Back in July it was reported that NHS doctors were using the social media platform Snapchat to send patient scans to one another. The DeepMind Health Independent Review Panel Annual Report 2017 concluded that this is, “…clearly an insecure, risky and non-auditable way of operating, and cannot continue”. Harry Partridge, an associate at law firm Cripps, considers the implications
Not only is Snapchat unlikely to be an NHS-approved method of communication but its use in this manner highlights broader issues with data-sharing in the health service, particularly how the NHS treats patient data.
The main data-protection legislation is the Data Protection Act 1998 (DPA) but in May 2018 the General Data Protection Regulations (GDPR) come into force, imposing greater obligations on all organisations that collect and process the personal data of EU citizens. Much of the data held by the NHS will be sensitive, personal data because it relates to physical or mental health.
The processing of sensitive, personal data is prohibited unless it falls within exclusions, one of which being where processing is for, ‘legitimate interests’. Getting explicit consent from patients is likely to be the most common, legitimate interest within healthcare. An alternative is where processing is necessary for the provision of health treatment within either the framework of EU and UK law or in relation to a contract with a health professional.
Processing for the provision of health treatment is subject to it being carried out under the responsibility of a professional. Doctors are an obvious example of such a professional, but hospital administration staff and GP receptionists are among those included. This means doctors would usually be allowed to share scans with each other, because this would fall within the legitimate interest grounds – but it’s not as simple as that.
Risk to patient data
There are a number of problems with sharing data using an application like Snapchat. Organisations – and their employees – which handle sensitive personal information must have particular means of collecting the data which are designed to minimise the risk of a breach of confidence, for example, through anonymisation. A mobile ‘phone is unlikely to incorporate the technical security measures – such as encryption of the data – required to ensure a level of security appropriate to the risk. By sharing sensitive personal data on a public app doctors risk the information getting into the wrong hands.
In addition to encryption the GDPR outlines a range of other security measures that organisations must apply, including the integrity of systems and the organisation’s ability to monitor and test their effectiveness. A survey of 600 hospital doctors in the British Medical Journal found 92% use their personal mobile ‘phones for hospital-related work. The NHS would have no way of monitoring what photos are being taken, by whom and with whom they are being shared – dramatically increasing the risk to the security of patient data.
NHS technology infrastructure
Another important aspect of the GDPR is ‘privacy by design’. The doctors’ actions suggest Snapchat was an easy way for them to share the patient scans – which implies the available alternatives are not as user-friendly and another option may need to be established.
However, any new system would need to be designed with data protection compliance considered from the start of the process. It’s not sufficient to attempt to ‘bolt-on’ data protection measures at the end of a project because, under the GDPR, the NHS and its suppliers would have to be able to prove that a ‘privacy by design’ approach had been applied from the outset.
These are important considerations for GPs and all organisations that deal with sensitive personal data.