Privacy and mobile health: how to reduce our apptimism*
* an unrealistic belief that apps solve every health problem
Prof Jeremy Wyatt, University of Leeds
Acknowledgements: Prof Justin Keen & Dr Jon Fistein

Outline
1. Our data and why “anonymised” no longer means much
2. How did we share our data in the pre-mobile era ?
3. How do social media & mobile change this ?
4. Does this “mHealth privacy gap” matter ?
5. How professionals & the NHS manage your data
6. What options do you have if this worries you ?
7. Conclusions

1. What is “Our data” ?
Information about us which:
• We feel is ours
• If revealed without permission could make us feel bad
• Could also affect our reputation or prospects - of education, a job, social status, insurance, marriage…

Some views about who controls my data
• It’s all mine and no-one can touch it unless I say so – not even researchers, security services etc.
• It’s mine and I don’t want it published, but if society needs access it can look - as long as it takes care
• There is no personal data: all data belong to the State

Guess who said this:
“We’re … opening up the vast amounts of data generated in our health service. From this month huge amounts of new data are going to be released online. We’re going to consult on actually changing the NHS constitution so that the default setting is for patients’ data to be used for research unless of course they want to opt out. Now let me be clear, this does not threaten privacy, it doesn’t mean anyone can look at your health records but it does mean using anonymous data to make new medical breakthroughs... Now the end result will be… that every time you use the NHS you’re playing a part in the fight against disease at home and around the world.”

Open personal data
• Voter registration
• House prices
• Care.data – health
• HMRC tax records

How easy is it to identify you with no name ?
• 87% of US residents can be identified from age (not dob), sex, zip code (5 digits)
• HES contains all hospital admissions from 2001, partial postcode, sex and dob !
• Personal fitness data eg. Fitbit – can infer height, weight, gender from data; adding location makes it 100% unique
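
Added example, not part of the original slides: a check a data custodian could run before releasing a name-stripped table, counting how many records are still unique on date of birth, sex and partial postcode (the HES fields listed above) and how coarsening those fields changes that. The records, field names and generalisation levels are constructed assumptions for illustration.

```python
from collections import Counter

# Constructed sample records (not real data). Names are already removed,
# as in an "anonymised" release; dob, sex and partial postcode remain.
RECORDS = [
    {"dob": "1961-03-14", "sex": "F", "postcode": "LS2 9", "diagnosis": "anaemia"},
    {"dob": "1961-11-02", "sex": "F", "postcode": "LS2 9", "diagnosis": "asthma"},
    {"dob": "1961-07-23", "sex": "F", "postcode": "LS2 1", "diagnosis": "diabetes"},
    {"dob": "1958-01-30", "sex": "M", "postcode": "LS6 3", "diagnosis": "asthma"},
    {"dob": "1958-09-09", "sex": "M", "postcode": "LS6 2", "diagnosis": "anaemia"},
    {"dob": "1959-05-17", "sex": "M", "postcode": "LS6 3", "diagnosis": "fracture"},
    {"dob": "1984-12-01", "sex": "F", "postcode": "LS2 9", "diagnosis": "asthma"},
    {"dob": "1986-02-20", "sex": "F", "postcode": "LS2 1", "diagnosis": "diabetes"},
]


def quasi_identifier(record, dob_level="day", postcode_level="sector"):
    """Return the (dob, sex, postcode) key at the requested coarseness.

    dob_level:      "day" (full dob), "year", or "decade"
    postcode_level: "sector" (e.g. "LS2 9") or "district" (e.g. "LS2")
    These levels are assumptions chosen for this example.
    """
    year = int(record["dob"][:4])
    if dob_level == "day":
        dob = record["dob"]
    elif dob_level == "year":
        dob = str(year)
    elif dob_level == "decade":
        dob = f"{year // 10 * 10}s"
    else:
        raise ValueError(f"unknown dob_level: {dob_level}")

    if postcode_level == "sector":
        postcode = record["postcode"]
    elif postcode_level == "district":
        postcode = record["postcode"].split()[0]
    else:
        raise ValueError(f"unknown postcode_level: {postcode_level}")

    return (dob, record["sex"], postcode)


def class_sizes(records, dob_level="day", postcode_level="sector"):
    """Count how many records share each quasi-identifier combination."""
    return Counter(quasi_identifier(r, dob_level, postcode_level) for r in records)


def k_anonymity(records, dob_level="day", postcode_level="sector"):
    """Smallest group size: every record hides among at least k records."""
    return min(class_sizes(records, dob_level, postcode_level).values())


def unique_fraction(records, dob_level="day", postcode_level="sector"):
    """Fraction of records that are the only one with their combination."""
    sizes = class_sizes(records, dob_level, postcode_level)
    unique = sum(
        1 for r in records
        if sizes[quasi_identifier(r, dob_level, postcode_level)] == 1
    )
    return unique / len(records)


def records_below_k(records, k, dob_level="day", postcode_level="sector"):
    """Indices of records whose group is smaller than k (need suppression
    or further generalisation before release)."""
    sizes = class_sizes(records, dob_level, postcode_level)
    return [
        i for i, r in enumerate(records)
        if sizes[quasi_identifier(r, dob_level, postcode_level)] < k
    ]


if __name__ == "__main__":
    for dob_level, pc_level in [("day", "sector"), ("year", "district"),
                                ("decade", "district")]:
        print(
            f"dob={dob_level:<6} postcode={pc_level:<8} "
            f"k={k_anonymity(RECORDS, dob_level, pc_level)} "
            f"unique={unique_fraction(RECORDS, dob_level, pc_level):.0%}"
        )
    print("below k=3 at decade/district:",
          records_below_k(RECORDS, 3, "decade", "district"))
```

Even after coarsening to decade of birth and postcode district, two of the eight constructed records sit in a group of only two, so removing names and generalising fields is measured, not assumed.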

2. Ways we already share data with companies
• Loyalty cards
• Motor insurance
• Mailing lists & census data
• Web searches and mobile phones

Loyalty cards
• We trade very small benefits for big companies knowing all about our shopping habits:
• They know our fruit & veg, alcohol, contraceptive, OTC medicine purchases, clothing sizes, kid’s ages…
• Man who discovered daughter was pregnant from supermarket vouchers
• What use do they make of this knowledge – as well as putting the pasta sauce next to spaghetti ?

Motor insurance
• They know our driving history, type of car, miles per year, names of extended family, accidents
• Telemetric insurance – box under bonnet measures location, speed, acceleration, braking, time of day / night to calculate risk & monthly premium
• Industry share data “to prevent fraud”

How our data is shared in the information age
• Google searches
• Gmail - adverts
• Web cookies – just adverts ?
• Social media - adverts
• Location of our phone
• Apps

Google flu trends

How do Google traffic maps work ?
Cambridge traffic at 0600, 12-3-14
Since 2012, Google captures GPS data from Android phones, then processes it to give average speeds
http://googleblog.blogspot.co.uk/2009/08/bright-side-of-sitting-in-traffic.html

3. Smart phone apps and beyond
Apple’s App store contains > 1,000,000 apps
32,000 lifestyle & 25,000 medical apps
http://148apps.biz/app-store-metrics/?mpage=catcount
3,000,000,000 downloads in December 2013, costing $1,000,000,000
http://www.apple.com/pr/library/2014/01/07App-Store-Sales-Top-10-Billion-in-2013.htmli
https://openclipart.org/detail/182175/white-iphone-5-by-barrettward-182175

Privacy and mHealth apps
• Permissions requested: use accounts, modify USB, read phone ID, find files, full net access, view connections…
• Our study of 80 apps: average of 4 clear privacy breaches for health apps, only 1 for medical apps
• We know that - we read the Terms & Conditions ! (this one only 1200 words, but many much longer…)
First Folio As You Like It Public Domain Photo taken by Cowardly Lion - Folio Society edition of 1996
With Hannah Panayiotou & Anam Noel, Leeds medical students

Data brokers
• “Even as you’re reading this, your smart phone can reveal your location… data brokers are going to know more about us than we know ourselves”. – Madhumita Venkataraman, Wired Nov 2014

Data you are currently sharing
• Any phone – call data record (unique phone ID, phone no. called, time, location – every 7 seconds)
• Smart phone:
• Wifi networks – unique MAC id (Viasense wifi sniffers)
• Apps: everything you browse (WebMD); pregnancy due date (MyPregnancyToday), name, email, height, weight (Fitbit)

The data market
[Diagram with three column headings: Data sources; Data aggregators; Data users. Labels shown: Smart phone; Credit agency; Open data (electoral roll etc.); Social media; Marketing agency; Insurance data; Advertising; Financial services; Insurance industry; brokers; Health services ?; Your purchases and behaviour; Browsing history; Purchase history (online, point of sale)]

4. Does it matter - how companies use your data
• Tailored mailings (everyone), tailored vouchers (eg. Tesco Clubcard)
• Tailored adverts on web (Doubleclick, Eyeota, Experian…)
• Tailored adverts in shopfronts – Tesco, Godiva (Shoppertrak instore wifi sensors)
• Tailored products shown on websites, eg. CapitalOne cards – [x+1] website tracker product (200 ms to generate your profile)
• Tailored critical illness insurance – Inst of Actuaries, based on HES data
• Make money – Facebook make £4 & Google £12 selling your cookie data to advertisers
Total US interactive advertising market 2013: $43Bn

The Amscreen technology
[Diagram. Labels shown: You stand outside a shop you want to enter; TV camera; TV screen; Quividi algorithm; Shop’s product database; your age, gender; time, location, stock levels; images of suitable items, given age, gender, location, time]

5. Health data: professional ethics
• GMC and other professional bodies: obligation on clinicians to protect all personal data to best of their ability
• Exceptions:
• Notifiable diseases
• High risk of immediate harm to others

How your GP and hospital manage your data
• Personal data captured by GPs & hospitals is governed by Caldicott 2 principles
• All data for management, research, quality improvement etc. must be stripped of identifiers
• Caldicott Guardians help resolve grey areas
• Central data returns to HSCIC:
• National Hospital Episode Statistics
• Many national audits on specific diseases
• GPs may have to send in their data soon

Caldicott 2 principles
• Justify the purpose(s)
• Don't use patient identifiable information unless it is necessary
• Use the minimum necessary patient-identifiable information
• Access to patient identifiable information should be on a strict need-to-know basis
• Everyone with access to patient identifiable information should be aware of their responsibilities
• Understand and comply with the law
• The duty to share information can be as important as the duty to protect patient confidentiality.

Three categories of data the NHS recognises
Category of data | Example | How NHS manages it
1. Personal level identifiable data | My diagnosis, blood results | Access by health professionals with a smart ID card and “legitimate relationship” only; audit trail of access
2. Aggregated data | Average waiting time; rate of anaemia | Open publication - NHSChoices etc.
3. Everything else – ie. anonymised personal level data | Blood results for the last 1000 patients | Secure “safe haven” to which researchers must log in after getting ethical approval, & where their actions are monitored

6. What options do you have if this worries you ?
Option | Pros | Cons
1. Do nothing, ignore it, it’ll go away | Simple | You get manipulated & your life choices may reduce
2. Take an informed, sceptical approach to apps & data sharing | Should improve your life a bit | Untidy, never know if it’s helping or not
3. Explore user controlled data schemes | Empowers you by controlling your data | Few organisations can cope with it yet
4. Become a complete data recluse | No erosion of privacy | No smart phone, apps, social media…

Some questions to ask of any app before using it
1. Who published this app ?
2. Who is it for, and what is the purpose ?
3. Where does my data go after it leaves the app ?
4. Where did the content come from, and when ?
5. Is its advice accurate ?
6. Is there any evidence that it actually works ?
(work of Leeds, Warwick & Coventry Universities & UCL, in collaboration with the Royal College of Physicians, London)

Our Data Mutual - www.ourdatamutual.org
OUR MANIFESTO
ONE
Our data has a value. We want a cut of that value - and a say in how it's used.
TWO
We want our data to be used for good.
THREE
No one is responsible for protecting us from abuse of our data, so we're creating 'our data mutual' to protect ourselves.

MyDex
• We provide you with a hyper-secure storage area so you can manage your personal data your way, from any aspect of your life.
• This includes text, numbers, images, video, certificates and sound.
• No-one but the individual can access or see the data
• https://mydex.org/ - a social enterprise

Patients know best www.patientsknowbest.com
• We put patients in control of their medical records. Everyone benefits, including clinicians, researchers and charities
• We are a social enterprise, and our mission is that patients know best
• BMJ online poll: 58% of 667 responders voted in favour of giving patients control of their records

MiData www.midatalab.org.uk/midata-explained
• Midata programme (from BIS) encourages companies to hand personal transaction data they hold back to customers in machine readable format so they can use the data for their own purposes
• MiData means every individual can get not just their personal data back but also valuable proof of relationships - ID Assurance
• ID Assurance means using third-party evidence to prove claims, for example of name or address.
• In paper world we do this with documents such as a passport or electricity bill. Midata delivers electronic versions of these.
• Properly encrypted and signed, these help build up to a trustworthy online identity people can use to get things done.

7. Conclusions
1. We knowingly (?) trade off our privacy for benefits
2. Your GP and hospital work hard to protect your data
3. Google, Facebook, Experian and now HSCIC don’t
4. They trade your data as a commodity in a $43Bn+ global business
5. The EU is tightening up data protection law soon, which may help a bit
6. Meanwhile, you have several options to protect your data, including (soon) to control all your data yourself

The Law
• EU Data Protection Directive now
• UK Data Protection Act
• EU Data Protection Regulation from 2015
• Human Rights Act right to privacy

Current UK law
Eight data protection principles:
1. Fair processing: consent, vital interests or legal requirement to process data
2. Obtained only for specified purpose
3. Relevant, not excessive for purpose
4. Accurate and kept up to date
5. Not kept longer than needed
6. Processed according to rights of data subjects
7. Protection against unauthorised access or loss of data
8. Not transferred outside EU

Additional requirements for processing sensitive data
• Explicit consent*
• Necessary to comply with law, or in course of legal proceedings
• Necessary to protect vital interests of individual or another person
• Carried out by not for profit & not disclosed elsewhere
• Individual has published their data
• Necessary for statutory or government functions (eg. RIP), carried out by health professional & necessary for medical purposes
• Necessary to monitor equal opportunity
* …”any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.

EU General Data Protection Regulation 2015
• Data controllers must be able to prove consent (opt-in – eg. cookies must ask for permission)
• Consent may be withdrawn
• Limited consent: scope and timescale
• Right to erasure (replaced right to be forgotten)
• Privacy by design; privacy defaults to highest setting
• Sanctions: fine of up to 100M EUR or 5% of annual worldwide turnover, whichever is greater
• Data Protection Impact Assessments to be conducted when specific risks may occur to rights or freedoms of data subjects

Similar to Jeremy Wyatt's Presentation on Privacy for the mHealthHabitat Heart of the Habitat Breakfast Session - 6th Nov 2014

Deep Leg Vein Thrombosis (DVT): Meaning, Causes, Symptoms, Treatment, and Mor...
The Lifesciences Magazine
 
INFECTION OF THE BRAIN -ENCEPHALITIS ( PPT)
INFECTION OF THE BRAIN -ENCEPHALITIS ( PPT)INFECTION OF THE BRAIN -ENCEPHALITIS ( PPT)
INFECTION OF THE BRAIN -ENCEPHALITIS ( PPT)
blessyjannu21
 
Cold Sores: Causes, Treatments, and Prevention Strategies | The Lifesciences ...
Cold Sores: Causes, Treatments, and Prevention Strategies | The Lifesciences ...Cold Sores: Causes, Treatments, and Prevention Strategies | The Lifesciences ...
Cold Sores: Causes, Treatments, and Prevention Strategies | The Lifesciences ...
The Lifesciences Magazine
 
CCSN_June_06 2024_jones. Cancer Rehabpptx
CCSN_June_06 2024_jones. Cancer RehabpptxCCSN_June_06 2024_jones. Cancer Rehabpptx
CCSN_June_06 2024_jones. Cancer Rehabpptx
Canadian Cancer Survivor Network
 

Recently uploaded (20)

Bringing AI into a Mid-Sized Company: A structured Approach
Bringing AI into a Mid-Sized Company: A structured ApproachBringing AI into a Mid-Sized Company: A structured Approach
Bringing AI into a Mid-Sized Company: A structured Approach
 
CANSA support - Caring for Cancer Patients' Caregivers
CANSA support - Caring for Cancer Patients' CaregiversCANSA support - Caring for Cancer Patients' Caregivers
CANSA support - Caring for Cancer Patients' Caregivers
 
定制(wsu毕业证书)美国华盛顿州立大学毕业证学位证书实拍图原版一模一样
定制(wsu毕业证书)美国华盛顿州立大学毕业证学位证书实拍图原版一模一样定制(wsu毕业证书)美国华盛顿州立大学毕业证学位证书实拍图原版一模一样
定制(wsu毕业证书)美国华盛顿州立大学毕业证学位证书实拍图原版一模一样
 
Champions of Health Spotlight On Leaders Shaping Germany's Healthcare.pdf
Champions of Health Spotlight On Leaders Shaping Germany's Healthcare.pdfChampions of Health Spotlight On Leaders Shaping Germany's Healthcare.pdf
Champions of Health Spotlight On Leaders Shaping Germany's Healthcare.pdf
 
DELIRIUM BY DR JAGMOHAN PRAJAPATI.......
DELIRIUM BY DR JAGMOHAN PRAJAPATI.......DELIRIUM BY DR JAGMOHAN PRAJAPATI.......
DELIRIUM BY DR JAGMOHAN PRAJAPATI.......
 
Tips for Pet Care in winters How to take care of pets.
Tips for Pet Care in winters How to take care of pets.Tips for Pet Care in winters How to take care of pets.
Tips for Pet Care in winters How to take care of pets.
 
PET CT beginners Guide covers some of the underrepresented topics in PET CT
PET CT  beginners Guide  covers some of the underrepresented topics  in PET CTPET CT  beginners Guide  covers some of the underrepresented topics  in PET CT
PET CT beginners Guide covers some of the underrepresented topics in PET CT
 
Under Pressure : Kenneth Kruk's Strategy
Under Pressure : Kenneth Kruk's StrategyUnder Pressure : Kenneth Kruk's Strategy
Under Pressure : Kenneth Kruk's Strategy
 
TEST BANK For Accounting Information Systems, 3rd Edition by Vernon Richardso...
TEST BANK For Accounting Information Systems, 3rd Edition by Vernon Richardso...TEST BANK For Accounting Information Systems, 3rd Edition by Vernon Richardso...
TEST BANK For Accounting Information Systems, 3rd Edition by Vernon Richardso...
 
CMHPSM Regional Compliance Training 2024
CMHPSM Regional Compliance Training 2024CMHPSM Regional Compliance Training 2024
CMHPSM Regional Compliance Training 2024
 
DECODING THE RISKS - ALCOHOL, TOBACCO & DRUGS.pdf
DECODING THE RISKS - ALCOHOL, TOBACCO & DRUGS.pdfDECODING THE RISKS - ALCOHOL, TOBACCO & DRUGS.pdf
DECODING THE RISKS - ALCOHOL, TOBACCO & DRUGS.pdf
 
How Effective is Homeopathic Medicine for Anxiety and Stress Relief.pdf
How Effective is Homeopathic Medicine for Anxiety and Stress Relief.pdfHow Effective is Homeopathic Medicine for Anxiety and Stress Relief.pdf
How Effective is Homeopathic Medicine for Anxiety and Stress Relief.pdf
 
The positive impact of SGRT – The Berkshire Cancer Centre experience
The positive impact of SGRT – The Berkshire Cancer Centre experienceThe positive impact of SGRT – The Berkshire Cancer Centre experience
The positive impact of SGRT – The Berkshire Cancer Centre experience
 
Cardiac Arrhythmias (2).pdf for nursing student
Cardiac Arrhythmias (2).pdf for nursing studentCardiac Arrhythmias (2).pdf for nursing student
Cardiac Arrhythmias (2).pdf for nursing student
 
Rate Controlled Drug Delivery Systems.pdf
Rate Controlled Drug Delivery Systems.pdfRate Controlled Drug Delivery Systems.pdf
Rate Controlled Drug Delivery Systems.pdf
 
Luxurious Spa In Ajman Chandrima Massage Center
Luxurious Spa In Ajman Chandrima Massage CenterLuxurious Spa In Ajman Chandrima Massage Center
Luxurious Spa In Ajman Chandrima Massage Center
 
Deep Leg Vein Thrombosis (DVT): Meaning, Causes, Symptoms, Treatment, and Mor...
Deep Leg Vein Thrombosis (DVT): Meaning, Causes, Symptoms, Treatment, and Mor...Deep Leg Vein Thrombosis (DVT): Meaning, Causes, Symptoms, Treatment, and Mor...
Deep Leg Vein Thrombosis (DVT): Meaning, Causes, Symptoms, Treatment, and Mor...
 
INFECTION OF THE BRAIN -ENCEPHALITIS ( PPT)
INFECTION OF THE BRAIN -ENCEPHALITIS ( PPT)INFECTION OF THE BRAIN -ENCEPHALITIS ( PPT)
INFECTION OF THE BRAIN -ENCEPHALITIS ( PPT)
 
Cold Sores: Causes, Treatments, and Prevention Strategies | The Lifesciences ...
Cold Sores: Causes, Treatments, and Prevention Strategies | The Lifesciences ...Cold Sores: Causes, Treatments, and Prevention Strategies | The Lifesciences ...
Cold Sores: Causes, Treatments, and Prevention Strategies | The Lifesciences ...
 
CCSN_June_06 2024_jones. Cancer Rehabpptx
CCSN_June_06 2024_jones. Cancer RehabpptxCCSN_June_06 2024_jones. Cancer Rehabpptx
CCSN_June_06 2024_jones. Cancer Rehabpptx
 

Jeremy Wyatt's Presentation on Privacy for the mHealthHabitat Heart of the Habitat Breakfast Session - 6th Nov 2014

  • 1. Privacy and mobile health: how to reduce our apptimism* * an unrealistic belief that apps solve every health problem Prof Jeremy Wyatt, University of Leeds Acknowledgements: Prof Justin Keen & Dr Jon Fistein
  • 2. Outline 1. Our data and why “anonymised” no longer means much 2. How did we share our data in the pre-mobile era ? 3. How do social media & mobile change this ? 4. Does this “mHealth privacy gap” matter ? 5. How professionals & the NHS manage your data 6. What options do you have if this worries you ? 7. Conclusions
  • 3. 1. What is “Our data” ? Information about us which:
      - We feel is ours
      - If revealed without permission could make us feel bad
      - Could also affect our reputation or prospects - of education, a job, social status, insurance, marriage…
  • 4. Some views about who controls my data
      - It’s all mine and no-one can touch it unless I say so – not even researchers, security services etc.
      - It’s mine and I don’t want it published, but if society needs access it can look - as long as it takes care
      - There is no personal data: all data belong to the State
  • 5. Guess who said this: “We’re … opening up the vast amounts of data generated in our health service. From this month huge amounts of new data are going to be released online. We’re going to consult on actually changing the NHS constitution so that the default setting is for patients’ data to be used for research unless of course they want to opt out. Now let me be clear, this does not threaten privacy, it doesn’t mean anyone can look at your health records but it does mean using anonymous data to make new medical breakthroughs... Now the end result will be… that every time you use the NHS you’re playing a part in the fight against disease at home and around the world.”
  • 6. Open personal data
      - Voter registration
      - House prices
      - Care.data – health
      - HMRC tax records
  • 7. How easy is it to identify you with no name ?
      - 87% of US residents can be identified from age (not dob), sex, zip code (5 digits)
      - HES contains all hospital admissions from 2001, partial postcode, sex and dob !
      - Personal fitness data eg. Fitbit – can infer height, weight, gender from data; adding location makes it 100% unique
  • 8. 2. Ways we already share data with companies
      - Loyalty cards
      - Motor insurance
      - Mailing lists & census data
      - Web searches and mobile phones
  • 9. Loyalty cards
      - We trade very small benefits for big companies knowing all about our shopping habits:
      - They know our fruit & veg, alcohol, contraceptive, OTC medicine purchases, clothing sizes, kids’ ages…
      - Man who discovered daughter was pregnant from supermarket vouchers
      - What use do they make of this knowledge – as well as putting the pasta sauce next to spaghetti ?
  • 10. Motor insurance
      - They know our driving history, type of car, miles per year, names of extended family, accidents
      - Telemetric insurance – box under bonnet measures location, speed, acceleration, braking, time of day / night to calculate risk & monthly premium
      - Industry share data “to prevent fraud”
  • 11. How our data is shared in the information age
      - Google searches
      - Gmail - adverts
      - Web cookies – just adverts ?
      - Social media - adverts
      - Location of our phone
      - Apps
  • 13. How do Google traffic maps work ? Since 2012, Google captures GPS data from Android phones, then processes it to give average speeds. [Map: Cambridge traffic at 0600, 12-3-14] http://googleblog.blogspot.co.uk/2009/08/bright-side-of-sitting-in-traffic.html
  • 14. 3. Smart phone apps and beyond
      - Apple’s App store contains > 1,000,000 apps
      - 32,000 lifestyle & 25,000 medical apps http://148apps.biz/app-store-metrics/?mpage=catcount
      - 3,000,000,000 downloads in December 2013, costing $1,000,000,000 http://www.apple.com/pr/library/2014/01/07App-Store-Sales-Top-10-Billion-in-2013.html
      [Image: https://openclipart.org/detail/182175/white-iphone-5-by-barrettward-182175]
  • 15. Privacy and mHealth apps
      - Permissions requested: use accounts, modify USB, read phone ID, find files, full net access, view connections…
      - Our study of 80 apps: average of 4 clear privacy breaches for health apps, only 1 for medical apps
      - We know that - we read the Terms & Conditions ! (this one only 1200 words, but many much longer…)
      With Hannah Panayiotou & Anam Noel, Leeds medical students
      [Image: First Folio, As You Like It. Public Domain. Photo taken by Cowardly Lion - Folio Society edition of 1996]
  • 16. Data brokers
      - “Even as you’re reading this, your smart phone can reveal your location… data brokers are going to know more about us than we know ourselves”. – Madhumita Venkataraman, Wired Nov 2014
  • 17. Data you are currently sharing
      - Any phone – call data record (unique phone ID, phone no. called, time, location – every 7 seconds)
      - Smart phone:
      - Wifi networks – unique MAC id (Viasense wifi sniffers)
      - Apps: everything you browse (WebMD); pregnancy due date (MyPregnancyToday), name, email, height, weight (Fitbit)
  • 18. The data market [Diagram; labels: Data sources; Data aggregators; Data users; Smart phone; Credit agency; Open data (electoral roll etc.); Social media; Marketing agency; Insurance data; Advertising; Financial services; Insurance industry brokers; Health services ?; Your purchases and behaviour; Browsing history; Purchase history (online, point of sale)]
  • 19. 4. Does it matter - how companies use your data
      - Tailored mailings (everyone), tailored vouchers (eg. Tesco Clubcard)
      - Tailored adverts on web (Doubleclick, Eyeota, Experian…)
      - Tailored adverts in shopfronts – Tesco, Godiva (Shoppertrak instore wifi sensors)
      - Tailored products shown on websites, eg. CapitalOne cards – [x+1] website tracker product (200mS to generate your profile)
      - Tailored critical illness insurance – Inst of Actuaries, based on HES data
      - Make money – Facebook make £4 & Google £12 selling your cookie data to advertisers
      Total US interactive advertising market 2013: $43Bn
  • 20. The Amscreen technology [Diagram; labels: You stand outside a shop you want to enter; shop TV camera; TV screen; Quividi algorithm; Shop’s product database; your age, gender; time, location, stock levels; images of suitable items, given age, gender, location, time]
  • 21. 5. Health data: professional ethics
      - GMC and other professional bodies: obligation on clinicians to protect all personal data to best of their ability
      - Exceptions:
      - Notifiable diseases
      - High risk of immediate harm to others
  • 22. How your GP and hospital manage your data
      - Personal data captured by GPs & hospitals is governed by Caldicott 2 principles
      - All data for management, research, quality improvement etc. must be stripped of identifiers
      - Caldicott Guardians help resolve grey areas
      - Central data returns to HSCIC:
      - National Hospital Episode Statistics
      - Many national audits on specific diseases
      - GPs may have to send in their data soon
  • 23. Caldicott 2 principles
      - Justify the purpose(s)
      - Don't use patient identifiable information unless it is necessary
      - Use the minimum necessary patient-identifiable information
      - Access to patient identifiable information should be on a strict need-to-know basis
      - Everyone with access to patient identifiable information should be aware of their responsibilities
      - Understand and comply with the law
      - The duty to share information can be as important as the duty to protect patient confidentiality.
  • 24. Three categories of data the NHS recognises
      Category of data | Example | How NHS manages it
      1. Personal level identifiable data | My diagnosis, blood results | Access by health professionals with a smart ID card and “legitimate relationship” only; audit trail of access
      2. Aggregated data | Average waiting time; rate of anaemia | Open publication - NHSChoices etc.
      3. Everything else – ie. anonymised personal level data | Blood results for the last 1000 patients | Secure “safe haven” to which researchers must log in after getting ethical approval, & where their actions are monitored
  • 25. 6. What options do you have if this worries you ?
      Option | Pros | Cons
      1. Do nothing, ignore it, it’ll go away | Simple | You get manipulated & your life choices may reduce
      2. Take an informed, sceptical approach to apps & data sharing | Should improve your life a bit | Untidy, never know if it’s helping or not
      3. Explore user controlled data schemes | Empowers you by controlling your data | Few organisations can cope with it yet
      4. Become a complete data recluse | No erosion of privacy | No smart phone, apps, social media…
  • 26. Some questions to ask of any app before using it 1. Who published this app ? 2. Who is it for, and what is the purpose ? 3. Where does my data go after it leaves the app ? 4. Where did the content come from, and when ? 5. Is its advice accurate ? 6. Is there any evidence that it actually works ? (work of Leeds, Warwick & Coventry Universities & UCL, in collaboration with the Royal College of Physicians, London)
  • 27. Our Data Mutual - www.ourdatamutual.org OUR MANIFESTO ONE Our data has a value. We want a cut of that value - and a say in how it's used. TWO We want our data to be used for good. THREE No one is responsible for protecting us from abuse of our data, so we're creating 'our data mutual' to protect ourselves.
  • 28. MyDex
      - We provide you with a hyper-secure storage area so you can manage your personal data your way, from any aspect of your life.
      - This includes text, numbers, images, video, certificates and sound.
      - No-one but the individual can access or see the data
      - https://mydex.org/ - a social enterprise
  • 29. Patients know best www.patientsknowbest.com
      - We put patients in control of their medical records. Everyone benefits, including clinicians, researchers and charities
      - We are a social enterprise, and our mission is that patients know best
      - BMJ online poll: 58% of 667 responders voted in favour of giving patients control of their records
  • 30. MiData www.midatalab.org.uk/midata-explained
      - Midata programme (from BIS) encourages companies to hand personal transaction data they hold back to customers in machine readable format so they can use the data for their own purposes
      - MiData means every individual can get not just their personal data back but also valuable proof of relationships - ID Assurance
      - ID Assurance means using third-party evidence to prove claims, for example of name or address.
      - In paper world we do this with documents such as a passport or electricity bill. Midata delivers electronic versions of these.
      - Properly encrypted and signed, these help build up to a trustworthy online identity people can use to get things done.
  • 31. 7. Conclusions 1. We knowingly (?) trade off our privacy for benefits 2. Your GP and hospital work hard to protect your data 3. Google, Facebook, Experian and now HSCIC don’t 4. They trade your data as a commodity in a $43Bn+ global business 5. The EU is tightening up data protection law soon, which may help a bit 6. Meanwhile, you have several options to protect your data, including (soon) to control all your data yourself
  • 33. The Law
      - EU Data Protection Directive now
      - UK Data Protection Act
      - EU Data Protection Regulation from 2015
      - Human Rights Act right to privacy
  • 34. Current UK law Eight data protection principles: 1. Fair processing: consent, vital interests or legal requirement to process data 2. Obtained only for specified purpose 3. Relevant, not excessive for purpose 4. Accurate and kept up to date 5. Not kept longer than needed 6. Processed according to rights of data subjects 7. Protection against unauthorised access or loss of data 8. Not transferred outside EU
  • 35. Additional requirements for processing sensitive data
      - Explicit consent*
      - Necessary to comply with law, or in course of legal proceedings
      - Necessary to protect vital interests of individual or another person
      - Carried out by not for profit & not disclosed elsewhere
      - Individual has published their data
      - Necessary for statutory or government functions (eg. RIP), carried out by health professional & necessary for medical purposes
      - Necessary to monitor equal opportunity
      * “…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.
  • 36. EU General Data Protection Regulation 2015
      - Data controllers must be able to prove consent (opt-in – eg. cookies must ask for permission)
      - Consent may be withdrawn
      - Limited consent: scope and timescale
      - Right to erasure (replaced right to be forgotten)
      - Privacy by design; privacy defaults to highest setting
      - Sanctions: fine of up to 100M EUR or 5% of annual worldwide turnover, whichever is greater
      - Data Protection Impact Assessments to be conducted when specific risks may occur to rights or freedoms of data subjects
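
Slide 7's point, that age, sex and postcode single most people out even with the name removed, can be measured on a dataset before it is released. The following is an added example, not part of the original slides: it groups name-free records by those three fields, reports the smallest group size (k-anonymity) and the share of unique records, and shows the effect of coarsening to age bands and partial postcode. The records, field names and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: no names, three quasi-identifiers, one sensitive field.
RECORDS = [
    {"age": 34, "sex": "F", "postcode": "LS2 9JT", "diagnosis": "asthma"},
    {"age": 36, "sex": "F", "postcode": "LS2 9DA", "diagnosis": "diabetes"},
    {"age": 31, "sex": "F", "postcode": "LS2 8AB", "diagnosis": "asthma"},
    {"age": 52, "sex": "M", "postcode": "LS6 1AN", "diagnosis": "hypertension"},
    {"age": 58, "sex": "M", "postcode": "LS6 2QR", "diagnosis": "hypertension"},
    {"age": 55, "sex": "M", "postcode": "LS6 3HB", "diagnosis": "hypertension"},
    {"age": 47, "sex": "F", "postcode": "LS11 5QT", "diagnosis": "depression"},
    {"age": 41, "sex": "F", "postcode": "LS11 8PG", "diagnosis": "anaemia"},
]


def generalise(record, age_band=1, district_only=False):
    """Return the (age, sex, postcode) key after optional coarsening."""
    age = record["age"]
    if age_band > 1:
        low = age - age % age_band
        age_key = f"{low}-{low + age_band - 1}"
    else:
        age_key = str(age)
    postcode = record["postcode"]
    if district_only:
        postcode = postcode.split()[0]  # partial postcode, e.g. "LS2"
    return (age_key, record["sex"], postcode)


def risk_report(records, sensitive="diagnosis", **coarsening):
    """Measure how identifying the quasi-identifiers are in a name-free release."""
    classes = defaultdict(list)
    for rec in records:
        classes[generalise(rec, **coarsening)].append(rec[sensitive])
    sizes = [len(values) for values in classes.values()]
    unique = sum(1 for size in sizes if size == 1)
    # A group whose members all share one sensitive value discloses that value
    # for everyone in it, even though no single record is unique.
    homogeneous = sum(
        len(values) for values in classes.values()
        if len(values) > 1 and len(set(values)) == 1
    )
    return {
        "k": min(sizes),
        "unique_fraction": unique / len(records),
        "equivalence_classes": len(classes),
        "homogeneous_records": homogeneous,
    }


if __name__ == "__main__":
    scenarios = [
        ("exact age, full postcode", {}),
        ("10-year age band, full postcode", {"age_band": 10}),
        ("10-year age band, partial postcode", {"age_band": 10, "district_only": True}),
    ]
    for label, options in scenarios:
        print(label, risk_report(RECORDS, **options))
```

In this sample the coarsened release reaches k = 2 with no unique records, yet three records still sit in a group where everyone has the same diagnosis, so a passing k value alone does not make the release safe.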