Personal Data, the NHS and Snapchat
Doctors have been in the news because an NHS report that found they are using social media platform Snapchat to send patient scans to each other. Harry Partridge, an associate at law firm Cripps considers the implications.
Not only is Snapchat unlikely to be an NHS-approved method of communication, but this also highlights broader issues with data sharing in the health service, particularly about how the NHS treats patient data.
The main data protection legislation is the Data Protection Act 1998 (DPA) but in May 2018 the General Data Protection Regulations (GDPR) come into force, imposing greater obligations on all organisations that collect and process the personal data of EU citizens. Much of the data held by the NHS will be sensitive personal data, because it relates to physical or mental health.
The processing of sensitive personal data is prohibited unless it falls within exclusions, one of which being where processing is for “legitimate interests”. Getting explicit consent from patients is likely to be the most common legitimate interest within healthcare. An alternative is where processing is necessary for the provision of health treatment within either the framework of EU and UK law or in relation to a contract with a health professional.
Processing for the provision of health treatment is subject to it being carried out under the responsibility of a professional. Doctors are an obvious example of such a professional, but hospital administration staff and GP receptionists are among those included. This means the doctors would usually be allowed to share the scans with each other, because this would fall within the legitimate interest grounds – but it’s not as simple as that.
Risk to patient data
There are a number of problems with sharing data using an application like Snapchat. Organisations (and their employees) which handle sensitive personal information must have particular means of collecting the data which are designed to minimise the risk of a breach of confidence (e.g. through anonymisation). A mobile phone is unlikely to incorporate the technical security measures (such as encryption of the data) required to ensure a level of security appropriate to the risk. By sharing sensitive personal data on a public app, the doctors risk the information getting into the wrong hands.
In addition to encryption, the GDPR outlines a range of other security measures that organisations must apply, including the integrity of systems and the organisation’s ability to monitor and test their effectiveness. A survey from the British Medical Journal of 600 hospital doctors found 92% use their personal mobile phone for hospital-related work. The NHS would have no way of monitoring what photos are being taken by whom and with whom they are being shared, dramatically increasing the risk to the security of patient data.
NHS technology infrastructure
Another important aspect of the GDPR is privacy by design. The doctors’ actions suggest Snapchat was an easy way for them to share the patient scans, which implies the available alternatives are not as user friendly and another option may need to be established. However, any new system would need to be designed with data protection compliance considered from the start of the process. It is not sufficient to attempt to bolt on data protection measures at the end of the project because, under the GDPR, the NHS and its suppliers would have to be able to prove a privacy by design approach had been applied from the outset.
These are important considerations for GPs and all organisations that deal with sensitive personal data.
This article first appeared in Practice Business, September 2017.