NHS site allowed to spy on your visiting habits

Embarrassing ailment you don’t want to discuss? Why not visit the NHS Choices web site. Well one reason you might not want to do that is because the NHS could be letting Google and Facebook know about it. I’ve just written to Andrew Lansley to ask him to put the matter right.

15 thoughts on “NHS site allowed to spy on your visiting habits”

  1. Well, Google Analytics makes sense – it’s what many many organisations use internally to track site metrics like how many visitors and page visits they received.

    Facebook, on the other hand, is potentially more worrying.

  2. I thought the Facebook like button allows the user to post the contents of the page you are browsing back to the user’s Facebook profile. I think it is passive in terms of collecting data.

  3. Hi Tom, can’t speak for the NHS but it’s quite possible that there is a Facebook campaign, say for the flu vaccine, that would explain the Facebook tracking. Google Analytics, as far as I know, doesn’t track users individually, though it does track search terms. This, used right, is a way for site owners to look after and develop content.

    The other 2 URLs I’m not so sure about – could be there accidentally. Bottom line, I don’t think it’s a conspiracy.

  4. Tom, why have you not passed this to the Information Commissioner? And perhaps also to those people in Cabinet Office who want us to be safe online as we use more and more online public services?

  5. Some useful excerpts from or about one Tom Watson, significant personage in the New Labour (which I gather is not to be improved, but steered well clear of) regime:

    Government’s CIO praises NHS progress

    20 May 2009

    The government’s chief information officer has praised IT systems in the health sector but has highlighted the need to “drive value out of IT investments” throughout the recession.

    The comments come in the government’s latest Transformational Government progress report.

    In a year when the government spent £13.7 billion on IT, the report says the recession means that there will need to be “even more focus on driving value out of the IT investments we make.”

    The report says this must be based on three main priorities: “putting the citizen at the heart of what we do”, “shared services” and “professionalising IT-enabled business change.”

    The report points to savings including £50m at the Department for Work and Pensions using shared services, with a total of £100m expected by the end of 2008/09.

    In the government’s third annual assessment of its own IT investments, the government’s CIO, John Suffolk, applauds systems including PACS, Choose and Book and GP2GP.

    He says: “PACS helps patients to be assessed and treated more efficiently by supporting clinicians in providing the best possible diagnosis.”

    He also says that more than half of outpatient appointment referrals from GPs are now arranged using Choose and Book, with the number of bookings made using the system doubling over the past year to more than 12m.

    However, the report shies away from the troubled subject of the National Programme for IT in the NHS. No mention is made of the delays, changes in key contractors or implementation problems experienced in the hospital sector.

    The report states: “The National Programme for Information Technology… is already delivering new systems and applications to hospitals and GP practices to provide improved services and safer care for patients.”

    The report also states the need for expansion on the government’s use of open source as well as the introduction of user focused web 2.0 tools and technologies.

    At the launch of the report, Tom Watson, the minister for digital innovation, claimed that use of information technology will save £35 billion in two years by improving efficiency, and said public sector reform will help Britain meet the challenges involved in overcoming the recession.

    He added that the government has already achieved £26.5 billion of efficiency savings through the transformation of the public sector, underpinned by technology.

    Concerning his shopping habits:

    Without guidelines, the potential for retailers to use RFID to monitor closely who purchases what, why, where and when is very real. Not only our buying habits but our browsing behaviour could be monitored. In the British Retail Consortium’s November 2003 newsletter, Ruth Carpenter noted:

    “While the retail world currently uses source tags mainly for inventory help and crime prevention, the move into marketing is a logical progression.”

    It is also a dangerous progression. My shopping habits could be analysed by marketing departments. For example, I might pick up product A or B before choosing product C. Should supermarkets be allowed to collect such data? Linking together different databases or combining information with credit cards and store cards that also contain tags would be a huge invasion of customers’ privacy, which British consumers simply will not tolerate.

    Tom Watson

    12 July 2010

    Dear Department of Health,

    Please send me a copy of the KPMG report into NHS Choices and NHS
    Direct. I’m happy with an electronic copy if this is the only way
    you can get it to me.

    If there are any problems, please call my parliamentary office on
    0207 219 8335.

    Yours faithfully,

    Tom Watson MP

    He’s keen on homeopathy – not sure where he’s gone on that one – nhs websites, naming (godawful), customer journey mapping, open source etc etc., how many live births there were in the Peterborough and Stamford Hospitals NHS Foundation Trust in each year since 1997,

    On security, privacy, and the National Identity Database, summary care records, and related multi-billion projects – not an awful lot.

  6. I’m sorry Alasdair but Google Analytics is just as unacceptable as the others in my book.

    Any organisation of any decent standing should be using their own analytics package, not gifting all their data to a third party.

    The rise in 3rd-party tracking using “utility” add-ons, whether it be analytics or “tweet/Facebook this” is worrying.

    In collecting a URL as a referrer that contains a reference to a medical condition and linking that with an IP address, or, as is more likely, with a specific personal account on one of these services is worrying not just for the government but for the companies performing this data collection.

    Whether they like it or not these 3rd parties could be either knowingly or unknowingly collecting Sensitive Personal Data, a category defined under S2 of the Data Protection Act 1998.

    One then needs to ask the question whether these organisations are using the same stringent data handling requirements (including the restrictions on exporting this data out of the country) demanded by the Data Protection Act for any Sensitive Personal Data they collect.

    James Firth
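
The referrer leak described in the comment above can be checked for any page. This is an added example, not part of the original post or its comments: it lists the third-party hosts a browser contacts automatically while rendering a page and the `Referer` value each one receives. The page URL, markup and host names are constructed, and comparing exact host names is a simplification of what counts as a third party.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; the URL, markup and hosts are illustrative only.
PAGE_URL = "https://health.example/conditions/example-condition?q=symptoms"
PAGE_HTML = """
<html><head>
<script src="/static/site.js"></script>
<script src="https://analytics.example.net/ga.js"></script>
</head><body>
<iframe src="https://social.example.org/plugins/like?href=x"></iframe>
<img src="//cdn.example.com/pixel.gif">
<a href="https://other.example/page">a link is not fetched automatically</a>
</body></html>
"""

class EmbedCollector(HTMLParser):
    """Collect URLs the browser fetches on its own while rendering the page."""
    FETCHED = {"script": "src", "iframe": "src", "img": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.FETCHED.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)

def referer_for(page_url, target_url, policy):
    """Referer sent on a cross-origin request under a Referrer-Policy value."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    downgrade = page.scheme == "https" and target.scheme == "http"
    if policy == "no-referrer" or downgrade:
        return None
    if policy == "strict-origin-when-cross-origin":
        return f"{page.scheme}://{page.netloc}/"      # origin only
    return page._replace(fragment="").geturl()        # full URL, path and query

def third_party_leaks(page_url, html, policy="no-referrer-when-downgrade"):
    """Map each third-party host to the Referer it would receive."""
    page_host = urlsplit(page_url).hostname
    collector = EmbedCollector()
    collector.feed(html)
    leaks = {}
    for raw in collector.urls:
        target = urljoin(page_url, raw)
        host = urlsplit(target).hostname
        if host and host != page_host:
            leaks[host] = referer_for(page_url, target, policy)
    return leaks
```

With the default policy every embedded third party receives the full page URL, including the condition name in the path; under `strict-origin-when-cross-origin` each receives only `https://health.example/`.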

  7. Without enabling java I can assume you have the same code on this page as well since I have it blocked. I do have to applaud your effort to stamp out that scourge called Facebook on a government website though. Facebook has no right to be tracking people seeking medical advice. I don’t care what you do on this page since all you are going to get is who I clicked on, but on the NHS site people are there to seek what might be considered by many to be very sensitive information that third parties should not have access to.

  8. Uhm, Tom, I agree that the matter brought up is one for concern, but you might want to have a closer look at your own site here too; Firefox NoScript presents me with a few blocked script connections here … facebook.com being one of them.

    Anyhoo, also the Privacy agreement hospitals give you before going for an operation I think is rather badly timed, people waiting for an operation just wanting to get on with it and have previously not agreed to sharing their info online are handed a bunch of forms among them is this little beauty.

    Bit sneaky, don’t you think? I had an op recently and told them where to shove it. But most won’t even bother reading it looking for obfuscated details.

  9. And how long before an insurance company adjusts your premiums based on data gathered from NHS websites?… Apparently it’s nearly if not already happening in America. This NHS idea should never have happened, nothing online is secure. Ask yourselves who has access to your national insurance number now while site admins go back to playing solitaire.

  10. This isn’t new though is it Tom?

    So why only now do you bother? It’s been like that (so I’m told) since 2007??

  11. Hmmm… Never thought about the Like button that way, especially as the data is linked to an individual. Sinister and wrong. Added it to my block list on Adblock now.

    Google Analytics is potentially less sinister, data is not linked to a personally identifiable person, and it’s a quick, easy (and free!) way for the NHS Choices team to track the use of their site.

  12. Labour eroded everyone’s civil liberties on an unprecedented scale. Yet more hypocrisy from the MP who thinks his own party’s ruination of the country has been forgotten.

  13. I too am not happy about being ‘tracked’ every time I use the web. I try to avoid being tracked as much as possible even if it means going to a second-rate or even a third-rate search engine.
    To be tracked when I use an NHS web-site is particularly disconcerting.

  14. Hello Tom

    The original article at http://mmt.me.uk/blog/2010/11/21/nhs-and-tracking/ is misleading when it comes to the use of Google Analytics (GA). I have included the comments I made there below for your reference:

    In terms of Google Analytics (GA), I wanted to point out a few facts:

    1. GA does not track any personal identifiable information.
    To answer Chris’s comment directly – if you log into Gmail, then visit NHS Choices webpage about breast cancer, and then Google ‘knows’ that I (Chris) have breast cancer?

    No, that is not the case and you can verify this by examining the headers sent to Google (for example using the Firefox plugin Firebug).

    In fact, as far as web tracking goes, Google is probably the least invasive because all visitor information reported is not only anonymous but is also in “aggregate” i.e. it is not at the individual level. A number of competitors flag this as a limitation, but in fact it is a deliberate decision by Google not to track individuals with GA.

    As a sideline, if as an individual you wish to opt out of being tracked by GA you can install the official opt-out plugin from Google – http://tools.google.com/dlpage/gaoptout

    2. Safe Harbour
    I too am no data protection lawyer, however your point about data being sent outside of the European Economic Area is covered by Safe Harbour agreements – http://www.export.gov/safeharbor/

    In summary
    As a privacy advocate myself, I see no issue with the use of GA on any NHS website. The use of other tools however is a different matter…

    Brian Clifton
    Former Head of Web Analytics, Google EMEA
    Author, Advanced Web Metrics with Google Analytics

  15. Well, Google Analytics makes sense – it’s what many many organisations use internally to track site metrics like how many visitors and page visits they received. Facebook, on the other hand, is potentially more worrying.
