
WhatsApp, AI and Patient Data: The Compliance Trap

If your team uses WhatsApp, or anyone in the practice uses free AI tools to help with day-to-day work, there is a good chance you are breaching UK data protection law without realising it. That sounds dramatic, but it is a genuinely common situation, and the good news is that it is very fixable once you know where the line sits.

We are not lawyers, and this is not legal advice. But we look after IT and compliance for dental practices every day, and this is one of the areas we see people get wrong most often. So let us walk through it plainly.

The WhatsApp problem

WhatsApp is everywhere, and lots of practice teams have drifted into using it for work chat. The messages are encrypted in transit, which lulls people into thinking it must be fine for anything. It is not: encryption protects a message while it travels between phones, but it does nothing about where that data is then stored, who else can see it, or whether the practice has any control over it. The regulator has already made the point.

In 2024 the Information Commissioner's Office reprimanded NHS Lanarkshire for staff using WhatsApp to process patient data, including clinical information and images. You can read the ICO reprimand itself if you want the detail. The principle it sets out applies just as much to a dental practice as to a health board: personal messaging apps are not an appropriate place to handle patient information.

Where the line actually sits

This is not a case of "never touch WhatsApp". There are right and wrong ways to use it, and the difference is about what data goes into it.

Things that are generally fine:

  • Messaging patients directly, with their consent, for reminders, enquiries and follow-ups. That is a normal, reasonable use, and we set exactly this sort of thing up properly for practices. We wrote about our own approach in Dental IT is now on WhatsApp.
  • Light internal chat that contains no patient information at all: who is in tomorrow, the rota, "can you grab milk", that kind of thing.

Things that are not fine, and cannot be made fine on WhatsApp:

  • Naming or discussing any patient in a thread.
  • Sending x-rays, photos, forms, referrals or medical histories.
  • Complaints, clinical advice, or any discussion about someone's treatment.

The key point is that WhatsApp cannot be made compliant for the second list. It is not a matter of turning on the right setting. The platform itself is not built to give a practice the control, isolation and accountability that patient data requires, so the answer is not to configure it better but to keep that data off it entirely.

What to use instead

So what do you do when the team genuinely needs to message about patients? You use a business messaging platform that runs in your own private area of the cloud, known as a tenant. That means the data sits in space that is controlled by your organisation, with proper administration, security and audit behind it.

In practice that usually means one of:

  • Microsoft Teams, which most practices already have access to through their Microsoft subscription.
  • Slack, on a paid business plan.
  • Zoom's workplace chat.

It absolutely can be done, and done well. The catch is simply that it is not free, and it needs setting up correctly rather than just being installed. But it turns "messaging about patients" from a compliance risk into a properly controlled part of your practice.

And the same trap with AI

Exactly the same thinking applies to artificial intelligence, and this is the one catching people out right now.

The free, consumer versions of AI tools give you no real guarantees about where your data goes, whether it is kept isolated to you, or whether it might be used to train the model or be visible outside your context. So the moment someone pastes a patient email, a set of notes, or anything identifiable into a free chatbot to "tidy it up", that is a potential breach, in the same way the WhatsApp message was.

To be clear, we are not anti-AI, quite the opposite. We think most practices should be using it, and we have written about using AI well and safely. The difference is entirely about which version you use. The paid, business-grade tools, Microsoft Copilot being the obvious one for practices already on Microsoft 365, come with proper commitments about data storage and isolation. Interestingly, we meet a lot of practices who talk about using AI but have never actually licensed Copilot for their Microsoft tenant, which means whatever they are using is almost certainly not the compliant option.

The simple rule: you can, and probably should, use Copilot. You should not be using the free version of ChatGPT or any other free chatbot for emails, notes or anything that is not a completely anonymous template.

Getting it right

None of this means going without modern tools. It means using the right versions, set up properly, so you get the benefits without quietly sitting on a data protection problem. For most practices that is a Microsoft 365 setup with Teams for internal messaging and Copilot for AI, both configured correctly, plus a sensible WhatsApp setup for patient-facing reminders only.

If you are not sure whether your current WhatsApp and AI habits are on the right side of the line, that is exactly the kind of thing we sort out for practices, and it is part of the wider cybersecurity and compliance work we do. Get in touch and we will help you set it up properly, without the jargon and without the panic.