The reprimand is not about the technology
In my opinion, the issue here is about the lack of control over implementation and ongoing use of the technology, rather than about the technology itself.
If the NHS had done a proper risk assessment, then with controls such as the following, they MAY have considered it appropriate to proceed with pre-nominated classifications of data.
Data in transit:
- analysis of the messaging service to ensure that encryption meets strength requirements, that keys are managed appropriately, that data remains encrypted between user endpoints and that encrypted blocks are not persisted along the way
Data at rest:
- configuration of Mobile Device Management (MDM) infrastructure so that the app and its data reside in an encrypted image managed by the MDM client
- appropriate settings of the messaging app enforced by MDM to eliminate off-device, cloud backups, etc.
- configuration of the MDM to disable screenshotting
- audited human process to clear chats of data which is no longer current
- appropriately managed and audited MDM access control
- tightly controlled and audited human processes for provisioning access and re-attesting ongoing access to the chat group to the necessary staff only and only via MDM controlled devices
Once these sorts of controls (and I’ve no doubt left out some really obvious ones) were possible and in place, then really the only data leak should come through loss or misuse (e.g. taking a photo) of a legitimate device whilst in session, and the NHS would need to decide as part of its pre-implementation risk assessment whether human-dependent policies and training were sufficient mitigation and the residual risk acceptable.