Do Health Apps Threaten the Privacy of Sensitive Data?
The growing use of smartphone apps and wearable devices to generate personal health and lifestyle data poses a dilemma for privacy. While individuals have much to gain using apps to help them manage ongoing health concerns, including better understanding of their health, the privacy of the data itself may be at risk.
Consumer-grade devices that link across Internet networks are rather vulnerable to security attack (hacking). The levels of security that can be tolerated by users fall short compared to enterprise networks. The portability of wearables and smart devices, carelessness with passwords and lack of encryption means confidential data is much more at risk of being stolen.
Apps use a programme interface (API) to access sensors in devices themselves - GPS, messages, even the camera - and to collect data. Many apps combine data to draw conclusions (accurate or otherwise) about the user’s state of health. Some insurers are already using activity data from fitness trackers to enhance products. It seems likely the trend will continue as apps become more sophisticated and hardware develops broader appeal.
U.S. federal and state laws require published policies concerning the use, disclosure and safeguarding of personal data by mobile apps. Health data are subject to special restrictions. In addition to imposing restrictions on sale and disclosure on all personal data on apps, EU data protection directives and national laws also have more restrictions for health data; for example, explicit consent requirements. Apps must comply with all applicable legal requirements for processing health data and personal data more generally, including consent requirements of various levels of specificity and explicitness for different types of uses and disclosures of different types of personal data.
It may not occur to most users of a fitness app that their personal data will be disclosed to the device manufacturers, who may sell it to third-party advertisers or share it with data aggregators. The terms and conditions of apps are not always read or the developer is based beyond national legal boundaries. The relatively short life cycle of many apps could also mean personal data may end up lost as the apps become defunct.
A survey by the Global Privacy Enforcement Network found that in 85% of the 1200 apps reviewed, the owners failed to clearly explain how they were collecting, using and disclosing personal information.1 EMEI (unique serial) numbers of smartphones makes identification of individuals simple and many app users mistakenly believe their information stays private.2
I have previously written about how wearables and apps that use smartphones as a hub can play an important role in life and health insurance (see my slideshare: The Growing Impact of Wearables on Digital Health and Insurance). Research in the UK shows half the population now monitors their health problems this way, and 95% of doctors see more patients bringing their own data to appointments.3 The trend is expected to continue as apps become more sophisticated and hardware develops broader appeal - more than 140 million wearables are expected to be sold in 2020, up from around 70 million in 2014.4
Underwriters and claims assessors will process increasing levels of digital health data in their day-to-day work in future. However, if patients cannot believe the health data they store in apps is private, they may resist calls from clinicians to use them. It’s important to address concerns over data privacy or failures to protect individual’s sensitive information, so patients’ resistance does not stall this innovation.
For more blogs on how technology is changing life insurance, click here.
- Results of the 2014 Global Privacy Enforcement Network Sweep, Office of the Privacy Commissioner of Canada, September 2014, available at:
- Blenner,SR., et al. (2016) Privacy policies of Android diabetes apps and sharing of health information, JAMA 315:10 1051-52, 2016.
- The Future of People Powered Health, Nesta research (2015), www.nesta.org.uk.
- International Data Corporation.