Using video conferencing and consultation tools: guidance for IG professionals
Guidance explaining how video conferencing and consultation tools can be used with patients and service users by information governance, health and care professionals.
It is important that organisations use video conferencing and consulting solutions safely, both for consultations with patients or service users and for communication between colleagues.
Selecting a video conferencing or consulting tool
From an information governance (IG) perspective, any video conferencing or consulting tool can be used provided there has been an appropriate local risk assessment.
GP practices should procure online and video consultation solutions through the Digital Services for Integrated Care Buying Catalogue, which ensures that all listed tools have met national regulatory, clinical safety, information governance, interoperability and accessibility standards.
At the point of procurement, commissioners also assess solutions against the Digital Technology Assessment Criteria (DTAC) to confirm technical and clinical assurance. Commissioners typically purchase licences on behalf of practices and provide a list of compliant tools that have met these requirements, although practices and PCNs may select from any solution that meets the same compliance thresholds.
NHS trusts and foundation trusts procure video consultation platforms through their own established procurement routes in line with national procurement regulations.
Data Protection Impact Assessment (DPIA)
A DPIA is a process to help identify data protection risks. To support compliance with UK GDPR and the Data Protection Act 2018, one should be in place before any video conferencing tool is used. If your organisation is going to process and share personal or confidential patient information during the video consultation in ways not already covered by an existing DPIA, then a DPIA should be carried out. You should make an assessment on whether a DPIA is required.
The DPIA should set out the activity being proposed; the data protection risks; whether the proposed activity is necessary and proportionate; the mitigating actions that can be put in place; and a plan or confirmation that mitigation has been put in place.
Risk assessments
It is important to note that it is an organisation’s own responsibility to perform risk assessments on any products that are used. This should look at all risks, whereas a Data Protection Impact Assessment (DPIA) will look at an individual's data privacy rights. Guidance issued by the National Cyber Security Centre (NCSC) may be used to support your decision-making. The main considerations include:
- where is the app or tool sending the data
- are video calls encrypted end to end
- are people able to record meetings (with third party software) freely without authorisation from the host
- are there options for video consulting services that offer enhanced security or privacy features
Ensuring safe use of video conferencing or consultation tools
You should take note of the recommendations below to support the safe use of video conferencing or consultation tools:
If your organisation has chosen to use free solutions, you are unlikely to have any contract or service level agreement in place with the provider. Using free solutions may mean you do not have any recourse to legal action in the event of system failure.
Local policies should make it clear that only corporate devices or personal mobile devices that have been protected by adequate security should be used. This is typically achieved through network security controls and the use of mobile device management solutions.
You must ensure that all necessary updates for your chosen video conferencing or consultation solution(s) are downloaded as they become available, as these can contain important security updates.
You should ensure that staff are aware of privacy settings in any software you are supporting. For example, in Microsoft Teams, it is highly unlikely that anything should be shared as ‘Public’. If the privacy setting is changed from private to public, this gives access to all 1.2 million NHSmail users, which includes the ability to view or edit any files placed in that team.
If information is shared inappropriately, you should seek advice from your Caldicott Guardian, IG or senior staff.
For patient or service user consultations
The product should support the health or care provider to initiate a video consultation with the patient or service user.
Check that the product being used for the service does not record and store the consultation by default.
Be clear with patients when a video consultation may be offered and how it will take place. Privacy notices should include information about any third-party products you use to provide video consultation services, provide guidance on the secure use of your chosen solution and advise patients or service users if any personal or confidential patient information collected using these services is likely to be stored overseas.
Last edited: 11 May 2026 1:35 pm