Just under two-thirds of NHS Trusts surveyed do not have a policy regarding the use of messaging apps, a freedom of information act (FOI) has revealed.

Hospify, a company that provides a secure mobile messaging service compliant for use in healthcare, sent FOI requests to 152 trusts in England earlier this year, asking a number of questions regarding their instant messaging guidelines.

As part of the request, hospitals were asked whether they had a policy regarding the use of messaging apps by their staff, and whether or not non-compliant apps were actively prohibited from use.

Of the 113 trusts that responded, 62% said they did not have a policy regarding the use of such messaging apps.

Emma Dastur, Hospify’s head of marketing, said she was “surprised” at the general attitude of complacency, especially given the fact that there were no official guidelines from NHS England on the issue.

“Some of the more proactive trusts are have actually written their own policies,” she added.

“To my mind that shows that these are the ones keen to support their staff in the use of new technology.”

One example is Alder Hey Children’s NHS Foundation Trust, which has issued specific guidelines for the use of WhatsApp and other non-health complaint consumer messaging services.

The trust’s policy states that if “tools like text messaging, WhatsApp, Viber and Skype are used for any business purpose, [staff should] remember the principles of information governance (IG) still apply.”

However, the trust also states that its preferred platform, should instant messaging be needed for business use, is WhatsApp.

“This seems completely extraordinary, as WhatsApp contravenes multiple aspects of NHS information governance, UK data protection legislation, and the European General Data Protection Regulation that came into force in May,” Dastur said.

For any group messaging activities, Alder Hey staff are told that group administrators must ensure that:

  • Group membership is appropriate for the purpose of the conversation
  • All members recognise their IG responsibilities; particularly when sending messages e.g. no identifiable information should be included. Admins should remind members regularly of this fact
  • Content is monitored for IG concerns and issues must be acted upon immediately
  • Groups should be closed when there is no further need for them to remain open
  • The group is being used appropriately and in line with this and other Trust policies.
  • Any concerns are voiced to attendees of the group and acted upon appropriately

A spokesman for Alder Hey said: “All trust staff undertake information governance training and we provide clear guidelines within our social media policy, which forbids the sharing, or insecure communication of identifiable patient or staff information.

“However we also encourage them to make use of today’s technology to help them communicate more effectively.”

Though there were examples of good practice identified by the FOI request, other trusts besides Alder Hey gave the impression that they believed instant messaging guidelines could be covered by social media policies, email and SMS and/or information security policies.

However, Hospify argues that these policies do not cover instant messaging because of the very different manner in which messages are handled by these services.

Hospify believes therefore that “messaging warrants its own policies and guidelines for use in order to properly protect staff, patients and trusts from breaches of data protection and other kinds of misuse.”

At the time of writing there are no official guidelines on the use of instant messaging in the NHS published by NHS England, though Digital Health News reported in March 2018 that the Information Governance Alliance (IGA) has drafted guidelines for clinicians using consumer messaging apps for work purposes, hailing such systems as a “useful tool” but highlighting the possibility of “serious” data security concerns.

Digital Health News has contacted NHS England for a comment.