NHS site allowed to spy on your visiting habits

Embarrassing ailment you don’t want to discuss? Why not visit the NHS Choices web site. Well one reason you might not want to do that is because the NHS could be letting Google and Facebook know about it. I’ve just written to Andrew Lansley to ask him to put the matter right.

15 comments ↓

#1 Alasdair on 11.23.10 at 10:31 am

Well, Google Analytics makes sense – it’s what many many organisations use internally to track site metrics like how many visitors and page visits they received.

Facebook, on the other hand, is potentially more worrying.

#2 nick on 11.23.10 at 12:56 pm

I thought the Facebook like button allows the user to post the contents of the page you are browsing back to the user’s Facebook profile. I think it is passive in terms of collecting data.

#3 webgeek on 11.23.10 at 5:50 pm

Hi Tom, can’t speak for the NHS but it’s quite possible that there is a Facebook campaign, say for the flu vaccine, that would explain the Facebook tracking. Google Analytics, as far as I know, doesn’t track users individually, though it does track search terms. This, used right, is a way for site owners to look after and develop content.

The other 2 URLs I’m not so sure about – could be there accidentally. Bottom line, I don’t think it’s a conspiracy.

#4 dreamingspire on 11.24.10 at 12:09 am

Tom, why have you not passed this to the Information Commissioner? And perhaps also to those people in Cabinet Office who want us to be safe online as we use more and more online public services?

#5 Dominic Pinto on 11.24.10 at 2:01 am

Some useful excerpts from or about one Tom Watson, significant personage in the New Labour (which I gather is not to be improved, but steered well clear of) regime:

Government’s CIO praises NHS progress

20 May 2009

The government’s chief information officer has praised IT systems in the health sector but has highlighted the need to “drive value out of IT investments” throughout the recession.

The comments come in the government’s latest Transformational Government progress report.

In a year when the government spent £13.7 billion on IT, the report says the recession means that there will need to be “even more focus on driving value out of the IT investments we make.”

The report says this must be based on three main priorities: “putting the citizen at the heart of what we do”, “shared services” and “professionalising IT-enabled business change.”

The report points to savings including £50m at the Department for Work and Pensions using shared services, with a total of £100m expected by the end of 2008/09.

In the government’s third annual assessment of its own IT investments, the government’s CIO, John Suffolk, applauds systems including PACS, Choose and Book and GP2GP.

He says: “PACS helps patients to be assessed and treated more efficiently by supporting clinicians in providing the best possible diagnosis.”

He also says that more than half of outpatient appointment referrals from GPs are now arranged using Choose and Book, with the number of bookings made using the system doubling over the past year to more than 12m.

However, the report shies away from the troubled subject of the National Programme for IT in the NHS. No mention is made of the delays, changes in key contractors or implementation problems experienced in the hospital sector.

The report states: “The National Programme for Information Technology… is already delivering new systems and applications to hospitals and GP practices to provide improved services and safer care for patients.”

The report also states the need for expansion on the government’s use of open source as well as the introduction of user focused web 2.0 tools and technologies.

At the launch of the report, Tom Watson, the minister for digital innovation, claimed that use of information technology will save £35 billion in two years by improving efficiency, and said public sector reform will help Britain meet the challenges involved in overcoming the recession.

He added that the government has already achieved £26.5 billion of efficiency savings through the transformation of the public sector, underpinned by technology.

Concerning his shopping habits:

Without guidelines, the potential for retailers to use RFID to monitor closely who purchases what, why, where and when is very real. Not only our buying habits but our browsing behaviour could be monitored. In the British Retail Consortium’s November 2003 newsletter, Ruth Carpenter noted:

“While the retail world currently uses source tags mainly for inventory help and crime prevention, the move into marketing is a logical progression.”

It is also a dangerous progression. My shopping habits could be analysed by marketing departments. For example, I might pick up product A or B before choosing product C. Should supermarkets be allowed to collect such data? Linking together different databases or combining information with credit cards and store cards that also contain tags would be a huge invasion of customers’ privacy, which British consumers simply will not tolerate.

Tom Watson

12 July 2010

Dear Department of Health,

Please send me a copy of the KPMG report into NHS Choices and NHS
Direct. I’m happy with an electronic copy if this is the only way
you can get it to me.

If there are any problems, please call my parliamentary office on
0207 219 8335.

Yours faithfully,

Tom Watson MP

He’s keen on homeopathy – not sure where he’s gone on that one – nhs websites, naming (godawful), customer journey mapping, open source etc etc., how many live births there were in the Peterborough and Stamford Hospitals NHS Foundation Trust in each year since 1997,

On security, privacy, and the National Identity Database, summary care records, and related multi-billion projects – not an awful lot.

#6 @JamesFirth on 11.24.10 at 10:17 am

I’m sorry Alasdair but Google Analytics is just as unacceptable as the others in my book.

Any organisation of any decent standing should be using their own analytics package, not gifting all their data to a third party.

The rise in 3rd-party tracking using “utility” add-ons, whether it be analytics or “tweet/Facebook this” is worrying.

In collecting a URL as a referrer that contains a reference to a medical condition and linking that with an IP address, or, as is more likely, with a specific personal account on one of these services is worrying not just for the government but for the companies performing this data collection.

Whether they like it or not these 3rd parties could be either knowingly or unknowingly collecting Sensitive Personal Data, a category defined under S2 of the Data Protection Act 1998.

One then needs to ask the question whether these organisations are using the same stringent data handling requirements (including the restrictions on exporting this data out of the country) demanded by the Data Protection Act for any Sensitive Personal Data they collect.

James Firth
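
The referrer leak described in comment #6, as an added example that is not part of the original thread: a small audit that lists the third-party hosts a page embeds and the `Referer` value each would receive under the legacy `no-referrer-when-downgrade` policy versus `strict-origin-when-cross-origin` or `no-referrer`. The page URL, embed hosts and HTML are constructed for illustration and are not taken from the NHS Choices site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: URL and embed hosts are illustrative placeholders.
PAGE_URL = "https://health.example.org/conditions/example-condition?tab=treatment#top"
PAGE_HTML = """
<script src="/static/site.js"></script>
<script src="https://analytics.example.net/ga.js"></script>
<iframe src="//social.example.com/plugins/like.php?href=x"></iframe>
<img src="http://pixel.example.io/t.gif">
"""

class EmbedCollector(HTMLParser):
    """Collect absolute URLs of resources the browser fetches automatically."""
    def __init__(self, base):
        super().__init__()
        self.base, self.urls = base, []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe", "img") and src:
            self.urls.append(urljoin(self.base, src))

def referer_for(page_url, target_url, policy):
    """Referer sent on a cross-origin fetch under one of the three policies
    modelled here: no-referrer, no-referrer-when-downgrade,
    strict-origin-when-cross-origin."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    downgrade = page.scheme == "https" and target.scheme == "http"
    if policy == "no-referrer" or downgrade:
        return None  # header omitted entirely
    if policy == "strict-origin-when-cross-origin":
        return f"{page.scheme}://{page.netloc}/"  # origin only, path trimmed
    return page_url.split("#", 1)[0]  # full URL minus the fragment

def audit(page_url, html, policy):
    """Map each third-party host to the Referer it would receive.
    Simplification: any hostname other than the page's own counts as third party."""
    collector = EmbedCollector(page_url)
    collector.feed(html)
    first_party = urlsplit(page_url).hostname
    return {urlsplit(u).hostname: referer_for(page_url, u, policy)
            for u in collector.urls if urlsplit(u).hostname != first_party}

if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
        print(policy, audit(PAGE_URL, PAGE_HTML, policy))
```

Trimming the `Referer` header only closes the passive channel: a third-party script running in the page can still read `document.location` itself, so the audit's list of embedded hosts matters independently of the policy.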

#7 David on 11.25.10 at 1:40 pm

Without enabling java I can assume you have the same code on this page as well since I have it blocked. I do have to applaud your effort to stamp out that scourge called Facebook on a government website though. Facebook has no right to be tracking people seeking medical advice. I don’t care what you do on this page since all you are going to get is who I clicked on, but on the NHS site people are there to seek what might be considered by many to be very sensitive information that third parties should not have access to.

#8 John on 11.25.10 at 1:41 pm

Uhm, Tom, I agree the matter brought up is one for concern, but you might want to have a closer look at your own site here too; Firefox NoScript presents me with a few blocked script connections here … facebook.com being one of them.

Anyhoo, also the Privacy agreement hospitals give you before going for an operation I think is rather badly timed, people waiting for an operation just wanting to get on with it and have previously not agreed to sharing their info online are handed a bunch of forms among them is this little beauty.

Bit sneaky, don’t you think? I had an op recently and told them where to shove it. But most won’t even bother reading it looking for obfuscated details.

#9 John on 11.25.10 at 2:02 pm

And how long before an insurance company adjusts your premiums based on data gathered from NHS websites?… Apparently it’s nearly if not already happening in America. This NHS idea should never have happened, nothing online is secure. Ask yourselves who has access to your national insurance number now while site admins go back to playing solitaire.

#10 Scottspeig on 11.25.10 at 5:47 pm

This isn’t new though is it Tom?

So why only now do you bother? It’s been like that (so I’m told) since 2007??

#11 Stuart Harrison on 11.25.10 at 5:55 pm

Hmmm… Never thought about the Like button that way, especially as the data is linked to an individual. Sinister and wrong. Added it to my block list on Adblock now.

Google Analytics is potentially less sinister, data is not linked to a personally identifiable person, and it’s a quick, easy (and free!) way for the NHS Choices team to track the use of their site.

#12 Linvell on 11.25.10 at 7:41 pm

Labour eroded everyone’s civil liberties on an unprecedented scale. Yet more hypocrisy from the MP who thinks his own party’s ruination of the country has been forgotten.

#13 Monika Kasnickas on 11.25.10 at 9:13 pm

I too am not happy about being ‘tracked’ every time I use the web. I try to avoid being tracked as much as possible even if it means going to a second-rate or even a third-rate search engine.
To be tracked when I use an NHS web-site is particularly disconcerting.

#14 Brian Clifton on 12.03.10 at 6:09 am

Hello Tom

The original article at http://mmt.me.uk/blog/2010/11/21/nhs-and-tracking/ is misleading when it comes to the use of Google Analytics (GA). I have included the comments I made there below for your reference:

In terms of Google Analytics (GA), I wanted to point out a few facts:

1. GA does not track any personal identifiable information.
To answer Chris’s comment directly – if you log into Gmail, then visit NHS Choices webpage about breast cancer, and then google ‘knows’ that I (Chris) have breast cancer?

No, that is not the case and you can verify this by examining the headers sent to Google (for example using the Firefox plugin Firebug).

In fact, as far as web tracking goes, Google is probably the least invasive because all visitor information reported is not only anonymous but is also in “aggregate” i.e. it is not at the individual level. A number of competitors flag this as a limitation, but in fact it is a deliberate decision by Google not to track individuals with GA.

As a sideline, if as an individual you wish to opt out of being tracked by GA you can install the official opt-out plugin from Google – http://tools.google.com/dlpage/gaoptout

2. Safe Harbour
I too am no data protection lawyer, however your point about data being sent outside of the European Economic Area is covered by Safe Harbour agreements – http://www.export.gov/safeharbor/

In summary
As a privacy advocate myself, I see no issue with the use of GA on any NHS website. The use of other tools however is a different matter…

Brian Clifton
Former Head of Web Analytics, Google EMEA
Author, Advanced Web Metrics with Google Analytics

#15 Michele Foley on 12.26.10 at 12:09 am

Well, Google Analytics makes sense – it’s what many many organisations use internally to track site metrics like how many visitors and page visits they received. Facebook, on the other hand, is potentially more worrying.
