Personal WhatsApp in care: the GDPR breach you have not noticed

If you run a care service, the most important communication tool in your business is probably a WhatsApp group on someone's personal phone. It works. It is fast. It is also, in the wrong circumstances, a published Information Commissioner's Office reprimand waiting to happen.
This is not a hypothetical. In 2023 the ICO publicly reprimanded NHS Lanarkshire after a staff WhatsApp group was found to have shared more than 500 entries of patient data over two years, including dates of birth, phone numbers, and clinical images, in a group to which a non-staff member had also been added by mistake.
This post is for the people who run rotas, registered managers, and operations leads in care, hospitality, and any setting where the work happens away from a desk. If you have ever said "we know it is not ideal but it is what works", this is for you.
"The personal phone is not a workaround. In care, it is the actual operating system of the business."
Why personal WhatsApp wins in care, every time
Care is mobile-first in a way most software is not built for. A care assistant on a domiciliary round, a nurse on a ward, a support worker between two clients — none of them are sitting at a desktop. The phone is in the pocket and the people they need to reach are on the same phone for everything else.
WhatsApp wins because:
- Everyone already has it. There is no app to learn, no login to issue, no IT request.
- It is reliable on poor connections, which matters in care home corridors and rural rounds.
- It is free at the point of use. Nobody has to ask permission.
- Voice notes work for handovers when typing is not realistic with gloves on.
The point is not that staff are doing something wrong. The point is that the tool is doing exactly what it was designed to do. The compliance gap appears precisely because the tool is so good at its core job.
What the ICO actually found at NHS Lanarkshire
This is the case that turned the abstract risk into a published, citable record. The headline numbers, taken straight from the ICO's 2023 reprimand:
- 26 members of staff had access to a single WhatsApp group between April 2020 and April 2022.
- At least 533 entries in the group included patient names. Children were among them.
- Of those, at least 215 included phone numbers, 96 included dates of birth, and 28 included home addresses.
- 15 images, 3 videos, and 4 screenshots were shared, including clinical images. Clinical images are health data, which is special category data under Article 9 of the UK GDPR.
- One person who did not work for NHS Lanarkshire was added to the group by mistake. They saw all of it.
NHS Lanarkshire had not approved WhatsApp for this use, and that is the point: a policy that says "do not" is not a control. The organisation was reprimanded for failing to put in place "appropriate technical and organisational measures" (the phrase from Article 32 of the UK GDPR) and for failing to assess the risk before staff began using the tool in the field.
Why the personal-phone bit is the real legal exposure
The temptation is to read the NHS Lanarkshire case as an NHS-specific problem. It is not. The ICO has separately confirmed in its own guidance for employers that if your staff are using personal accounts or devices to process information for work, that data can be in scope of a subject access request and the employer is the controller.
Translated for a care provider, that means:
- If a service user, a former resident, or a relative submits a subject access request (DSAR), you may be obliged to search staff personal phones for relevant messages.
- You are responsible for the data even though the device, the SIM, and the WhatsApp account are personal property.
- You have no admin panel, no audit log, no retention control, and no ability to revoke access when someone leaves.
That last bullet is the quiet one. When a care assistant resigns, their personal WhatsApp keeps every photograph of every wound chart, every voice note about every resident, every phone number ever shared in the group. You cannot wipe it. You cannot demand it. You can only ask politely.
The handover problem is not a WhatsApp problem
It is tempting to write this off as a "stop using WhatsApp" post. That is not the right answer either, because the underlying need is real. Shift handovers are mobile, fast, and rich with the kind of context that does not survive being typed into a clinical record. Voice notes and photographs are how care actually communicates.
The fix is not "do less". It is "do the same thing in a tool that is yours, not theirs".
A managed messaging tool does not have to be a ten-thousand-pound clinical system. It has to be a place where the messages are owned by the organisation, not by the personal Meta account of whoever happens to be on shift.
What a defensible care messaging policy looks like
Three practical moves, in order. Most providers can do all three inside a quarter:
- Name the tool. Pick one work-owned messaging app and put its name in your data protection policy. Anything personal becomes "shadow IT" by default, which makes the disciplinary and DSAR position much easier.
- Move the worst categories first. You probably will not migrate every chat in week one. Start with the categories that hurt most in a breach: clinical images, medication queries, anything naming a service user. Get those off personal WhatsApp before you worry about "the kitchen rota chat".
- Set a retention period and an offboarding script. The ICO does not expect you to keep messages forever. It expects you to know how long you keep them and to be able to remove access when staff leave. Both are admin features in any work-owned tool. Neither can be enforced on personal WhatsApp: removing a leaver from the group does not remove the history already on their handset.
WorkChats was built with this exact pattern in mind. It runs on the phone in the pocket, it carries voice notes, it has an admin panel, and the data is yours. If you want the deeper picture of how it fits care, see WorkChats for healthcare teams.
FAQ
Is WhatsApp GDPR compliant for care home communication?
WhatsApp itself is end-to-end encrypted, which is good. The compliance problem is not the encryption. Encryption protects messages in transit; it does nothing about who is in the group, what stays on a leaver's handset, or where that handset's chat backup ends up. The problem is the lack of admin control, the use of personal accounts and devices, and the inability to enforce retention. The ICO has reprimanded organisations for using WhatsApp this way.
Can care staff share patient information on WhatsApp?
Only if your organisation has formally approved WhatsApp for that purpose, completed a data protection impact assessment, has a written policy, and has trained staff on it. In practice almost no provider has all four, which is why the ICO's NHS Lanarkshire reprimand applies broadly.
What did the ICO say about NHS Lanarkshire and WhatsApp?
The ICO issued a public reprimand in 2023 after finding that 26 staff had shared at least 533 entries of patient data, including 215 phone numbers, 96 dates of birth, and clinical images, in a WhatsApp group that had also added a non-staff member by mistake. NHS Lanarkshire had not approved the tool for that use.
Does a personal phone count as a work device under UK GDPR?
If staff use it to process personal data for work, then yes. The employer is the controller for that data, and the device may be in scope of a subject access request. This is the ICO's own published position.
What should a care home WhatsApp policy include?
At minimum: a named approved tool for work messaging, a list of categories of data that must never be shared on personal apps, a retention period, an offboarding step that removes access when staff leave, and evidence that staff have been trained on it. Without those, the policy is not defensible.
Get Early Access
If your shift handovers happen on the phone in the pocket, your work tool should too. WorkChats is built for it. Free for teams up to five, no credit card required. Get Early Access.
