This guidance has been reviewed by the Health and Care Information Governance Panel, including the ICO and NDG.

The panel exists to simplify information governance guidance. Have we done a good job? Let us know at england.IGPolicyTeam@nhs.net.

Using mobile messaging

Hand holding a mobile phone.jpg

Delivering a high standard of care relies on effective frontline communication. Mobile messaging is a useful tool in supporting the delivery of individual care, particularly in hospitals. This guidance will support the safe and secure use of mobile messaging. 



Guidance for patients and service users

This guidance is designed to help staff in health and care organisations use mobile messaging (including instant messaging) safely and securely to coordinate patient or service users’ care.


Guidance for healthcare workers

This is a quick guide to help staff in health and care organisations think through the IG considerations when using mobile messaging. 

It is fine to use mobile messaging to communicate with colleagues and patients/service users as needed. It is also fine to use commercial, off-the-shelf applications such as WhatsApp and Telegram where there is no practical alternative and the benefits outweigh the risk.  

Mobile messaging can be useful in health and care settings, particularly in emergency situations, but you should take sufficient steps to safeguard confidentiality. Below are a series of tips that will help you to use mobile messaging safely and keep information confidential.

Tips for using mobile messaging safely

  • Minimise the amount of personal/confidential patient information you communicate via mobile messaging.
  • The mobile messaging conversation does not replace the formal health and care record. Instead, keep separate health and care records, transfer any clinical decisions communicated via mobile messaging as soon as possible and delete the original messaging notes.
  • Remember that mobile messaging conversations may be subject to freedom of information (FOI) requests or subject access requests (SARs).
  • Do not allow anyone else to use your device.
  • Switch on additional security settings such as two-step verification.
  • Set your device to require a passcode immediately, and for it to lock out after a short period of not being used.
  • Disable message notifications on your device’s lock-screen.
  • Enable the remote-wipe feature in case your device is lost or stolen. You should be aware that if this happens, then everything is deleted from your phone, including contacts and photos.
  • Ensure you are communicating with the correct person or group, especially if you have many similar names stored in your personal device’s address book.
  • If you are a mobile messaging group administrator, take great care when selecting the membership of the group, and review the membership regularly.
  • Separate your social groups on mobile messaging from any groups that share clinical or operational information.
  • Review any links to other apps that may be included with the mobile messaging software and consider whether they are best switched off.
  • Unlink the app from your photo library.
  • Be sure to follow your organisation’s policies in relation to mobile devices and mobile messaging.
  • Remember that if you’re using your own device losing it will now have professional as well as personal ramifications.

Guidance for IG professionals

Mobile messaging apps can offer benefits to staff in health and care organisations. IG professionals should develop clear policies to support staff in knowing whether and in what circumstances they can use these tools. It should be possible to manage any risks associated with using mobile messaging apps to ensure that the benefits to care can be delivered. A Data Protection Impact Assessment (DPIA) can support you to do this. A DPIA must be carried out before implementing the use of an app including due diligence on the provider, trackers and permissions embossed in the app.

There are some important data protection considerations surrounding the use of mobile messaging systems, including: 

  • the transfer of special category data across unregulated servers outside the UK - if servers are held abroad, you will need to comply with the rules and regulations of the country where the server is held
  • compliance with data protection requirements regarding transparency, individuals’ rights, and records management
  • data protection security risks, including bringing your own device (BYOD) to work
Hand holding a mobile phone.jpg