Privacy Lessons From the NHS Lanarkshire WhatsApp Incident

Attorney Jonathan Armstrong on Tackling Shadow IT at Large Organizations
Jonathan Armstrong, partner, Cordery Compliance

U.K. authorities recently reprimanded health service provider NHS Lanarkshire after staff members shared patients' personal data on messaging service WhatsApp hundreds of times. That privacy lapse demonstrates the risks of shadow IT and the legacy of stop-gap measures taken during the COVID-19 pandemic, said attorney Jonathan Armstrong of Cordery Compliance (see: Privacy Watchdog Slams Sharing of Patient Data Via WhatsApp).

The problem with messaging applications such as WhatsApp, Signal and Telegram is that most people think they're encrypted and are safe for sharing confidential information, but they don't think about the information collected by web tracking cookies, Armstrong said. "If you're sharing data with WhatsApp, do you know what happens to it once it's in the WhatsApp platform? Is that going to be sweated for data to enrich advertising?" he asked.

Training is essential in these cases, and organizations should speak to staff directly and find what tools they need to do their jobs - and to avoid shadow IT. "Make sure that your conventional systems are fit for purpose," he said. "Often we find that people go to shadow IT or alternative means of communication or processing data because the system that they're given isn't fit for purpose."

"AI will be another example," Armstrong said. "Unless we think of a way of giving employees the ability to harness some elements of AI in a friendly and safe environment, they'll go off and do it anyway."

In this video interview with Information Security Media Group, Armstrong discussed:

  • The reason behind the U.K. data protection authority's decision to reprimand NHS Lanarkshire;
  • How data protection laws such as GDPR apply to situations in which staff use messaging apps for work-related communications;
  • Lessons other healthcare providers and organizations can learn from this incident to prevent similar breaches.

Armstrong, an experienced lawyer with Cordery in London, is an expert on data protection and data security law. He advises multinational companies on risk, compliance and technology.

About the Author

Anna Delaney

Director, ISMG Productions

An experienced broadcast journalist, Delaney conducts interviews with senior cybersecurity leaders around the world. Previously, she was editor-in-chief of the website for The European Information Security Summit, or TEISS. Earlier, she worked at Levant TV and Resonance FM and served as a researcher at the BBC and ITV in their documentary and factual TV departments.
