This paper is frightening but is extremely well timed given that most organisations should be busily working on their GDPR compliance.

Think of the extremely sensitive personal data that is being shared by these medical professionals on WhatsApp. Think of the number of times people use their phone or download apps that can take information from their phone. Is all this sensitive personal data belonging to patients now sitting in someone's personal cloud storage? Think of the number of times that phones are lost or stolen. If you are properly considering GDPR then you should be considering all of this and more!

This study is a good example of why GDPR is actually so important. The study shows a real disconnect between those medical interns' own concerns around privacy and the reality of using the easiest communication tool.

I wonder is there any BYOD policy within the relevant healthcare organisation? I wonder has it been communicated to staff that this is not an acceptable mechanism for sharing sensitive patient data? It certainly cannot be said that this practice is GDPR compliant. 

The article finishes on the following note:

"The authors said a solution and suitable platform for modern communication was needed and that 85 per cent of interns felt they should be provided with a Health Service Executive-approved instant messaging solution.

Several firms have already developed secure messaging applications for medical staff, which could see them move away from the potential risks of consumer-driven commercial apps."

This advice should be considered by all organisations where personal data could be shared by employees on WhatsApp groups or by other risky means. GDPR means being accountable for what our organisations do with personal data and how we manage personal data. As part of our GDPR audits we need to document the personal data life-cycle. If it transpires that there are unacceptable uses of personal data within that life-cycle we need to deal with them and find other more suitable solutions. We need to make an individual's right to privacy the heart of any processing we carry out.   

If you need advice on data protection and GDPR compliance please contact a member of our Employment Law & Data Protection Team:

http://leman.ie/the-4-departments/employment/

Disclaimer: This article is for guidance purposes only. It does not constitute legal or professional advice. No liability is accepted by Leman Solicitors for any action taken or not taken in reliance on the information set out in this publication. Professional or legal advice should be obtained before taking or refraining from any action as a result of the contents of this publication. Any and all information is subject to change.