As a doctor, you have an ethical, legal and contractual duty to protect patient confidentiality.
- Under data protection law, those responsible for patient data are legally obliged to store it securely and protect it from unauthorised or unlawful processing.
- The GMC's guidance on confidentiality states that 'you must make sure any personal information about patients that you hold or control is effectively protected at all times against improper access, disclosure or loss'.
You must make sure that identifiable patient data is not improperly disclosed in any circumstances. An inadvertent breach of patient confidentiality could result in you facing patient complaints or even a trust disciplinary or GMC investigation.
Communicating via mobile apps
NHS guidance for doctors using mobile apps which lack proper security features – such as WhatsApp – advises that 'it should never be used for the sending of information in the professional healthcare environment.'
The guidance warns that, as a consumer service, WhatsApp 'does not have a service level agreement with users and has no relevant data security certification' and, as such, should not be used to send patient information or details of clinical cases to colleagues.
Data storage on portable devices
When used with care, portable storage devices are a valuable and convenient way to store and transfer data.
However, since mobile devices are particularly vulnerable to loss or theft, security and best practice should be your first priority.
- Avoid storing identifiable personal data on personal mobile devices, such as memory sticks, laptops or personal mobile phones, which risk being misplaced or accessed by other people.
- Familiarise yourself with your trust's information security policy and the name of the person in charge of data security. Always follow trust procedures on the use of mobile devices, laptops and portable data storage.
- If you are worried about whether you should use a portable storage device at work, talk to your trust information officer for advice. Encryption and password protection of data held on mobile devices would be considered to be standard practice.
- Make sure you only transfer or store information in line with your trust's information security policies, and take care not to mix professional and personal data. There can be particular dangers where doctors use the same devices for both professional and personal use.
- Follow relevant GMC and NHS guidance and get to know your legal requirements under data protection law.
- If you lose any data, report the incident to the nominated senior person in your organisation immediately. They can then take appropriate action and inform patients, if necessary.
This guidance was correct at publication 21/05/2018. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.