In an era where digital communication is ubiquitous, it’s imperative for schools to be vigilant about the platforms they use and the manner in which they’re used. The recent reprimand issued by the Information Commissioner’s Office (ICO) to NHS Lanarkshire serves as a timely reminder of the potential pitfalls of using popular messaging apps like WhatsApp without clear protocols and guidance.

The Incident

Between April 2020 and April 2022, 26 staff at NHS Lanarkshire utilised a WhatsApp group to share patient data on more than 500 occasions. This data included names, phone numbers, addresses, images, videos, and screenshots containing clinical information. Alarmingly, a non-staff member was inadvertently added to this group, leading to the unintentional disclosure of personal information to an unauthorised individual. 

Lessons for Schools

While this incident unfolded within the healthcare sector, its implications are far-reaching and hold significant lessons for educational institutions. The ICO’s investigation highlighted that NHS Lanarkshire lacked the necessary policies, guidance, and processes when WhatsApp was introduced. This oversight resulted in the unsafe and unauthorised dissemination of sensitive data.

Clear Guidance and Protocols

It’s paramount for schools to establish clear protocols and guidance for using communication platforms like WhatsApp. Staff must be unequivocally informed that personal WhatsApp accounts are not to be used for sharing organisational data. This encompasses student data, staff information, or any other confidential school-related details.

Risk Assessment

Before introducing new apps or communication tools, schools should undertake a comprehensive risk assessment (known as a DPIA) concerning personal data. This involves examination of the app’s privacy protocols, security measures, and data management practices. The ICO recently underscored the importance of this, stating the need to “consider the risks relating to personal data before deploying new apps.”

Training and Awareness

Continuous training is essential. Schools should ensure that all staff members are well-versed in data protection laws, school policies, and procedures. They should be acutely aware of their responsibilities, especially when it comes to reporting personal data breaches promptly.

Recommendations from the ICO

Drawing from the ICO’s own recommendations, schools should consider the following:

  • Secure Data Transfer:
    If schools need to transfer images or any other form of data, they should consider implementing a secure transfer system. This ensures that sensitive data is shared in a protected environment, reducing the risk of breaches.
  • App Deployment:
    Before introducing any new apps, schools should evaluate the potential risks associated with personal data. This includes understanding how the app stores, processes, and shares data.
  • Clear Communication:
    Whenever a new app is introduced, schools should provide explicit communications, instructions, or guidance to staff. This ensures that everyone understands their data protection responsibilities.
  • Policy Review:
    In light of any incident or new guidance, schools should periodically review and update all organisational policies and procedures related to data protection.
  • Breach Reporting:
    All staff members should be trained and reminded of their responsibilities to report personal data breaches internally without delay.


The unauthorised use of WhatsApp by NHS Lanarkshire staff serves as a potent reminder of the potential dangers of data sharing without clear guidelines. Schools must heed this warning and ensure they have robust protocols and guidance in place for using communication platforms. By doing so, they can safeguard sensitive data, adhere to data protection laws, and maintain the trust of students, parents, and staff.

If you have any other questions about this or any other data protection topic, please contact us at

Stay safe and healthy,

The SchoolPro TLC Team


SchoolPro TLC Ltd (2023)

SchoolPro TLC guidance does not constitute legal advice.

SchoolPro TLC is not responsible for the content of external websites.