ICO concerned by mass health data-sharing with advertisers

The distribution of special category data has set data protection alarm bells ringing

The UK's data regulator has expressed deep concerns over reports that some of the most popular health websites are sharing sensitive data with advertisers across the world.

The majority of prominent health websites embed tracking cookies in users' browsers without explicit consent to allow third-party companies to track them while surfing the internet, according to a Financial Times (FT) investigation. The probe examined 100 health sites, including WebMD and Bupa, and found 79% used such techniques.

Advertisement - Article continues below

This data is then transmitted to a swathe of advertising platforms including Amazon and Facebook, with the majority of data sent to Google's DoubleClick targeted ad platform. This includes information like medical symptoms, diagnoses, drug names and fertility information.

The incident has raised clear General Data Protection Regulation (GDPR) concerns, and the Information Commissioner's Office (ICO) has reiterated past warnings that special category data, such as personal health information, must have greater protections.

"This investigation by the Financial Times further highlights the ICO's concerns about the processing of special category data in online advertising, as well as the role that site owners and publishers play in this ecosystem," the ICO's executive director for technology policy and innovation, Simon McDougall, told IT Pro.

Advertisement - Article continues below

"Under data protection law, organisations have to ensure that their processing is fair, lawful and transparent and that appropriate security is in place.

"In addition, special category data – such as health information – requires greater protection because of its sensitivity and the increased risk of harm to or discrimination against individuals. Organisations have to recognise this and take additional steps to address these risks."

Advertisement - Article continues below

McDougall also highlighted the ICO's own investigations into the adtech industry, published earlier this year, which claimed that companies in this space are actively violating data protection laws.

The report highlighted, in particular, a mechanism known as real-time bidding (RTB), which allows advertisers to compete for available digital space by automatically populating webpages and apps with billions of ads.

Related Resource

Fraud detection in healthcare

A step-by-step guide to incorporating machine learning

Download now

For a handful of websites examined in closer detail, investigators found the privacy policies did not adequately outline that sensitive health data would be shared with third-parties.

In eight cases out of ten, the reporters also found a specific identifier that was transmitted, which could allow information to be tied to an individual, with tracker cookies dropped before consent was provided.

"The interesting point is the British Heart Foundation (BHF) justification in the FT piece, where they admit it's personal data and they're doing it anyway," medConfidential coordinator Sam Smith told IT Pro.

Advertisement - Article continues below

The BHF insisted it does not share or sell personal information that could directly identify an individual, and said it would review how it used cookies and how it seeks consent, with changes implemented in the coming months.

Smith continued: "Facebook are assumed to sell out their users for cash, we don't expect charities with public trust to do the same.

"The FT picked up a bunch of high profile sites, but a bunch of others are probably reconsidering whether the small amount of money they get is worth the price in terms of public trust."

The ICO added that it will assess the information provided by the FT before considering whether this warrants any further investigation.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020
cyber attacks

Trump confirms US cyber attack on Russia election trolls

13 Jul 2020