work efficiently and securely without access to suitable communication platforms.
I should emphasize that since not all the facts are available around NHS Lanarkshire, this article isn’t intended to cast judgment or critique Lanarkshire or the ICO, but instead look at the incident (and similar incidents) from all angles, and to consider what we can learn from it.
Unfortunately, too many data breaches result from "simple" mistakes. Human error (or non-cyber incidents, in the ICO's categorisation) remains one of the leading causes of data incidents, but errors of judgment often play a large role too. In the case of NHS Lanarkshire, the conclusion implies both the lack of an appropriate policy and a specific group that did not follow, or was not supported to follow, such a policy.
Whilst this is a very easy conclusion to draw, consider the circumstances in late March 2020 and the period that followed, during which the pandemic dictated many actions, not only within the NHS but across society in general.
Firstly, in the initial months of the pandemic, many services were forced to find solutions to unique issues that had never previously been considered under business-as-usual (BAU) policy; secondly, very few organisations were writing detailed policies, instead putting their efforts into keeping some form of care continuity, often learning to work remotely for the first time.
As it happens, in March 2020 the ICO and the then national digital arm of NHS England (NHSX) took the unprecedented step of allowing the use of WhatsApp (and other platforms) in clinical care "where the benefits outweigh the risk". The Information Commissioner offered assurance to NHSX that she "cannot envisage a situation where she would take action against a health and care professional clearly trying to deliver care". Whilst NHSX did not preside over Scotland, the ICO position would likely have been interpreted similarly there, and one can assume a similar stance would have been taken.
In 2020, I was working closely with both NHSX and NHS England, but also with a frontline community provider in order to solve care issues with digital, and on the board of another provider looking to balance risk and patient benefits. Through all of these avenues it was very clear that services across the board were taking the relaxation of information governance rules on board in order to keep care running, with many examples of WhatsApp use in community services such as health visiting, but also in those services where multi-disciplinary teams or partners were working together to support individuals in need, when the IT infrastructure was not up to the job. In my work during COVID I lost count of distressed staff in services, struggling to help a particular patient for whom the sharing of media such as video or imagery was needed, as appears to have been the case in the incident in question. It's easy to forget how intense the times were, but I can't help but empathize with any team who may have taken similar steps in a moment in which there was no alternative solution available to them other than to risk letting down or even harming patients.
During the summer of 2020, I supported a provider in delivering some education and discussion around secure communications, including helping clinical services to properly consider the risks and benefits of using WhatsApp, which, as was referenced in the ICO reprimand, is visibly labeled as encrypted. I clearly remember the surprise and consternation that the tool they believed to be secure and safe presented a number of risks they had no idea about, with many moving away from WhatsApp even though many still lacked a secure alternative. Digital skills can often be limited, or at least were limited in 2020, and given the ICO / NHSX guidance, it is very easy to see how staff across different sites could believe that they were doing the right thing for their patients based on the information they had at the time.
My final point is a behavioral one. With the exception of the immediate behavioral changes around digital at the beginning of the pandemic, it is very difficult to undo something once it is in motion. Technical debt is a real thing: just ask the people still using pagers and faxes. Anyone who has supported digital change in the NHS will know how difficult shifting away from something that is 'doing the job' can be. This is especially true when the superseding solution either doesn't exist or is perceived to be less effective than the one it replaces.
The sad fact is that, over three years on, many NHS providers still lack the tools to provide the convenient functionality that WhatsApp offered, but in a secure way:
1. Sharing across different sites, especially those on different Microsoft Teams tenants.
2. Sharing video and images securely.
3. Direct secure sharing with service users (which, as far as I understand, was not a factor in the NHS Lanarkshire case).
NHS Lanarkshire, for example, is now in the process of exploring a solution.
Ideally, the response of NHS Lanarkshire, and of other organizations seeking not only to respond to data breaches but to stop them happening in the first place, will cover not only the prevention of human error, but also the scenarios in which services are trying to serve their patients, so that their judgment does not become misjudgement and lead to consequences. Solutions such as Zivver, built to provide the functionality and security needed to support and protect patients, could have given clinical services a secure alternative and helped avoid this outcome, especially considering the complex behavioral factors involved.
Whilst the ICO reprimand should hopefully drive helpful discussions around better policies, digital tools and support for services, it's important to recognize that the NHS Lanarkshire scenario, and no doubt many unreported incidents, happened against a complex, challenging and confusing backdrop. I have little doubt that the services themselves felt their decision was in the interest of their patients, and that the "benefits outweighed the risk".
Learn more about how Zivver's solutions are empowering NHS trusts such as Royal Papworth NHS Foundation Trust by helping to drive innovation and enhancing data protection efforts.
Last updated - 30/08/23