Image: Shutterstock

The UK Certified These Health Apps for Privacy, Yet They're Anything But

Some send personally identifying information unencrypted, and have inaccurate privacy policies.

Sep 25 2015, 12:00am


More and more people are using apps to self-diagnose, help get themselves healthy, and generally just keep tabs on their own well-being.

But, it turns out that some medical apps are sending sensitive data unencrypted and do not have clear privacy policies, despite being accredited by the UK's National Health Service (NHS) explicitly for their data protection.

In a paper published today in BMC Medicine, "Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment," researchers examined 79 separate apps included on the NHS' "Health App Library," on both Android and iOS. These apps included ones that deal with weight loss, harm reduction for alcohol use, and long-term condition self-care, according to the press release.

The Health App Library is a list of apps that have been reviewed by the NHS for their relevance to people living in England, whether they use information from a verifiable and trusted source, and, importantly, whether they comply with the UK's Data Protection Act, "to make sure that they hold and use your information appropriately," according to an NHS website.

That sounds all well and good, but the researchers found that out of 70 apps that send data over the internet, 23 sent identifying information without encryption. On top of this, of the 38 apps that had an accompanying privacy policy and transmitted data over the web, the policy did not indicate what personal info would be sent.

"Our study suggests that the privacy of users of accredited apps may have been unnecessarily put at risk, and challenges claims of trustworthiness offered by the current national accreditation scheme being run through the NHS," lead researcher, Kit Huckvale, Imperial College London, UK, said in a forwarded statement. "The results of the study provide an opportunity for action to address these concerns, and minimize the risk of a future privacy breach. To help with this, we have already supplied our findings and data to the NHS Health Apps Library."

But, more worryingly, the paper claims that "A failure to implement appropriate technical safeguards of personal information does not only imply a failure of accreditation, it may also represent a violation of data protection law in the UK."

A spokesperson for NHS Choices said:

"It's important that all of the apps listed on the NHS Health Apps Library meet the criteria of being clinically safe, relevant to people living in England and compliant with the Data Protection Act. We were made aware of some issues with some of the featured apps and took action to either remove them or contact the developers to insist they were updated. A new, more thorough NHS endorsement model for apps has begun piloting this month."

As more of our physical lives are recorded, analysed and transmitted by our smart devices, both developers and consumers need to be fully aware of the risks that shoddily implemented apps pose to their sensitive data.
