A student received a photograph in his peer review group's WhatsApp chat. The photo was of an interesting clinical condition spotted by another member of the group whilst on placement earlier that day, which the sender was keen to discuss with the rest of the group.
The student noticed that, as well as appearing in the group chat, the photograph had automatically downloaded to the camera roll on his phone. He wondered if this might be a breach of confidentiality as, even if the patient had consented to the picture being taken, they might not have expected the photograph to be shared with a group of people, and to inadvertently appear on a number of personal devices.
The student contacted the MDU for advice on whether he should raise the issue with his colleague and peer review group.
The GMC says that you must only take photographs if the patient gives their consent.
Taking photographs or making audio or video recordings for a purpose other than direct patient care is classified as making the recordings for secondary purposes. Secondary purposes include teaching, research and assessments. Before taking such photographs you should tell patients:
- the purpose of the recording and how it will be used; you should explain what WhatsApp is and who has access to it.
- how long the recording will be kept and how it will be stored.
- that they can withdraw consent at any time and that this will not affect their clinical care.
You should not use the photograph beyond the scope of the original consent without further consent.
If the patient has consented to anonymised images being shared with other students you should be aware that it is not enough just to remove their name and address. The identity of the patient may be determined by piecing other information together, for example if the condition that the patient suffers from is extremely unusual, if the photograph also contains other features such as tattoos or jewellery or if the date and location of the photograph is clear. That information might be pieced together to identify the particular patient.
The identity of the patient may be determined by piecing information together, for example if the condition the patient suffers from is extremely unusual.
Storage of photographs
The Data Protection Act 1998 says that personal data should be stored securely and protected against accidental loss. The Information Commissioner recognises the growing use of personal mobile devices to store personal data, but states that the owner of the device should consider where the information is stored.
The guidance from the ICO says that you should take appropriate measures to protect the data against unlawful access if your mobile phone is lost or stolen. These measures can include controlling access to the data or device by using a password, PIN number or encryption. You should also consider if you are able to remotely delete data if you lose or have your phone stolen.
The GMC and NHS recognise that people are increasingly using social media, including WhatsApp to communicate. The GMC says that you must not use social media to discuss individual patients or their care. NHS Digital says that you should not put patient information on social media.
Whilst WhatsApp is not as open as other media, you need to be very careful that you know who is in your group and that they have agreed not to forward any patient information, including photographs, to third parties. Your medical school will also probably have a policy on the use of social media and patient information and you should adhere to that policy.
Be very careful that you know who is in your group and that they have agreed not to forward any patient information, including photographs, to third parties.
MDU adviser's advice
The MDU adviser suggested that the medical student contact the student who had taken the photograph to see what consent he had taken from the patient, if any. The adviser also suggested that the WhatsApp group review the medical school policy on photographs and social media and adhere to it.
If there was inadequate consent taken or if taking the photographs was contrary to university policy, or if the mobile devices used by group members did not reach the level of security expected by the ICO, the photograph should be permanently deleted from the device and anywhere else it might be stored, such as The Cloud or an SD card.
The adviser recommended that the student who had taken the photo discuss the matter with the medical school. The WhatsApp group should also agree about how the group should be used.