Privacy Lessons From the NHS Lanarkshire WhatsApp Incident
Attorney Jonathan Armstrong on Tackling Shadow IT at Large Organizations
U.K. authorities recently reprimanded health service provider NHS Lanarkshire after staff members shared patients' personal data on messaging service WhatsApp hundreds of times. That privacy lapse demonstrates the risks of shadow IT and the legacy of stop-gap measures taken during the COVID-19 pandemic, said attorney Jonathan Armstrong of Cordery Compliance (see: Privacy Watchdog Slams Sharing of Patient Data Via WhatsApp).
The problem with messaging applications such as WhatsApp, Signal and Telegram is that most people think they're encrypted and are safe for sharing confidential information, but they don't think about the information collected by web tracking cookies, Armstrong said. "If you're sharing data with WhatsApp, do you know what happens to it once it's in the WhatsApp platform? Is that going to be sweated for data to enrich advertising?" he asked.
Training is essential in these cases, and organizations should speak to staff directly to find out what tools they need to do their jobs and so avoid shadow IT. "Make sure that your conventional systems are fit for purpose," he said. "Often we find that people go to shadow IT or alternative means of communication or processing data because the system that they're given isn't fit for purpose."
"AI will be another example," Armstrong said. "Unless we think of a way of giving employees the ability to harness some elements of AI in a friendly and safe environment, they'll go off and do it anyway."
In this video interview with Information Security Media Group, Armstrong discussed:
- The reason behind the U.K. data protection authority's decision to reprimand NHS Lanarkshire;
- How data protection laws such as GDPR apply to situations in which staff use messaging apps for work-related communications;
- Lessons other healthcare providers and organizations can learn from this incident to prevent similar breaches.
Armstrong, an experienced lawyer with Cordery in London, is an expert on data protection and data security law. He advises multinational companies on risk, compliance and technology.