The Information Governance Alliance (IGA) has drafted guidelines for clinicians using instant messaging for work purposes, hailing such systems as a ‘useful tool’ but highlighting the possibility of ‘serious’ data security concerns.

The guidance, published in February, confirms instant messaging services can be used to share clinical information.

But it adds clinicians should ‘minimise the amount of patient identifiable data’ they communicate through such instant messaging services and should be done so in the correct context.

Dr Felix Jackson, founder of clinical messaging app medCrowd, has previously commented to Digital Health on how instant messaging platforms, particularly WhatsApp, are widely used by doctors and clinical teams for quick and easy communications.

While the service is branded a ‘useful tool’ in emergency situations, the guidance is quick to remind clinicians that ‘there are some serious data protection concerns surrounding the use of these systems’ including ‘compliance with data protection requirements’.

“A proportionate approach is therefore needed. Clinicians need to balance these risks against the purpose for which they wish to use instant messaging (e.g. using it in an emergency versus as a general communication tool),” it adds.

The IGA is a partnership which includes NHS Digital, NHS England, the Department of Health and Social Care and Public Health England.

It acts as a source of advice and guidance about the rules on using and sharing information in health and care.

The full list of do’s and don’ts are as follows:


  • minimise the amount of patient identifiable data you communicate via instant messaging
  • set your device to require a passcode as soon as you start using it for this purpose
  • switch on additional security settings such as two-step verification
  • set message notifications to private and disable banners on your device’s lock-screen
  • ensure you are communicating with the correct person or group, especially if you have many similar names stored in your personal device’s address book
  • take care when selecting the membership of the group if you are an instant messaging group administrator, and review the membership periodically
  • separate groups that share clinical or operational information from social groups
  • review links to other apps that may be included with the Instant Messaging software and consider whether they are best switched off
  • follow your organisation’s policies in relation to mobile devices and instant messaging
  • remember that losing your phone now has professional ramifications as well as personal
  • remember that instant messaging conversations may be subject to Subject Access Requests and potentially Freedom of Information requests


  • use a standalone instant messaging application if your organisation provides a suitable alternative
  • use an instant messaging platform unless it meets advanced encryption standards
  • use the instant messaging conversation as the formal medical record: keep separate clinical records and ensure original messaging notes are deleted
  • allow anyone else to use your device at any time

Digital Health News understands the guidance is a draft and is subject to change.

An IGA spokesperson said: “We are currently preparing guidance to enable NHS organisations to implement policies balancing the potential risks to privacy against improvements in patient safety when using instant messaging technologies.”