WhatsApp in a clinical setting


There has long been controversy about using instant messaging in the NHS and introducing the EU’s General Data Protection Regulation (GDPR). 

In response to privacy and security concerns, NHS England, NHS Digital, Public Health England and the Department of Health and Social Care published joint guidance on instant messaging in November last year.

This sets out that staff should only use apps and messaging tools that meet the NHS encryption standard, disable notifications on a device’s lock-screen to protect data privacy, and should delete notes once they have been added to a patient’s medical record.

However, due to outdated communication tools like landlines, desktop email, faxes and bleeps, over 600,000 NHS professionals regularly use WhatsApp and other consumer messaging services to connect within the workplace.

The onset of GDPR back in May 2018 means that employees of healthcare institutions who use such consumer tools to handle identifiable patient data are liable for fines of up to 4% of their annual turnover. All health and social care organisations must comply with the National Data Opt Out by September 2020.

There is a clear need for an application designed to correspond with the compliance and security requirements of the NHS. So, with 1.5 billion active users across the globe, why is WhatsApp such a no-go in the healthcare industry?

WhatsApp Themselves Say “No” to Professional Use

WhatsApp may be easy and convenient, but using it for professional purposes is against the terms of service. To cover themselves against the risks that come with work-related communication, WhatsApp states explicitly:

“You will not use (or assist others in using) our Services in ways that:(f) involve any non-personal use of our Services unless otherwise authorised by us.”

Issues with GDPR Compliance

WhatsApp utilises user information to operate, understand, improve, customise, and support. It also accesses your address book and metadata to enable the exchange of messages between you and your contacts.

Any sector dealing with sensitive and confidential information deserves high-priority protection, and this is something that WhatsApp are unable to provide. In the healthcare industry, a significant cause for concern is the fact that any member of staff can add anyone else (including patients and suppliers) to a WhatsApp group without their consent. Suppose an employee provides WhatsApp with access to their phone contacts, and those contacts include other members of staff or patients. In that case, they essentially upload that data to Facebook without consent.

Of course, WhatsApp protects itself by making this “consent” the responsibility of individual users:

“You provide us, all in accordance with applicable laws, the phone numbers of WhatsApp users and your other contacts in your mobile address book on a regular basis, including for both the users of our Services and your other contacts.”

Official Data Can Be Lost or Stolen

If you are a healthcare professional and use WhatsApp to communicate at work, you run an enormous risk of your data being lost or stolen if you misplace your phone.

WhatsApp does not provide a security layer to prevent data loss or theft. As its user accounts have no data access control defined, confidential healthcare data may be accessed by others in case of mobile theft.

Messages in WhatsApp are End-to-End Encrypted

This means that it is not possible to audit conversations for regulatory purposes. It also means that accessing the contents or metadata from discussions for functional data analysis is impossible.

WhatsApp is Not a “Cross-Platform.”

It isn’t possible to have a desktop-only WhatsApp account, and desktop usage depends upon having a working and authenticated WhatsApp on a mobile device with a phone number. While a large number of healthcare workers use Smartphones, there are still some who do not.


“Alertive has allowed my virtual nurses to safely, securely and efficiently communicate with one another from their own homes. We use it to safely discuss patient care while improving our workflow.”

– Deputy Sister, Virtual Ward, NNUH

Assessment Face ID

Use Alertive to protect the privacy of communications within your organisation and create a complete, secure, auditable record of digital communications. The historical record provides customers with a better understanding of accountability, helps identify opportunities for improvements in how care is delivered and helps the organisation defend itself against costly fines. 

Key Features 

Manage access using biometrics, FaceID and secondary PINs.

Alertive are ISO27001, DTAC and DCB0129 (clinical risk) compliant and ensure that all data is encrypted in transit (TLD) and at rest (AES-256/GCM).

Access historical records of communication relating to individual patient cases.

Ban users from using Alertive if they pose a security risk.

Benefits Delivered

Compliment the EPR in creating a full, auditable record of patient care.

Raise standards associated with protecting sensitive patient information.

Reduce organisational risk by verifying care delivered and identifying areas of potential exposure.