ICO concerned by mass health data-sharing with advertisers

The distribution of special category data has set data protection alarm bells ringing

The UK's data regulator has expressed deep concerns over reports that some of the most popular health websites are sharing sensitive data with advertisers across the world.

The majority of prominent health websites embed tracking cookies in users' browsers without explicit consent to allow third-party companies to track them while surfing the internet, according to a Financial Times (FT) investigation. The probe examined 100 health sites, including WebMD and Bupa, and found 79% used such techniques.

This data is then transmitted to a swathe of advertising platforms including Amazon and Facebook, with the majority of data sent to Google's DoubleClick targeted ad platform. This includes information like medical symptoms, diagnoses, drug names and fertility information.

The incident has raised clear General Data Protection Regulation (GDPR) concerns, and the Information Commissioner's Office (ICO) has reiterated past warnings that special category data, such as personal health information, must have greater protections.

"This investigation by the Financial Times further highlights the ICO's concerns about the processing of special category data in online advertising, as well as the role that site owners and publishers play in this ecosystem," the ICO's executive director for technology policy and innovation, Simon McDougall, told IT Pro.

"Under data protection law, organisations have to ensure that their processing is fair, lawful and transparent and that appropriate security is in place.

"In addition, special category data – such as health information – requires greater protection because of its sensitivity and the increased risk of harm to or discrimination against individuals. Organisations have to recognise this and take additional steps to address these risks."

McDougall also highlighted the ICO's own investigations into the adtech industry, published earlier this year, which claimed that companies in this space are actively violating data protection laws.

The report highlighted, in particular, a mechanism known as real-time bidding (RTB), which allows advertisers to compete for available digital space by automatically populating webpages and apps with billions of ads.

Related Resource

Fraud detection in healthcare

A step-by-step guide to incorporating machine learning

Download now

For a handful of websites examined in closer detail, investigators found the privacy policies did not adequately outline that sensitive health data would be shared with third-parties.

In eight cases out of ten, the reporters also found a specific identifier that was transmitted, which could allow information to be tied to an individual, with tracker cookies dropped before consent was provided.

"The interesting point is the British Heart Foundation (BHF) justification in the FT piece, where they admit it's personal data and they're doing it anyway," medConfidential coordinator Sam Smith told IT Pro.

The BHF insisted it does not share or sell personal information that could directly identify an individual, and said it would review how it used cookies and how it seeks consent, with changes implemented in the coming months.

Smith continued: "Facebook are assumed to sell out their users for cash, we don't expect charities with public trust to do the same.

"The FT picked up a bunch of high profile sites, but a bunch of others are probably reconsidering whether the small amount of money they get is worth the price in terms of public trust."

The ICO added that it will assess the information provided by the FT before considering whether this warrants any further investigation.

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Most Popular

Cisco acquires container security startup Banzai Cloud
Security

Cisco acquires container security startup Banzai Cloud

18 Nov 2020
macOS Big Sur is bricking some older MacBooks
operating systems

macOS Big Sur is bricking some older MacBooks

16 Nov 2020
46 million Animal Jam accounts leaked after comms software breach
Security

46 million Animal Jam accounts leaked after comms software breach

13 Nov 2020