jeremy wyatt's presentation on privacy for the mhealthhabitat heart of the habitat breakfast...


Upload: mhealth-habitat

Post on 19-Aug-2015


TRANSCRIPT

Privacy and mobile health: how to reduce our apptimism*

* an unrealistic belief that apps solve every health problem

Prof Jeremy Wyatt, University of Leeds

Acknowledgements: Prof Justin Keen & Dr Jon Fistein

Outline

1. Our data and why “anonymised” no longer means much
2. How did we share our data in the pre-mobile era?
3. How do social media & mobile change this?
4. Does this “mHealth privacy gap” matter?
5. How professionals & the NHS manage your data
6. What options do you have if this worries you?
7. Conclusions

1. What is “Our data” ?

Information about us which:

We feel is ours

If revealed without permission could make us feel bad

Could also affect our reputation or prospects – of education, a job, social status, insurance, marriage…

Some views about who controls my data

It’s all mine and no-one can touch it unless I say so – not even researchers, security services etc.

It’s mine and I don’t want it published, but if society needs access it can look - as long as it takes care

There is no personal data: all data belong to the State

Guess who said this:

“We’re … opening up the vast amounts of data generated in our health service. From this month huge amounts of new data are going to be released online. We’re going to consult on actually changing the NHS constitution so that the default setting is for patients’ data to be used for research unless of course they want to opt out. Now let me be clear, this does not threaten privacy, it doesn’t mean anyone can look at your health records but it does mean using anonymous data to make new medical breakthroughs... Now the end result will be… that every time you use the NHS you’re playing a part in the fight against disease at home and around the world.”

David Cameron, Speech on Life Sciences and Opening Up the NHS, 6 December 2011 (http://bit.ly/s4hXEG)

Open personal data

Voter registration

House prices

Care.data – health

HMRC tax records

“Companies… are going to know more about us than we know ourselves. This is state wide identity theft” – David Davis, MP

How easy is it to identify you with no name ?

87% of US residents can be identified from age (not dob), sex, zip code (5 digits)

HES contains all hospital admissions from 2001, partial postcode, sex and dob !

Personal fitness data, eg. Fitbit – height, weight and gender can be inferred from the data; adding location makes the record 100% unique.
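Added example (not from the talk, records constructed here): a k-anonymity check that shows the re-identification point above in code. With date of birth, sex and partial postcode as quasi-identifiers every record is unique; generalising to age band, sex and postcode district is the mitigation that makes each record indistinguishable from at least one other.

```python
"""k-anonymity check over quasi-identifiers (added example, constructed data)."""
from collections import Counter
from datetime import date

# Constructed sample records, not real patients: (dob, sex, partial postcode, result)
RECORDS = [
    (date(1981, 3, 2), "F", "LS2 9", "anaemia"),
    (date(1981, 7, 19), "F", "LS2 9", "normal"),
    (date(1985, 11, 30), "M", "LS6 1", "normal"),
    (date(1985, 10, 4), "M", "LS6 3", "anaemia"),
    (date(1952, 5, 5), "F", "LS2 9", "anaemia"),
    (date(1953, 8, 21), "F", "LS2 8", "normal"),
]

REFERENCE_DATE = date(2015, 8, 19)  # date of the talk; ages are derived from it


def age_band(dob, width=10):
    """Generalise a date of birth to a 10-year band such as '30-39'."""
    had_birthday = (REFERENCE_DATE.month, REFERENCE_DATE.day) >= (dob.month, dob.day)
    age = REFERENCE_DATE.year - dob.year - (0 if had_birthday else 1)
    lo = age - age % width
    return f"{lo}-{lo + width - 1}"


def raw_key(rec):
    """Quasi-identifiers as released: exact dob, sex, partial postcode."""
    dob, sex, pcode, _ = rec
    return (dob.isoformat(), sex, pcode)


def generalised_key(rec):
    """Generalised quasi-identifiers: age band, sex, postcode district."""
    dob, sex, pcode, _ = rec
    return (age_band(dob), sex, pcode.split()[0])  # "LS2 9" -> "LS2"


def k_anonymity(records, key):
    """Return (k, number of unique records): k is the smallest equivalence
    class, i.e. the fewest people who share one set of quasi-identifier values."""
    classes = Counter(key(r) for r in records)
    sizes = [classes[key(r)] for r in records]
    return min(sizes), sum(1 for s in sizes if s == 1)


if __name__ == "__main__":
    print("as released (dob, sex, partial postcode):", k_anonymity(RECORDS, raw_key))
    print("generalised (age band, sex, district):", k_anonymity(RECORDS, generalised_key))
```

A release where k is 1 lets an attacker with a voter roll or similar open data match a row to a person; the NHS safe-haven model on the later slides exists because generalisation alone is often not enough.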

2. Ways we already share data with companies

Loyalty cards

Motor insurance

Mailing lists & census data

Web searches and mobile phones

Loyalty cards

We trade very small benefits for big companies knowing all about our shopping habits:

They know our fruit & veg, alcohol, contraceptive, OTC medicine purchases, clothing sizes, kid’s ages…

Man who discovered daughter was pregnant from supermarket vouchers

What use do they make of this knowledge – as well as putting the pasta sauce next to spaghetti?

Motor insurance

They know our driving history, type of car, miles per year, names of extended family, accidents

Telemetric insurance – box under bonnet measures location, speed, acceleration, braking, time of day / night to calculate risk & monthly premium

Industry share data “to prevent fraud”

How our data is shared in the information age

Google searches

Gmail – adverts

Web cookies – just adverts?

Social media – adverts

Location of our phone

Apps

Google flu trends

How do Google traffic maps work ?

Cambridge traffic at 0600, 12-3-14

Since 2012, Google captures GPS data from Android phones, then processes it to give average speeds

http://googleblog.blogspot.co.uk/2009/08/bright-side-of-sitting-in-traffic.html

3. Smart phone apps and beyond

https://openclipart.org/detail/182175/white-iphone-5-by-barrettward-182175

Apple’s App store contains > 1,000,000 apps, of which 32,000 are lifestyle & 25,000 medical apps http://148apps.biz/app-store-metrics/?mpage=catcount

3,000,000,000 downloads in December 2013, costing $1,000,000,000 http://www.apple.com/pr/library/2014/01/07App-Store-Sales-Top-10-Billion-in-2013.html

Privacy and mHealth apps

Permissions requested: use accounts, modify USB, read phone ID, find files, full net access, view connections…

Our study of 80 apps: average of 4 clear privacy breaches for health apps, only 1 for medical apps

We know that – we read the Terms & Conditions! (this one only 1200 words, but many much longer…)

First Folio, As You Like It. Public Domain. Photo taken by Cowardly Lion – Folio Society edition of 1996

With Hannah Panayiotou & Anam Noel, Leeds medical students

Data brokers

“Even as you’re reading this, your smart phone can reveal your location… data brokers are going to know more about us than we know ourselves”. – Madhumita Venkataraman, Wired Nov 2014

Data you are currently sharing

Any phone – call data record (unique phone ID, phone no. called, time, location – every 7 seconds)

Smart phone: Wifi networks – unique MAC id (Viasense wifi sniffers)

Apps: everything you browse (WebMD); pregnancy due date (MyPregnancyToday); name, email, height, weight (Fitbit)

The data market (diagram)

Data sources: Smart phone; Credit agency; Open data (electoral roll etc.); Social media; Health services?; Your purchases and behaviour; Browsing history; Purchase history (online, point of sale)

Data aggregators: Data brokers; Insurance

Data users: Advertising; Financial services; Insurance industry; Marketing agency

4. Does it matter - how companies use your data

Tailored mailings (everyone), tailored vouchers (eg. Tesco Clubcard)

Tailored adverts on web (Doubleclick, Eyeota, Experian…)

Tailored adverts in shopfronts – Tesco, Godiva (Shoppertrak instore wifi sensors)

Tailored products shown on websites, eg. CapitalOne cards – [x+1] website tracker product (200mS to generate your profile)

Tailored critical illness insurance – Inst of Actuaries, based on HES data

Make money – Facebook make £4 & Google £12 selling your cookie data to advertisers

Total US interactive advertising market 2013: $43Bn

The Amscreen technology (diagram)

You stand outside a shop → TV camera → Quividi algorithm estimates your age, gender → combined with time, location, stock levels from the shop’s product database → TV screen shows images of suitable items, given age, gender, location, time → you want to enter the shop

5. Health data: professional ethics

GMC and other professional bodies: obligation on clinicians to protect all personal data to best of their ability

Exceptions: Notifiable diseases; High risk of immediate harm to others

How your GP and hospital manage your data

Personal data captured by GPs & hospitals is governed by Caldicott 2 principles

All data for management, research, quality improvement etc. must be stripped of identifiers

Caldicott Guardians help resolve grey areas

Central data returns to HSCIC: National Hospital Episode Statistics; Many national audits on specific diseases; GPs may have to send in their data soon

Caldicott 2 principles

1. Justify the purpose(s)
2. Don't use patient identifiable information unless it is necessary
3. Use the minimum necessary patient-identifiable information
4. Access to patient identifiable information should be on a strict need-to-know basis
5. Everyone with access to patient identifiable information should be aware of their responsibilities
6. Understand and comply with the law
7. The duty to share information can be as important as the duty to protect patient confidentiality.

Three categories of data the NHS recognises

Category of data | Example | How NHS manages it
1. Personal level identifiable data | My diagnosis, blood results | Access by health professionals with a smart ID card and “legitimate relationship” only; audit trail of access
2. Aggregated data | Average waiting time; rate of anaemia | Open publication – NHSChoices etc.
3. Everything else – ie. anonymised personal level data | Blood results for the last 1000 patients | Secure “safe haven” to which researchers must log in after getting ethical approval, & where their actions are monitored

6. What options do you have if this worries you?

Option | Pros | Cons
1. Do nothing, ignore it, it’ll go away | Simple | You get manipulated & your life choices may reduce
2. Take an informed, sceptical approach to apps & data sharing | Should improve your life a bit | Untidy, never know if it’s helping or not
3. Explore user controlled data schemes | Empowers you by controlling your data | Few organisations can cope with it yet
4. Become a complete data recluse | No erosion of privacy | No smart phone, apps, social media…

Some questions to ask of any app before using it

1. Who published this app?
2. Who is it for, and what is the purpose?
3. Where does my data go after it leaves the app?
4. Where did the content come from, and when?
5. Is its advice accurate?
6. Is there any evidence that it actually works?

(work of Leeds, Warwick & Coventry Universities & UCL, in collaboration with the Royal College of Physicians, London)

Our Data Mutual - www.ourdatamutual.org

OUR MANIFESTO

ONE: Our data has a value. We want a cut of that value – and a say in how it's used.

TWO: We want our data to be used for good.

THREE: No one is responsible for protecting us from abuse of our data, so we're creating 'our data mutual' to protect ourselves.

Sponsors: Open Data Institute + Bloom marketing agency…

MyDex

We provide you with a hyper-secure storage area so you can manage your personal data your way, from any aspect of your life. 

This includes text, numbers, images, video, certificates and sound.

No-one but the individual can access or see the data

https://mydex.org/ - a social enterprise

Patients know best www.patientsknowbest.com

We put patients in control of their medical records. Everyone benefits, including clinicians, researchers and charities

We are a social enterprise, and our mission is that patients know best

BMJ online poll: 58% of 667 responders voted in favour of giving patients control of their records

MiData www.midatalab.org.uk/midata-explained

Midata programme (from BIS) encourages companies to hand personal transaction data they hold back to customers in machine readable format so they can use the data for their own purposes 

MiData means every individual can get not just their personal data back but also valuable proof of relationships - ID Assurance

ID Assurance means using third-party evidence to prove claims, for example of name or address.

In the paper world we do this with documents such as a passport or electricity bill. Midata delivers electronic versions of these.

Properly encrypted and signed, these help build up to a trustworthy online identity people can use to get things done.

7. Conclusions

1. We knowingly (?) trade off our privacy for benefits
2. Your GP and hospital work hard to protect your data
3. Google, Facebook, Experian and now HSCIC don’t
4. They trade your data as a commodity in a $43Bn+ global business
5. The EU is tightening up data protection law soon, which may help a bit
6. Meanwhile, you have several options to protect your data, including (soon) to control all your data yourself

The Law

EU Data Protection Directive, now UK Data Protection Act

EU Data Protection Regulation from 2015

Human Rights Act right to privacy

Current UK law

Eight data protection principles:

1. Fair processing: consent, vital interests or legal requirement to process data
2. Obtained only for specified purpose
3. Relevant, not excessive for purpose
4. Accurate and kept up to date
5. Not kept longer than needed
6. Processed according to rights of data subjects
7. Protection against unauthorised access or loss of data
8. Not transferred outside EU

Additional requirements for processing sensitive data

Explicit consent*

Necessary to comply with law, or in course of legal proceedings

Necessary to protect vital interests of individual or another person

Carried out by not for profit & not disclosed elsewhere

Individual has published their data

Necessary for statutory or government functions (eg. RIP)

Carried out by health professional & necessary for medical purposes

Necessary to monitor equal opportunity

* …”any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.

EU General Data Protection Regulation 2015

Data controllers must be able to prove consent (opt-in – eg. cookies must ask for permission)

Consent may be withdrawn

Limited consent: scope and timescale

Right to erasure (replaced right to be forgotten)

Privacy by design; privacy defaults to highest setting

Sanctions: fine of up to 100M EUR or 5% of annual worldwide turnover, whichever is greater

Data Protection Impact Assessments to be conducted when specific risks may occur to rights or freedoms of data subjects