The AHSN Network Supporting the Health and Care Reset logo

The AHSN Network’s new Digital & AI report: ‘Lessons and Legacy from the COVID-19 Pandemic in Health and Care’ as part of the NHS Reset Campaign highlights key findings from a research study to understand how technology has helped reduce the care burden during the pandemic, and to identify what should be sustained in the ‘new normal’ longer-term.

The findings highlight the importance of treating health as our greatest national asset to nurture and protect, with preventative health requiring more attention in the long-term. James Flint, CEO of Hospify Healthcare Messenger, was involved in the study and shares his thoughts:

At the peak of the COVID-19 crisis in the UK in early April 2020 there were over 1,000 COVID-related deaths per day, an estimated 90,000 people in the UK were carrying the virus. Hospitals were inundated with coronavirus patients, NHS England was preparing seven critical care Nightingale Hospitals, the Glasgow’s SEC Centre was being transformed into the NHS Louisa Jordan, and NHS Wales was preparing the Millennium Stadium and a series of regional locations as pandemic treatment centres. By mid-April nearly half of UK doctors were suffering burnout, depression or anxiety.

To help meet the enormous challenges that the COVID-19 crisis presented and to keep a country functioning in lockdown and with social distancing, extraordinary measures were required. Beyond the largest population lockdown in British history and a financial package which would ultimately support over nine million people on furlough, it was clear that rapid innovation beyond physical and regulatory measures would be needed to stem the spread of the disease.

The crisis therefore presented an opportunity for innovation, forcing as it did new ways of working upon health institutions and staff. And the sector duly responded: the introduction of technical solutions to clinical workflows was seen as vital to support and coordinate activity during the crisis, new purchasing frameworks were hurried through and communication platforms were considered.

But introducing technology into healthcare is not a rapid process. Lengthy purchasing procedures must be navigated by both buyers and by sellers, stringent compliance regulations must be met, and an army of end users must be won over to a new way of working.

Anticipating such hurdles in the area of digital communications, the Information Commissioner’s Office (ICO) relaxed its regulatory approach towards popular consumer mobile apps such as WhatsApp and Skype, which as many as 600,000 NHS clinicians were already using in the workplace despite the fact that such apps clearly breached NHS and indeed UK Data Protection Act rules for the handling of patient identifiable data (PID).

But exceptional crises demand exceptional responses and so on March 12th – the same day that the UK’s Chief Medical Officer raised the COVID-19 risk level from medium to high – the ICO published a statement recognising the extraordinary nature of the COVID-19 pandemic and the need to act outside its normal ambit in the interests of public safety.

“The ICO is a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern,” the statement read. “Regarding compliance with data protection, we will take into account the compelling public interest in the current health emergency. The safety and security of the public remains our primary concern.”

Within a week NHSX had followed the ICO’s statement with advice that made allowances for healthcare professionals to use messaging tools such as Microsoft’s Skype, Facebook’s WhatsApp and Apple’s FaceTime in the course of carrying out their duties.

Clinicians reading the headlines that followed might have been forgiven for thinking that all NHS Information Governance and GDPR restrictions had been lifted, and that they were now free to discuss patient cases with colleagues on WhatsApp.

However, when the guidance was examined more closely, it became clear that it contained certain caveats. Not only was permission not extended to the storage of PID using these consumer tools and the restriction of its transmission to instances of absolute necessity, but there was also an insistence that strong passwords and other data protection measures were used.

In fact, it appears that the exemptions were really only designed to allow clinicians to use consumer video conferencing solutions, which do not store data by default, rather than messaging solutions like WhatsApp and Facebook Messenger.

The NHSX advice also deferred to the ICO Working from Home Guidelines which specifically say that: “if you need to share PID with others then choose NHSMail, a secure messaging app or online document sharing system.”

So while the regulators did relax advice and enforcement during the pandemic in the interests of the greater public good, they did not give carte blanche to the storage or transmission of PID using consumer tools on unsecured devices.

The misinterpretation of this advice goes beyond individual clinicians. No less than Matt Hancock, the Secretary of State for Health and Social Care, tweeted that GDPR “has a clause excepting work in the overwhelming public interest,” without providing any clarifying detail.

In fact, the actual provision (as defined in Article 9 of the GDPR and in Schedule 1 Part 1 of the UK Data Protection Act 2018) is for work by public bodies empowered by enactment for specific purposes and does not apply to private organisations such as employers.

Unfortunately, the regulator has subsequently chosen not to carry out any visible enforcement action or to challenge the government’s position, which has allowed these misinterpretations of its advice to propagate.

While almost all organisations have seen their capacity greatly reduced during the lockdown, the ICO and other leaders urgently need to return to business as usual in as much as that is possible in our post-COVID world. Not only should the guidelines be clarified, but it must be clear to organisations and the public that they will be enforced.

It is not just for bureaucratic – or even legal – reasons that this clarity of regulation and visibility of enforcement is needed. If we are to recover from this still very present pandemic, public confidence in the handling of data is vital.

Already we have seen widespread concern over the use of the data collected by the track and trace app and witnessed how this concern greatly affects the efficacy of any technical measures that might be implemented. If members of the public is to be asked to hand over their data, they must be given the confidence that these data will be handled carefully, securely and used only for the purposes stated.

The EU’s General Data Protection Regulation of 2017 created a clear set of international standards for governments and businesses to follow when handling data of all kinds, PID included. This regulation is now incorporated into and implemented by national legislation through Europe, and these standards have also travelled further afield, with many counties on other continents, such as South America, using the GDPR as a template for overhauling their own data protection laws.

Health practitioners are well aware of these regulations and will have received extensive training on them – annual data protection training is now a requirement throughout the NHS, for example. Healthcare professionals should know their Information Governance (IG) and should be able to put into practice what they have learned.

Fortunately, the technology is also now there to support them in this. Even if working remotely or without the provision of a business laptop or phone, it is possible to operate in a compliant way using NHS-approved apps such as Hospify and other apps like it.

The regulations are there, it simply needs to be followed; the technology is available, it simply needs to be used. If it’s not, then we risk another privacy backlash like the one that derailed the Care.Data initiative in 2013. Except this time, the stakes are much higher: the credibility of an entire digital health industry – from comms and remote consultation tools to diagnostics and AI – that, partly as a result of COVID-19, is just taking flight.

This blog is an edited extract from the eBook “Data Protection in the era of Digital Health,” jointly published by Hospify and Securys in September 2020. The complete version is available for download from

Find out more about the launch of the Digital & AI report.