Jeremy Wyatt's presentation on privacy for the mHealthHabitat Heart of the Habitat breakfast...
TRANSCRIPT
Privacy and mobile health: how to reduce our apptimism*
* an unrealistic belief that apps solve every health problem
Prof Jeremy Wyatt, University of Leeds
Acknowledgements: Prof Justin Keen & Dr Jon Fistein
Outline
1. Our data and why “anonymised” no longer means much
2. How did we share our data in the pre-mobile era?
3. How do social media & mobile change this?
4. Does this “mHealth privacy gap” matter?
5. How professionals & the NHS manage your data
6. What options do you have if this worries you?
7. Conclusions
1. What is “Our data”?
Information about us which:
We feel is ours
If revealed without permission could make us feel bad
Could also affect our reputation or prospects - of education, a job, social status, insurance, marriage…
Some views about who controls my data
It’s all mine and no-one can touch it unless I say so – not even researchers, security services etc.
It’s mine and I don’t want it published, but if society needs access it can look - as long as it takes care
There is no personal data: all data belong to the State
Guess who said this:
“We’re … opening up the vast amounts of data generated in our health service. From this month huge amounts of new data are going to be released online. We’re going to consult on actually changing the NHS constitution so that the default setting is for patients’ data to be used for research unless of course they want to opt out. Now let me be clear, this does not threaten privacy, it doesn’t mean anyone can look at your health records but it does mean using anonymous data to make new medical breakthroughs... Now the end result will be… that every time you use the NHS you’re playing a part in the fight against disease at home and around the world.”
David Cameron, Speech on Life Sciences and Opening Up the NHS, 6 December 2011. http://bit.ly/s4hXEG
Open personal data
Voter registration
House prices
Care.data – health
HMRC tax records
“Companies… are going to know more about us than we know ourselves. This is state wide identity theft” – David Davis, MP
How easy is it to identify you with no name?
87% of US residents can be identified from age (not dob), sex, zip code (5 digits)
HES contains all hospital admissions from 2001, partial postcode, sex and dob !
Personal fitness data eg. Fitbit – can infer height, weight, gender from data; adding location makes it 100% unique.
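As an added illustration of why “anonymised” no longer means much (not part of the original slides): a small k-anonymity check over a constructed HES-style extract of (date of birth, sex, partial postcode). The records, the reference date and the generalisation rules are assumptions; the point is that coarsening exact dob to an age band and the postcode to its area lowers the share of unique people but still leaves some individuals unique (k = 1).

```python
from collections import Counter
from datetime import date

# Constructed sample records in the shape of a HES-style extract: exact date of
# birth, sex and partial postcode. All values are made up for illustration.
RECORDS = [
    (date(1970, 3, 14), "F", "LS2 9"),
    (date(1970, 3, 14), "M", "LS2 9"),
    (date(1970, 7, 2), "F", "LS2 9"),
    (date(1982, 11, 30), "F", "LS6 1"),
    (date(1982, 5, 9), "M", "LS6 1"),
    (date(1982, 1, 21), "F", "LS6 1"),
    (date(1955, 8, 8), "M", "LS9 7"),
    (date(1955, 12, 25), "M", "LS9 7"),
]
AS_OF = date(2014, 12, 1)  # assumed reference date for computing ages

def age_band(dob, on=AS_OF, width=10):
    """Generalise an exact date of birth to a ten-year age band, e.g. '40-49'."""
    age = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"

def postcode_area(partial):
    """Keep only the outward part of a partial postcode ('LS2 9' -> 'LS2')."""
    return partial.split()[0]

def raw_key(record):
    """Quasi-identifiers as released: exact dob, sex, partial postcode."""
    return record

def generalised_key(record):
    """The same record after generalisation: age band, sex, postcode area."""
    dob, sex, postcode = record
    return (age_band(dob), sex, postcode_area(postcode))

def k_anonymity(records, key):
    """Size of the smallest group sharing one quasi-identifier combination.
    k == 1 means at least one person is unique, i.e. directly re-identifiable."""
    return min(Counter(key(r) for r in records).values())

def unique_fraction(records, key):
    """Share of records whose quasi-identifier combination appears only once."""
    classes = Counter(key(r) for r in records)
    return sum(1 for r in records if classes[key(r)] == 1) / len(records)
```

With the raw key every record is unique; after generalisation a quarter still are, because a lone man in each postcode area keeps his own equivalence class.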
2. Ways we already share data with companies
Loyalty cards
Motor insurance
Mailing lists & census data
Web searches and mobile phones
Loyalty cards
We trade very small benefits for big companies knowing all about our shopping habits:
They know our fruit & veg, alcohol, contraceptive, OTC medicine purchases, clothing sizes, kids’ ages…
Man who discovered daughter was pregnant from supermarket vouchers
What use do they make of this knowledge – as well as putting the pasta sauce next to spaghetti?
Motor insurance
They know our driving history, type of car, miles per year, names of extended family, accidents
Telemetric insurance – box under bonnet measures location, speed, acceleration, braking, time of day / night to calculate risk & monthly premium
Industry share data “to prevent fraud”
How our data is shared in the information age
Google searches
Gmail - adverts
Web cookies – just adverts?
Social media - adverts
Location of our phone
Apps
How do Google traffic maps work?
Cambridge traffic at 0600, 12-3-14
Since 2012, Google captures GPS data from Android phones, then processes it to give average speeds
http://googleblog.blogspot.co.uk/2009/08/bright-side-of-sitting-in-traffic.html
3. Smart phone apps and beyond
Apple’s App store contains > 1,000,000 apps: 32,000 lifestyle & 25,000 medical apps (http://148apps.biz/app-store-metrics/?mpage=catcount)
3,000,000,000 downloads in December 2013, costing $1,000,000,000 (http://www.apple.com/pr/library/2014/01/07App-Store-Sales-Top-10-Billion-in-2013.html)
Privacy and mHealth apps
Permissions requested: use accounts, modify USB, read phone ID, find files, full net access, view connections…
Our study of 80 apps: average of 4 clear privacy breaches for health apps, only 1 for medical apps
We know that - we read the Terms & Conditions! (this one only 1200 words, but many much longer…)
With Hannah Panayiotou & Anam Noel, Leeds medical students
Data brokers
“Even as you’re reading this, your smart phone can reveal your location… data brokers are going to know more about us than we know ourselves”. – Madhumita Venkataraman, Wired Nov 2014
Data you are currently sharing
Any phone – call data record (unique phone ID, phone no. called, time, location – every 7 seconds)
Smart phone: Wifi networks – unique MAC id (Viasense wifi sniffers)
Apps: everything you browse (WebMD); pregnancy due date (MyPregnancyToday); name, email, height, weight (Fitbit)
The data market (diagram)
Data sources: smart phone, credit agency, open data (electoral roll etc.), social media, your purchases and behaviour, browsing history, purchase history (online, point of sale)
Data aggregators: insurance data brokers, health services?
Data users: advertising, financial services, insurance industry, marketing agency
4. Does it matter - how companies use your data
Tailored mailings (everyone), tailored vouchers (eg. Tesco Clubcard)
Tailored adverts on web (Doubleclick, Eyeota, Experian…)
Tailored adverts in shopfronts – Tesco, Godiva (Shoppertrak in-store wifi sensors)
Tailored products shown on websites, eg. CapitalOne cards – [x+1] website tracker product (200 ms to generate your profile)
Tailored critical illness insurance – Inst of Actuaries, based on HES data
Make money – Facebook make £4 & Google £12 selling your cookie data to advertisers
Total US interactive advertising market 2013: $43Bn
The Amscreen technology (diagram)
Components: TV camera, TV screen, Quividi algorithm, shop’s product database
You stand outside a shop
TV camera + Quividi algorithm → your age, gender
Shop’s product database → time, location, stock levels
TV screen → images of suitable items, given age, gender, location, time
Outcome: you want to enter the shop
5. Health data: professional ethics
GMC and other professional bodies: obligation on clinicians to protect all personal data to best of their ability
Exceptions:
Notifiable diseases
High risk of immediate harm to others
How your GP and hospital manage your data
Personal data captured by GPs & hospitals is governed by Caldicott 2 principles
All data for management, research, quality improvement etc. must be stripped of identifiers
Caldicott Guardians help resolve grey areas
Central data returns to HSCIC: National Hospital Episode Statistics; many national audits on specific diseases; GPs may have to send in their data soon
Caldicott 2 principles
1. Justify the purpose(s)
2. Don't use patient identifiable information unless it is necessary
3. Use the minimum necessary patient-identifiable information
4. Access to patient identifiable information should be on a strict need-to-know basis
5. Everyone with access to patient identifiable information should be aware of their responsibilities
6. Understand and comply with the law
7. The duty to share information can be as important as the duty to protect patient confidentiality.
Three categories of data the NHS recognises
1. Personal level identifiable data
   Example: my diagnosis, blood results
   How NHS manages it: access by health professionals with a smart ID card and “legitimate relationship” only; audit trail of access
2. Aggregated data
   Example: average waiting time; rate of anaemia
   How NHS manages it: open publication - NHSChoices etc.
3. Everything else – ie. anonymised personal level data
   Example: blood results for the last 1000 patients
   How NHS manages it: secure “safe haven” to which researchers must log in after getting ethical approval, & where their actions are monitored
6. What options do you have if this worries you?
Option 1. Do nothing, ignore it, it’ll go away
   Pros: simple
   Cons: you get manipulated & your life choices may reduce
Option 2. Take an informed, sceptical approach to apps & data sharing
   Pros: should improve your life a bit
   Cons: untidy, never know if it’s helping or not
Option 3. Explore user controlled data schemes
   Pros: empowers you by controlling your data
   Cons: few organisations can cope with it yet
Option 4. Become a complete data recluse
   Pros: no erosion of privacy
   Cons: no smart phone, apps, social media…
Some questions to ask of any app before using it
1. Who published this app?
2. Who is it for, and what is the purpose?
3. Where does my data go after it leaves the app?
4. Where did the content come from, and when?
5. Is its advice accurate?
6. Is there any evidence that it actually works?
(work of Leeds, Warwick & Coventry Universities & UCL, in collaboration with the Royal College of Physicians, London)
Our Data Mutual - www.ourdatamutual.org
OUR MANIFESTO
ONE: Our data has a value. We want a cut of that value - and a say in how it's used.
TWO: We want our data to be used for good.
THREE: No one is responsible for protecting us from abuse of our data, so we're creating 'our data mutual' to protect ourselves.
Sponsors: Open Data Institute + Bloom marketing agency…
MyDex
We provide you with a hyper-secure storage area so you can manage your personal data your way, from any aspect of your life.
This includes text, numbers, images, video, certificates and sound.
No-one but the individual can access or see the data
https://mydex.org/ - a social enterprise
Patients know best www.patientsknowbest.com
We put patients in control of their medical records. Everyone benefits, including clinicians, researchers and charities
We are a social enterprise, and our mission is that patients know best
BMJ online poll: 58% of 667 responders voted in favour of giving patients control of their records
MiData www.midatalab.org.uk/midata-explained
Midata programme (from BIS) encourages companies to hand personal transaction data they hold back to customers in machine readable format so they can use the data for their own purposes
MiData means every individual can get not just their personal data back but also valuable proof of relationships - ID Assurance
ID Assurance means using third-party evidence to prove claims, for example of name or address.
In paper world we do this with documents such as a passport or electricity bill. Midata delivers electronic versions of these.
Properly encrypted and signed, these help build up to a trustworthy online identity people can use to get things done.
7. Conclusions
1. We knowingly (?) trade off our privacy for benefits
2. Your GP and hospital work hard to protect your data
3. Google, Facebook, Experian and now HSCIC don’t
4. They trade your data as a commodity in a $43Bn+ global business
5. The EU is tightening up data protection law soon, which may help a bit
6. Meanwhile, you have several options to protect your data, including (soon) to control all your data yourself
The Law
EU Data Protection Directive, now UK Data Protection Act
EU Data Protection Regulation from 2015
Human Rights Act right to privacy
Current UK law
Eight data protection principles:
1. Fair processing: consent, vital interests or legal requirement to process data
2. Obtained only for specified purpose
3. Relevant, not excessive for purpose
4. Accurate and kept up to date
5. Not kept longer than needed
6. Processed according to rights of data subjects
7. Protection against unauthorised access or loss of data
8. Not transferred outside EU
Additional requirements for processing sensitive data
Explicit consent*
Necessary to comply with law, or in course of legal proceedings
Necessary to protect vital interests of individual or another person
Carried out by not for profit & not disclosed elsewhere
Individual has published their data
Necessary for statutory or government functions (eg. RIP)
Carried out by health professional & necessary for medical purposes
Necessary to monitor equal opportunity
* …“any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.
EU General Data Protection Regulation 2015
Data controllers must be able to prove consent (opt-in – eg. cookies must ask for permission)
Consent may be withdrawn
Limited consent: scope and timescale
Right to erasure (replaced right to be forgotten)
Privacy by design; privacy defaults to highest setting
Sanctions: fine of up to 100M EUR or 5% of annual worldwide turnover, whichever is greater
Data Protection Impact Assessments to be conducted when specific risks may occur to rights or freedoms of data subjects