ICO concerned by mass health data-sharing with advertisers

A touchscreen display showing information in line graphs

The UK's data regulator has expressed deep concerns over reports that some of the most popular health websites are sharing sensitive data with advertisers across the world.

The majority of prominent health websites embed tracking cookies in users' browsers without explicit consent to allow third-party companies to track them while surfing the internet, according to a Financial Times (FT) investigation. The probe examined 100 health sites, including WebMD and Bupa, and found 79% used such techniques.

This data is then transmitted to a swathe of advertising platforms including Amazon and Facebook, with the majority of data sent to Google's DoubleClick targeted ad platform. This includes information like medical symptoms, diagnoses, drug names and fertility information.

The incident has raised clear General Data Protection Regulation (GDPR) concerns, and the Information Commissioner's Office (ICO) has reiterated past warnings that special category data, such as personal health information, must have greater protections.

"This investigation by the Financial Times further highlights the ICO's concerns about the processing of special category data in online advertising, as well as the role that site owners and publishers play in this ecosystem," the ICO's executive director for technology policy and innovation, Simon McDougall, told IT Pro.

"Under data protection law, organisations have to ensure that their processing is fair, lawful and transparent and that appropriate security is in place.

"In addition, special category data – such as health information – requires greater protection because of its sensitivity and the increased risk of harm to or discrimination against individuals. Organisations have to recognise this and take additional steps to address these risks."

McDougall also highlighted the ICO's own investigations into the adtech industry, published earlier this year, which claimed that companies in this space are actively violating data protection laws.

The report highlighted, in particular, a mechanism known as real-time bidding (RTB), which allows advertisers to compete for available digital space by automatically populating webpages and apps with billions of ads.


Fraud detection in healthcare

A step-by-step guide to incorporating machine learning


For a handful of websites examined in closer detail, investigators found the privacy policies did not adequately outline that sensitive health data would be shared with third-parties.

In eight cases out of ten, the reporters also found a specific identifier that was transmitted, which could allow information to be tied to an individual, with tracker cookies dropped before consent was provided.

"The interesting point is the British Heart Foundation (BHF) justification in the FT piece, where they admit it's personal data and they're doing it anyway," medConfidential coordinator Sam Smith told IT Pro.

The BHF insisted it does not share or sell personal information that could directly identify an individual, and said it would review how it used cookies and how it seeks consent, with changes implemented in the coming months.

Smith continued: "Facebook are assumed to sell out their users for cash, we don't expect charities with public trust to do the same.

"The FT picked up a bunch of high profile sites, but a bunch of others are probably reconsidering whether the small amount of money they get is worth the price in terms of public trust."

The ICO added that it will assess the information provided by the FT before considering whether this warrants any further investigation.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.