ICO concerned by mass health data-sharing with advertisers

The distribution of special category data has set data protection alarm bells ringing

The UK's data regulator has expressed deep concerns over reports that some of the most popular health websites are sharing sensitive data with advertisers across the world.

The majority of prominent health websites embed tracking cookies in users' browsers without explicit consent to allow third-party companies to track them while surfing the internet, according to a Financial Times (FT) investigation. The probe examined 100 health sites, including WebMD and Bupa, and found 79% used such techniques.

This data is then transmitted to a swathe of advertising platforms including Amazon and Facebook, with the majority of data sent to Google's DoubleClick targeted ad platform. This includes information like medical symptoms, diagnoses, drug names and fertility information.

The incident has raised clear General Data Protection Regulation (GDPR) concerns, and the Information Commissioner's Office (ICO) has reiterated past warnings that special category data, such as personal health information, must have greater protections.

"This investigation by the Financial Times further highlights the ICO's concerns about the processing of special category data in online advertising, as well as the role that site owners and publishers play in this ecosystem," the ICO's executive director for technology policy and innovation, Simon McDougall, told IT Pro.

Advertisement - Article continues below
Advertisement - Article continues below

"Under data protection law, organisations have to ensure that their processing is fair, lawful and transparent and that appropriate security is in place.

"In addition, special category data – such as health information – requires greater protection because of its sensitivity and the increased risk of harm to or discrimination against individuals. Organisations have to recognise this and take additional steps to address these risks."

McDougall also highlighted the ICO's own investigations into the adtech industry, published earlier this year, which claimed that companies in this space are actively violating data protection laws.

The report highlighted, in particular, a mechanism known as real-time bidding (RTB), which allows advertisers to compete for available digital space by automatically populating webpages and apps with billions of ads.

Related Resource

Fraud detection in healthcare

A step-by-step guide to incorporating machine learning

Download now

For a handful of websites examined in closer detail, investigators found the privacy policies did not adequately outline that sensitive health data would be shared with third-parties.

Advertisement - Article continues below

In eight cases out of ten, the reporters also found a specific identifier that was transmitted, which could allow information to be tied to an individual, with tracker cookies dropped before consent was provided.

"The interesting point is the British Heart Foundation (BHF) justification in the FT piece, where they admit it's personal data and they're doing it anyway," medConfidential coordinator Sam Smith told IT Pro.

The BHF insisted it does not share or sell personal information that could directly identify an individual, and said it would review how it used cookies and how it seeks consent, with changes implemented in the coming months.

Smith continued: "Facebook are assumed to sell out their users for cash, we don't expect charities with public trust to do the same.

"The FT picked up a bunch of high profile sites, but a bunch of others are probably reconsidering whether the small amount of money they get is worth the price in terms of public trust."

The ICO added that it will assess the information provided by the FT before considering whether this warrants any further investigation.

Featured Resources

Transform the operator experience with enhanced automation & analytics

Bring networking into the digital era

Download now

Artificially intelligent data centres

How the C-Suite is embracing continuous change to drive value

Download now

Deliver secure automated multicloud for containers with Red Hat and Juniper

Learn how to get started with the multicloud enabler from Red Hat and Juniper

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now

Most Popular


Patch issued for critical Windows bug

11 Dec 2019
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019

Buy IT to grow, not slow, your business

25 Nov 2019