From a quirky 'selfie' to images of a good night out with friends, digital photography has made it easier than ever to capture a memorable picture and share it with others.
According to the photosharing site Instagram, more than 16bn photos have been shared by its users and new images are being uploaded at a rate of 55m every day.1
With many GPs now owning smartphones and tablets with internet access, it may be tempting to make use of popular or more niche filesharing apps and websites, to share photographs with colleagues.
Although this may seem a useful way to discuss medical conditions with other doctors or to seek another professional opinion, the medico-legal risks might outweigh the benefits. Before you share any clinical image, it is essential to ensure you have the patient's consent and have done everything possible to protect their confidentiality.
Patient consent
If an image has been taken as part of a patient's care, perhaps to trace the progress of their condition over time, you should have already obtained their consent, setting out how it will assist in their care and confirming it will be stored securely.2
If practicable, the GMC would usually expect you to explain if the images may be used in anonymised form for a secondary purpose. When patients do not want their image to be used for any other reason, this should be noted in their record.
If, however, you want to take a picture of an unusual presentation to share with colleagues or for research or teaching, you need the patient's explicit consent, whether or not you believe they are identifiable.
It is your responsibility to do this in a way the patient can understand, telling them the purpose of taking the picture, how long it will be kept and how it will be stored.
At the same time, reassure them that they can withdraw consent while the picture is being taken or immediately afterwards, without this affecting the quality of care they receive. Again, the patient's consent should be recorded in their notes.
When the patient is a child who is not Gillick competent, or an adult without capacity, you must obtain permission from someone with authority to act on their behalf.
If the image is not required as part of the patient's care, you and the patient's representative must be satisfied it is necessary, is in the patient's best interests and the purpose cannot be achieved another way.
Bear in mind that as young patients mature, you will need to seek their consent to use images taken in previous years.
If you want to share or disclose an image of a patient who has since died, you should follow their known wishes. If the patient is identifiable, you may need to consider obtaining further authority from their executor or family before the picture appears in the public domain.
Storage and security
The MDU advises doctors to be extremely wary of taking pictures of patients using their own smartphone or tablet.
A digital photograph of a patient will need to be protected in the same way as other clinical records or recordings and this will be more difficult if you use the phone outside work, or other family members or friends have access to it.
Photosharing apps that automatically upload images to the internet are another potential risk.
We recommend that data controllers in GP practices address the possible use of personal devices by staff in their data protection policies. This reflects recent advice from the Information Commissioner's Office (ICO), which warned organisations to be clear about which types of personal data may be processed on personal devices.
The ICO guidance, Bring your own device,3 includes the need for strong passwords, encryption and automatic locks when a password is entered incorrectly too many times.
It also advises registering devices with a remote 'locate and wipe' facility to maintain confidentiality of the data in the event of any loss or theft.
The MDU strongly advises doctors not to store identifiable patient images on unencrypted mobile devices. Not only is this against DH guidance, which states that 'any data to be stored on a ... portable device such as a laptop, PDA or mobile phone, should be encrypted',4 but if your phone was stolen or mislaid, it would be difficult to argue that you had taken all reasonable steps to protect its security.
If the smartphone you use to take a picture is not encrypted, you should download the images to a device that is encrypted and permanently delete the original image.
Social media
The GMC states that you must be careful not to share identifiable information about patients online, even if the site is not accessible to the general public.5
Even if you think you have removed the identifying details, it may still be possible for the patient or someone close to them to recognise the image from an apparently insignificant detail.
The GMC also warns doctors to think very carefully about the amount of information they are revealing, in case multiple posts allow other users to piece the details together and identify the patient.
- Dr Chu is a medico-legal adviser at the MDU.
References
1. Instagram.com
2. GMC. Making and using visual and audio recordings of patients. London, GMC, April 2011.
3. ICO. Bring your own device.
London, ICO, October 2013.
4. Swindells M. 'Dear colleague' letter, 30 January 2008.
5. GMC. Doctors' use of social media. London, GMC, 25 March 2013.
