The NHS needs best practice guidelines on instant messaging, and it needs them fast

Hospify’s recent Freedom of Information request reveals that only 2% of NHS Trusts have appropriate policies in place for staff use of instant messaging

As I’ve written previously in this blog, the recent news coverage about the Facebook/Cambridge Analytica scandal has left no one in any doubt about the extent to which the internet giants are abusing and misusing their users’ data. However, recent surveys have found that 43% of all NHS staff and as much as 89% of doctors are regularly using consumer tools like the Facebook-owned WhatsApp to communicate at work about patients.

Instant messaging apps like WhatsApp are popular with healthcare professionals wanting to keep in touch with their teams using their smartphones in the fast-paced environment of a hospital. But these apps do not comply with NHS Information Governance guidelines or the European General Data Protection Regulation (GDPR), which comes into force in the UK, er, that’s right: today!

I’m CEO of an increasingly busy start-up called Hospify, which I co-founded with two surgeons in order to help hospitals and other medical institutions deal with the data compliance pile-up that was going to happen when all those clinicians merrily speeding along in WhatsApp drove smack into the wall of GDPR.

When we started very few people knew what we were talking about; and even if they did, for the most part they didn’t really care. But over the last year, as a catalogue of data security issues from the WannaCry attack to Mark Zuckerberg’s congressional confessions has danced across the news bulletins, that’s changed. Everyone now knows what the issues are, and everyone now cares — even if we only care to the extent of wanting to rid ourselves of all the wretched GDPR privacy permissions currently clogging up our inboxes.

Given this shift in sentiment, and given our vested interest, over at Hospify we wanted to find out what guidance there is to help healthcare staff use instant messaging in a safe and compliant manner. We looked first at the policies issued by professional bodies and found that guidance for instant messaging was limited — we couldn’t find anything really specific, and what guidance did exist was generally concerned with posting on forums, blogs and social networks.

We then contacted NHS England and NHS Scotland, who both told us they had no centralised instant messaging policy, and that policy should be defined by each Trust. So, not to be defeated, a couple of months ago we sent 175 NHS Trusts a freedom of information (FOI) request to find out if they had a specific policy for instant messaging in place.

The results were extremely worrying. Many Trusts pointed to their existing social media policies and the ones from various professional bodies that we’d already looked at as if they also covered instant messaging, but the vast majority of these were actually concerned with best practice around the publishing of content on social media networks.

Instant messaging, with its real-time conversations, is more akin to a phone call than a social media post, and mostly takes place in healthcare during a patient’s treatment. Given the nature of the subject matter in these conversations, sensitive medical information is often shared and discussed — information that can then easily end up stored on unregulated servers in countries outside the European Economic Area, where it is vulnerable to abuse and sits beyond the reach of data subject access requests.

While 60% of the NHS Trusts that we contacted with our FOI request told us they did not yet have a policy in place for the use of instant messaging by staff, only 2% of Trusts had actually issued specific and relevant guidance. The other 38% seemed for the most part to be under the impression that their existing policies requiring patient details to be anonymised when posting to social media covered off all data protection issues, without really appreciating that when it comes to instant messaging, anonymisation is very difficult to do in an effective way — and that even when done correctly it introduces a significant risk of patient misidentification into staff communications and so creates other liabilities.

The Information Commissioner’s Office (ICO) has given clear guidance on the use of messaging apps, but the guidelines from the Department of Health, NHS England and NHS Digital remain confused. GDPR is finally here, and if clinical staff are to avoid disciplinary action over inappropriate use of messaging and Trusts are to avoid fines of up to 4% of their annual turnover for any messaging mishap that can be classified as a data breach, clearly much more needs to be done to get appropriate instant messaging policies in place and disseminate best practice guidelines.