* Full Disclaimer: I am not a lawyer, but I am a healthy sceptic/critic of privacy policies. My PhD research focuses on notions of informed consent and data trade-offs.
I recently read this post by Jen that reviews the Gut Health Storylines app, a mobile application by Self Care Catalysts (SCC) for people living with Inflammatory Bowel Disease (IBD), Irritable Bowel Syndrome, or any other gut-related condition for that matter. It enables users to log medication, diet, symptoms, mood and stool types. The app looks clean and easy to use and appears to have great functionality, important aspects for an app that is meant to support someone managing a chronic health condition.
Now, I am all for people taking an active role in their health and using technology to help support the process. However, when I see that an app is ‘free’ I am sceptical, especially when it comes to health data. Looking at all the different logging options, this app can potentially hold far more sensitive information than official hospital records do. If a company isn’t profiting from my money, then it certainly is from my data.
Companies and applications that are not acting as a “covered entity” (Braithwaite et al., 1999) for a healthcare provider (i.e. hospitals, doctors’ surgeries etc.) do not have to comply with the same data protection regulations as the health sector does, despite handling what I, at least, would consider health data. Therefore, the sharing or selling of user information is permitted without your informed consent for each exchange.
Now, I took a look at the Privacy Policy, which is unsurprisingly vague and hasn’t been updated since 21st October 2014. Since then, privacy laws have changed somewhat; for instance, Safe Harbor was declared invalid in October 2015 and replaced with Privacy Shield.
Here is a breakdown of the policy:
- Partners include: “pharmaceutical companies, medical device companies, non-profit organizations”
Unfortunately, it is pretty common that partners aren’t named.
- Personal Information is defined as: “any information that can be used to identify an individual, and may include, but is not limited to, the person’s name, email address, postal or other physical address, gender, marital status, occupation…”
- The Restricted Data that isn’t shared with third parties or partners is outlined as “your name and email address”
While your name and email address are sensitive information, I am surprised that these are the only two items that appear to be restricted.
- Shared Data (bundled data from lots of users) will be shared with third parties or partners, but it will be “impossible to identify any individual User or his/her Restricted Data”. It covers:
  - Biographical information, e.g., gender, age, location (city, state and country), general notes;
  - Condition/disease information, e.g., diagnosis date, first symptom, family history;
  - Treatment information, e.g., treatment start dates, stop dates, dosages, side effects, treatment evaluations;
  - Symptom information, e.g., severity, duration; and
  - Aggregated survey responses.
I have some real issues with the guarantee that it will be “impossible” to identify someone from a shared data set. For instance, triangulating this information will mean that users can be identified, especially with a multi-faceted condition such as IBD, where many people’s medication cocktails alone are personalised. It’s also ironic that the policy itself suggests that age, gender, marital status etc. do qualify as personally identifiable information, yet it is “impossible” to identify someone from this information, hmm. Further still, it is not clear how the information is shared with third parties: what does “aggregated reports” actually mean?
- “Shared Data will be used in market research and other areas to better understand the patient experience in order to improve treatment options and health outcomes”
So, does this mean that the information is being shared with pharmaceutical companies, who will ultimately profit regardless?
- SCC “employs contractual and other means to ensure that Partners and third parties protect Personal Information to the same extent as SCC.”
But are they still at liberty to share that information with another party who might be more interested in re-identification: a health insurance broker, for instance?
- Third parties may want to contact you and SCC will ask for informed consent before allowing them to do so. They will also ask for informed consent should SCC wish to obtain official medical records.
- It explains what cookies are, but does not identify what information is being collected through them, whether that’s IP address, device type, session duration, app activity etc.
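To make the triangulation concern above concrete, here is an added example (not from the post, and not SCC’s code) that measures k-anonymity over a constructed set of records holding only the Shared Data fields the policy lists; the users, places and drug names are made up. Even with name and email stripped, every record is unique on the remaining fields, and a personalised medication cocktail stays unique even after the fields are coarsened.

```python
from collections import Counter

# Constructed sample of the "Shared Data" fields the policy passes to partners,
# with name and email (the "Restricted Data") already stripped. Seven fictional
# users; the last one has a personalised medication cocktail.
FIELDS = ("gender", "age", "city", "state", "diagnosis", "treatment")
ROWS = [
    ("F", 34, "Leeds", "West Yorkshire", "2011-03", "mesalazine"),
    ("F", 33, "Bradford", "West Yorkshire", "2011-09", "mesalazine"),
    ("M", 29, "York", "North Yorkshire", "2014-01", "adalimumab"),
    ("M", 26, "Harrogate", "North Yorkshire", "2014-09", "infliximab"),
    ("F", 38, "Leeds", "West Yorkshire", "2009-05", "mesalazine"),
    ("F", 36, "Wakefield", "West Yorkshire", "2009-11", "mesalazine"),
    ("M", 45, "Leeds", "West Yorkshire", "2005-02", "infliximab+azathioprine"),
]
SHARED_DATA = [dict(zip(FIELDS, row)) for row in ROWS]

# Quasi-identifiers: not names, but in combination they single people out.
RAW_QI = ("gender", "age", "city", "diagnosis", "treatment")
GEN_QI = ("gender", "age_band", "state", "diagnosis_year", "treatment_class")
TREATMENT_CLASS = {"mesalazine": "5-ASA", "adalimumab": "biologic", "infliximab": "biologic"}

def equivalence_classes(records, qi):
    """Count records per combination of quasi-identifier values."""
    return Counter(tuple(r[f] for f in qi) for r in records)

def min_k(records, qi):
    """The k of k-anonymity: size of the smallest indistinguishable group."""
    return min(equivalence_classes(records, qi).values())

def singletons(records, qi):
    """Records unique on the quasi-identifiers, i.e. exposed to linkage."""
    classes = equivalence_classes(records, qi)
    return [r for r in records if classes[tuple(r[f] for f in qi)] == 1]

def generalize(rec):
    """Coarsen: 5-year age band, state not city, diagnosis year, drug class."""
    low, tx = rec["age"] // 5 * 5, rec["treatment"]
    cls = "combination" if "+" in tx else TREATMENT_CLASS.get(tx, "other")
    return {"gender": rec["gender"], "age_band": f"{low}-{low + 4}",
            "state": rec["state"], "diagnosis_year": rec["diagnosis"][:4],
            "treatment_class": cls}

if __name__ == "__main__":
    coarse = [generalize(r) for r in SHARED_DATA]
    print("raw k:", min_k(SHARED_DATA, RAW_QI), "generalised k:", min_k(coarse, GEN_QI))
    print("still unique after generalising:", singletons(coarse, GEN_QI))
```

Dropping the outlier record gives k = 2 on the coarsened fields, which is why a policy promising “impossible” re-identification needs to say what generalisation it applies and what minimum group size it enforces.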
Worryingly, the policy neglects to disclose where their servers are kept (and therefore which laws they are subject to). It also provides no indication of how someone can remove their information. Both of these feel a bit tricky with the General Data Protection Regulation coming into force in the EU in 2018.
I guess, like anything, we have to weigh up the threats and risks that come with using any service. But when it comes to an application, any application, that is going to be storing my sensitive health information, I want to have the information clearly available so I can make a rational and informed choice. Although there does seem to be some attention to protecting user privacy, I would want a lot more transparency about how my data is being handled, where it is stored, and which partners and third parties my data will be shared with. Until a policy is transparent about that, I’m afraid I am going to remain dubious and stick to jotting down what I eat, how I poop and how I feel in a notebook.
💩
Braithwaite, D. O., Waldron, V. R., & Finn, J. (1999). Communication of social support in computer-mediated groups for people with disabilities. Health Communication, 11(2), 123-151.