The Information Commissioner’s Office (ICO) has issued a reprimand to NHS Lanarkshire for infringements of the UK General Data Protection Regulation (UK GDPR) arising from the sharing of patient personal data via WhatsApp. The case study offers actionable insights for other data controllers into how to manage the introduction of new applications (apps) into their organisations, and into the information governance risks that accompany organisational change. Accordingly, this article first identifies how the use of a third-party application led to unlawful processing. It closes by outlining the steps organisations need to take to encourage compliance and enable innovation in times of change.
Using WhatsApp Unlawfully
In the early days of the Coronavirus lockdown restrictions in Scotland, the NHS Lanarkshire Executive determined that the WhatsApp messaging application would be made available for download on the organisation’s application portal. However, it was not approved for the purpose of sharing patient data. Nonetheless, once the application was available for download, staff created a WhatsApp group, without the organisation’s knowledge, to facilitate communications that would otherwise have taken place onsite. Throughout the pandemic and beyond, staff shared patient names, contact details, dates of birth, student identification numbers and clinical information through the group.
Consequently, the ICO found three infringements of the UK GDPR: Articles 25(1), 32(1) and 5(1)(f).
- Article 25(1) UK/EU GDPR (data protection by design and by default) requires controllers to implement appropriate technical and organisational measures both at the time the means of processing are determined and at the time of the processing itself. The infringement of Article 25(1) UK GDPR arose because:
  - The ICO found there was no formal process for IT to approve and provision app requests onto managed devices. When WhatsApp was added to the hospital portal it had not been approved; it was simply made available as an emergency measure.
  - The ICO also noted that no data protection impact assessment (DPIA) had been carried out. Because WhatsApp was not approved for sharing patient personal data, nobody assessed the risk that staff would use it for exactly that purpose once it was on their devices.
- Article 32(1) UK/EU GDPR (security of processing) requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The ICO found that NHS Lanarkshire had not implemented appropriate organisational measures to ensure the confidentiality of the data:
  - The ICO found fault with the content, specificity and accessibility of the organisation’s policies. First, NHS Lanarkshire relied on national policies but had no local policy specific to the hospital’s own practices. Second, the general policies it did have, such as a Use of Social Media Policy, were not specific enough to address the risk of sharing patient data through messaging apps. Third, existing policies did not consider smartphones as media for storing information. Fourth, the policies that did exist were difficult to find and did not clearly apply to the use of WhatsApp.
  - The ICO also noted that there was no contract in place with WhatsApp to guarantee the security of the shared data.
  - According to the ICO’s findings, there was no assessment of the risks of staff using the app before it was made available for download on the portal.
  - The ICO found that no communication was issued to staff when the app was made available that set out expectations for the sharing and storage of information.
  - Finally, the ICO noted that no guidance, standard operating procedure or policy governing use of the messaging app was in place before it was made available for download.
- Article 5(1)(f) UK/EU GDPR (the integrity and confidentiality principle) requires that personal data be processed in a manner that ensures appropriate security, including protection “against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.” In this case, the confidentiality of the patients’ personal data was breached in two ways:
  - The first breach occurred when information about patients, including special category health data, was shared through an unauthorised channel.
  - The second occurred when a non-staff member was added to the group in error, resulting in the disclosure of personal information to an unauthorised individual.
Having found three infringements of the UK GDPR, the ICO issued a reprimand rather than a monetary penalty, in line with its revised approach to public sector enforcement announced in June 2022, under which fines are reserved for the most serious cases.
How to introduce a new application in an organisation
The NHS Lanarkshire case study exemplifies the ways in which some organisations struggled to effectively adapt to the disruptive impact of the Coronavirus lockdown on data governance. However, beyond emergency data governance, there are lessons to be learned from the NHS Lanarkshire incident.
Beware shadow IT. Shadow IT refers to devices, applications and services used within an organisation for business purposes without the knowledge or approval of the teams responsible for IT, security and data protection. Unapproved technologies are usually adopted by well-meaning staff who face barriers in using sanctioned tools or processes. In the NHS Lanarkshire case, staff were pushed towards the unapproved messaging app by the absence of a secure clinical image transfer system. The problem is that shadow IT obscures where high-value data is held and bypasses risk identification and management: central teams such as Data Protection, Information Security and Information Management have no oversight of the application’s configuration, who can access it, or the sensitivity of the data being processed in it.
The National Cyber Security Centre (NCSC) has published guidance on managing unknown and unmanaged IT assets. Once such assets are identified, organisations should ask why staff are using unsanctioned solutions, as the answer will surface high-risk personal data flows and point to the targeted policies, processes or guidance that are needed. The goal is not to eliminate risk, but to reduce the likelihood of unlawful processing of personal data to a level that is appropriate to the risk.
Introduce new applications with a suite of appropriate technical and organisational measures. The ICO outlined steps that responsible data controllers should undertake when introducing new applications to an organisation. To satisfy the requirement to implement appropriate organisational measures, prior to making an application available to download, organisations should:
- Complete a risk assessment to identify how the application could be used to inappropriately collect, share or store personal data, and carry out a DPIA where the processing is likely to present a high risk. Consider NCSC guidance on using third-party applications on devices and on secure instant messaging.
- Issue communications outlining expectations on how personal data should be handled, including an explicit statement where an application is not approved for processing personal data.
- Consider whether existing policies and procedures set out specific expectations regarding the application, or develop new policies, procedures or guidance where they do not.
- Ask staff to confirm that they have read and understood the relevant policies and procedures.
Create a change management action plan. The role of organisational change in the breakdown of governance processes was a recurring theme in the NHS Lanarkshire case. Adopting a new platform for managing mobile devices, implementing new processes and transitioning to remote work all increased the likelihood that staff would resort to shadow IT. An effective response to periods of change involves being aware of the impact of change on processing, regaining visibility over assets, data flows and risks, revisiting existing risk assessments, and reinforcing guidance to staff on the appropriate use of devices, systems and personal data.
Organisations are required to assess the risks of their activities involving personal data and to implement technical and organisational safeguards that address the risk of personal data breaches and unlawful data use. Ensuring that appropriate policies, procedures and guidance are in place to support innovation is critical to avoiding the reputational and financial consequences of enforcement action. Contact Trilateral’s experienced advisors to manage data protection and cybersecurity compliance on your behalf.