Protecting patient data

Be mindful of how and where you store identifiable patient information.

As a doctor, you have a legal and ethical duty to protect patient confidentiality.

  • Under data protection law, those responsible for patients' sensitive personal data are legally obliged to store it securely and protect it from unauthorised or unlawful processing.
  • The GMC's guidance on confidentiality states that 'you must make sure any personal information about patients that you hold or control is effectively protected at all times against improper access, disclosure or loss'.

You must make sure that identifiable patient data is not improperly disclosed in any circumstances. An inadvertent breach of patient confidentiality could result in you facing a patient complaint, a disciplinary investigation by your employer or a GMC investigation.

Communicating via mobile apps

Mobile messaging is a useful tool for communicating with colleagues and patients, when needed. NHS England suggests taking sufficient steps to safeguard confidentiality, particularly when using ‘commercial, off-the-shelf’ applications such as WhatsApp and Telegram. It says these apps are fine to use ‘when there is no practical alternative and the benefits outweigh the risks’.

There is no official national NHS guidance on the use of certain apps or mobile messaging, other than tips for using mobile messaging safely and taking precautions where possible. Your employer should have its own information security policy with information about the use of mobiles and messaging apps.

Data storage on portable devices

When used with care, portable storage devices are a valuable and convenient way to store and transfer data.

However, since mobile devices are particularly vulnerable to loss or theft, security and best practice should be your first priority.

  • Never store identifiable patient data on personal mobile devices, such as memory sticks, laptops or personal mobile phones, which risk being misplaced or accessed by other people.
  • Familiarise yourself with your employer's information security policy and the name of the person in charge of data security. Always follow your employer's procedures on the use of mobile devices, laptops and portable data storage.
  • Check if your employer's information security policy allows or prohibits exchanging messages with fellow employees about the care of patients via online messaging apps, including, but not restricted to, WhatsApp.
  • If you're worried about whether you should use a portable storage device at work, talk to your employer's information officer for advice. Encrypting and password-protecting patient data on mobile devices is considered standard practice.
  • Make sure you only transfer or store information in line with your employer's information security policies, and take care not to mix professional and personal data. There can be particular dangers where doctors use the same devices for both professional and personal use.
  • Follow relevant GMC and NHS guidance and get to know your legal requirements under data protection law in England, Scotland and Wales.
  • If you lose any data, report the incident to the nominated senior person in your employing organisation immediately. They can then take appropriate action and inform patients, if necessary.

This page was correct at publication on 28/10/2022. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.
