
LEGAL MEDICO MAGAZINE

law and with us regardless of what happens with Brexit – will classify the transmission of patient identifiable data via servers that are not geographically based solely in the European Economic Area (EEA) as a data breach. On top of that, the rules demand that all data breaches be reported, and that fines of up to 4% of the offending Trust’s, surgery’s or medical business’s annual turnover be levied on those who do not comply. Since WhatsApp, iMessage, Slack, Telegram, Snapchat and all the other commonly used messaging apps will just as likely pass your data via North America as via Europe, using these apps to send any data relating to a patient is pretty much guaranteed to put you – or the institution you work for – in breach of the GDPR, regardless of whether or not the data has ended up in the wrong hands, and regardless of whether or not the data has been encrypted.

There are other issues too – the need to provide for patient access requests is one example that counts these tools out for use in the health industry. As NHS England points out in its Information Governance bulletin [http://webarchive.nationalarchives.gov.uk/20160603154026/https://www.england.nhs.uk/wp-content/uploads/2015/01/ig-bull-21.pdf], "Whatever the other merits of WhatsApp, it should never be used for the sending of information in the professional healthcare environment. WhatsApp, which is owned by Facebook, is a consumer service, which does not have a service level agreement with users and has no relevant data security certification. There is no valid reason for its use within the NHS."

The NHS is already the worst-performing public-sector body when it comes to data breaches and has been fined £1.3m by the ICO for data transgressions over the past few years.
Once GDPR outlaws WhatsApp, the fines are likely to get worse, and it’s only a matter of time before a medical negligence or personal injury claim based on either unauthorised use of messaging or a failure of the existing communications infrastructure is brought against a Trust.

The upshot is that the one industry in which fast and efficient communication is quite literally a life-or-death issue is the one industry which cannot take advantage of the plethora of virtually free communication tools that the vast majority of us keep in our pockets, take entirely for granted, and use every day.

It’s not all bad news, however. The GDPR – the same set of rules that’s about to scare the pants off everyone – may also prove to be the set of rules that allows the situation to improve, and improve rapidly. Its arrival has allowed the Information Commissioner’s Office (ICO) to reformulate UK legislation into a coherent rubric that is relatively free of many of the paradoxes of the past. Since similar clarity in the form of the HIPAA guidelines was introduced to the US in 1996, a marketplace of digital health apps has been able to thrive, secure in the knowledge that there are best data practice standards to which they can conform. So while in the short term GDPR compliance may bring some pain for those slow to stop using consumer-grade tools inappropriately, it will also allow increasing innovation to take place in the marketplace, innovation that will unlock a wave of digital solutions for healthcare that inadequate, out-of-date and contradictory regulatory standards have managed to stifle for so long.

James can be contacted on: jim@hospify.com
Neville can be contacted on: neville@hospify.com