Instant Messaging Apps

The request was successful.

Dear London North West University Healthcare NHS Trust,

1. Does the Trust use (or allow) the use of instant messaging apps for the processing of patient identifiable data?

If yes

2. Which messaging app(s) do you use?

3. Has a DPIA been completed? (if yes please include a copy in your response)

4. Has a risk assessment been completed? (if yes please include a copy in your response)

5. Please include any policies or SOPs that detail how the apps are used

For the avoidance of doubt the term processing matches the European Commission definition of "any activity that includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data."

Instant messaging apps may include WhatsApp, Facebook Messenger, Signal, Telegram, Hospify or any similar service.

Yours faithfully,

Samuel Weller

FOI (LONDON NORTH WEST UNIVERSITY HEALTHCARE NHS TRUST), London North West University Healthcare NHS Trust

1 Attachment

Dear Mr Weller,

 

FOI Ref: 2708-20 (*Please quote this reference number on all
correspondence)

 

Please find below the response to your Freedom of Information request to
London North West University Healthcare NHS Trust.

 

You may re-use this information (except for logos) under the terms of the
Open Government Licence^1.  If you would prefer to receive the information
in an alternative electronic format, please let us know.

 

Please let us know if you require more details or further clarification. 
You can find out more about the Trust and our publication scheme at our
website^2.

 

I am now in a position to respond to your noted questions/query as
follows;

 

Instant Messaging Apps

 

1.       Does the Trust use (or allow) the use of instant messaging apps
for the processing of patient identifiable data?

If yes

2.       Which messaging app(s) do you use?

3.       Has a DPIA been completed? (if yes please include a copy in your
response)

4.       Has a risk assessment been completed? (if yes please include a
copy in your response)

5.       Please include any policies or SOPs that detail how the apps are
used

 

Please find attached a copy of the Trust’s ‘Digital Policy’, which
contains information on the ‘acceptable use’ of instant messaging services
(apps)

 

However, with regard to DPIA (Data Protection Impact Assessment) access,
the Trust has engaged section 40(2) of the Act, as disclosure of
documentation such as DPIAs may constitute disclosure of personal
identifiable data, owing to the type of data recorded within DPIAs.

 

In addition, the Trust has also engaged section 31(1) (a) of the Act,
which exempts information if its disclosure is likely to prejudice the
prevention or detection of crime. 

 

The Trust disclosing any risk assessments carried out (Inc. DPIAS) in an
attempt to identify and reduce any potential data security breaches (Inc.
the type of security training staff receive) may jeopardise the Trust’s
security systems and harm the detection of both data and cyber-crime,
which a malicious party may choose to exploit.

 

The Trust has a duty (*and is currently in the process of) publishing (via
Trust Website) any FOI requests the Trust may receive.  Therefore, the
Trust would be obliged to publish any data we may disclose under FOI,
which as aforementioned, which may pose a potential risk to our internal
security systems, which includes staff data security training.

I hope this information helps, however, should you be dissatisfied with
our response, please use our FOI review process by contacting
[1][email address] or writing to:

Information Governance Manager (FOI Review)

Information Governance

Northwick Park Hospital

P Block

Watford Road

Harrow

HA1 3UJ

 

Please be aware that reviews will not be conducted via public forum, and
we will require your name and contact address in order to respond.

 

If you remain dissatisfied after a review, you have the right under s50 of
the Act to apply to the Information Commissioner’s Office for a decision.

 

Further details about this and the Act can be found on their website^3.

 

^1 Either version 3 or, at your discretion, any later version –
[2]http://www.nationalarchives.gov.uk/doc/o...

^2 [3]https://www.lnwh.nhs.uk/about-us/freedom...

^3 [4]http://www.ico.org.uk

 

FOI Team

London North West University Healthcare NHS Trust

[5][email address]

 

 

show quoted sections