IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

ICO concerned by mass health data-sharing with advertisers

The distribution of special category data has set data protection alarm bells ringing

A touchscreen display showing information in line graphs

The UK's data regulator has expressed deep concerns over reports that some of the most popular health websites are sharing sensitive data with advertisers across the world.

The majority of prominent health websites embed tracking cookies in users' browsers without explicit consent to allow third-party companies to track them while surfing the internet, according to a Financial Times (FT) investigation. The probe examined 100 health sites, including WebMD and Bupa, and found 79% used such techniques.

This data is then transmitted to a swathe of advertising platforms including Amazon and Facebook, with the majority of data sent to Google's DoubleClick targeted ad platform. This includes information like medical symptoms, diagnoses, drug names and fertility information.

The incident has raised clear General Data Protection Regulation (GDPR) concerns, and the Information Commissioner's Office (ICO) has reiterated past warnings that special category data, such as personal health information, must have greater protections.

"This investigation by the Financial Times further highlights the ICO's concerns about the processing of special category data in online advertising, as well as the role that site owners and publishers play in this ecosystem," the ICO's executive director for technology policy and innovation, Simon McDougall, told IT Pro.

"Under data protection law, organisations have to ensure that their processing is fair, lawful and transparent and that appropriate security is in place.

"In addition, special category data – such as health information – requires greater protection because of its sensitivity and the increased risk of harm to or discrimination against individuals. Organisations have to recognise this and take additional steps to address these risks."

McDougall also highlighted the ICO's own investigations into the adtech industry, published earlier this year, which claimed that companies in this space are actively violating data protection laws.

The report highlighted, in particular, a mechanism known as real-time bidding (RTB), which allows advertisers to compete for available digital space by automatically populating webpages and apps with billions of ads.

Related Resource

Fraud detection in healthcare

A step-by-step guide to incorporating machine learning

Download now

For a handful of websites examined in closer detail, investigators found the privacy policies did not adequately outline that sensitive health data would be shared with third-parties.

In eight cases out of ten, the reporters also found a specific identifier that was transmitted, which could allow information to be tied to an individual, with tracker cookies dropped before consent was provided.

"The interesting point is the British Heart Foundation (BHF) justification in the FT piece, where they admit it's personal data and they're doing it anyway," medConfidential coordinator Sam Smith told IT Pro.

The BHF insisted it does not share or sell personal information that could directly identify an individual, and said it would review how it used cookies and how it seeks consent, with changes implemented in the coming months.

Smith continued: "Facebook are assumed to sell out their users for cash, we don't expect charities with public trust to do the same.

"The FT picked up a bunch of high profile sites, but a bunch of others are probably reconsidering whether the small amount of money they get is worth the price in terms of public trust."

The ICO added that it will assess the information provided by the FT before considering whether this warrants any further investigation.

Featured Resources

Join the 90% of enterprises accelerating to the cloud

Business transformation through digital modernisation

Free Download

Delivering on demand: Momentum builds toward flexible IT

A modern digital workplace strategy

Free download

Modernise the workforce experience

Actionable insights and an optimised experience for both IT and end users

Free Download

The digital workplace roadmap

A leader's guide to strategy and success

Free Download

Most Popular

Actively exploited server backdoor remains undetected in most organisations' networks
cyber attacks

Actively exploited server backdoor remains undetected in most organisations' networks

1 Jul 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Why India wants to become a chipmaking powerhouse

Why India wants to become a chipmaking powerhouse

28 Jun 2022