Vendors have 'obligation' to be transparent about data use, charity warns

Medical app vendors have an “obligation” to tell users anything that is happening with their data, a patient safety charity has said.

Clive Flashman, chief digital officer for Patient Safety Learning, said there is often confusion about who is responsible for ensuring users know what’s happening to their data, but ultimately that burden should not be put on the individual.

Speaking to Digital Health News following the news that pregnancy club Bounty UK was fined £400,000 for illegally sharing patient data, Mr Flashman said vendors are “merely stewards” of a user’s data and don’t have the authority to make decisions on what happens to that data.

Bounty was fined by the Information Commissioner’s Office (ICO) in an “unprecedented” case which saw the club sharing patient data collected through its app, website and patient surveys with third parties, which then used the information for marketing purposes.

Many patients sharing their data did not know the company was a data broker supplying their information to third parties.

“Part of it is that these app vendors think that you are entering the data onto their system and that they, therefore, own the data,” Mr Flashman told Digital Health.

“But actually they don’t own it, you own it, they are merely stewards of your data.

“They have an obligation to tell you anything that happens with that data. Let’s say they change storage – if that data storage moves geographic location you should know that.

“If they negotiate secondary re-uses of that data, like Bounty have done, you should know who else is entitled to see it.”

Apart from the obvious data sharing issues with vendors incorrectly using a subscriber’s information, there’s also an element of risk to patient safety, according to Helen Hughes, chief executive of Patient Safety Learning.

Ms Hughes has previously called for consistent regulatory standards to be applied to medical apps as a “necessity” to protect patient safety.

While patient data shared in an app, or for other health and medical purposes, may be accurate, it does not represent a complete view of a person’s health, she explained.

It would be impossible to make sound judgements on an individual’s wants and needs based on the small snapshot of data that may be provided.

“The person who is capturing that data in the first instance only captures the information that is relevant to them, but people have a whole bunch of complex healthcare needs,” she said.

“Looking at a patient safety perspective, what would the person that’s using the data infer from that and how are they making judgements on that?

“They may be misinterpreting it, not having complete data, not checking it back to the prime source so the patient doesn’t know how it’s being used.”

So, what do app developers and vendors need to take into consideration when collecting patient data?

The principles of the Caldicott Review are a good place to start, according to Ben Moody, head of health and social care at techUK, which represents more than 900 tech companies in the UK.

The review, handed down in 2016, called for data protection to be embedded into financial contracts and harsher sanctions for malicious data breaches.

“The National Data Guardian took a balanced view and importantly recognised the duty we have to encourage sharing of information in the interests of better health,” Mr Moody told Digital Health.

“But she also recommended that there should be no surprises to the public and they should have a choice about the use of their data.”

But when it comes to responsibility, Mr Moody’s views differ from those of Patient Safety Learning. In his view, users are responsible for knowing what they are signing up for and how their data will be used.

“As citizens we should all have the ability and right to share our data with whoever we want; so it is the individual’s responsibility to understand what they are signing up to with any given digital tool regardless of whether it is a health app or otherwise,” he added.

“That said, companies do not operate in a moral vacuum and we have seen the damage that can be done to reputations, business models and share prices when companies act irresponsibly.”

Patient Safety Learning is currently working with app review organisation ORCHA to find a way to design safety into apps, including making it easier for users to understand how their data will be used.