Gunjan Balde,Aryendra Singh,Niloy Ganguly,Mainack Mondal

2023-06-20

Abstract:Data privacy in healthcare is of paramount importance (and thus regulated using laws like HIPAA) due to the highly sensitive nature of patient data. To that end, healthcare organizations mention how they collect/process/store/share this data (i.e., data practices) via their privacy policies. Thus there is a need to audit these policies and check compliance with respective laws. This paper addresses this need and presents a large-scale data-driven study to audit privacy policies from healthcare organizations in three countries -- USA, UK, and India. We developed a three-stage novel \textit{workflow} for our audit. First, we collected the privacy policies of thousands of healthcare organizations in these countries and cleaned this privacy policy data using a clustering-based mixed-method technique. We identified data practices regarding users' private medical data (medical history) and site privacy (cookie, logs) in these policies. Second, we adopted a summarization-based technique to uncover exact broad data practices across countries and notice important differences. Finally, we evaluated the cross-country data practices using the lens of legal compliance (with legal expert feedback) and grounded in the theory of Contextual Integrity (CI). Alarmingly, we identified six themes of non-alignment (observed in 21.8\% of data practices studied in India) pointed out by our legal experts. Furthermore, there are four \textit{potential violations} according to case verdicts from Indian Courts as pointed out by our legal experts. We conclude this paper by discussing the utility of our auditing workflow and the implication of our findings for different stakeholders.

Computers and Society,Cryptography and Security,Human-Computer Interaction

Ravin Gunawardena,Yuemeng Yin,Yi Huang,Rahat Masood,Suranga Seneviratne,Imran Razzak,Nguyen Tran,Aruna Seneviratne

2023-03-03

Abstract:With the increasing awareness and concerns around privacy, many service providers offer their users various privacy controls. Through these controls, users gain greater authority over the collection, utilisation, and dissemination of their personal information by the services. However, these controls may be buried deep within menus or settings, making them difficult for a user to access. Additionally, the terminology used to describe privacy controls can sometimes be confusing or technical, further complicating the user's ability to understand and use them effectively. This is especially true for health websites, as users often share sensitive information about their health and well-being. While many privacy controls have been proposed to protect user data on these sites, existing research focuses on individual controls (e.g., privacy policies or cookie opt-outs) rather than providing a comprehensive overview of the privacy landscape. In addition, many studies concentrate on the technical aspects of privacy controls without considering the usability of these features from a user's perspective. This paper aims to fill the gaps in the existing work by analysing four privacy controls, namely privacy nudge, privacy notice, privacy policy, and privacy setting, and evaluating their usability on the top 100 most visited health websites. First, we define usability attributes for each privacy control in three website visit scenarios; the guest, registering, and log-in visits. These attributes include awareness, efficiency, comprehension, functionality, and choice. Then, we design a survey template based on these attributes and scenarios and collect data about privacy controls. Next, we analyse the availability and usability of each privacy control on health websites. Finally, we provide suggestions for improving the design of these privacy controls based on the data analysis results.

Cryptography and Security

Tim Libert

DOI: https://doi.org/10.1145/2658983

2015-03-07

Abstract:This article investigates privacy risks to those visiting health- related web pages. The population of pages analyzed is derived from the 50 top search results for 1,986 common diseases. This yielded a total population of 80,124 unique pages which were analyzed for the presence of third-party HTTP requests. 91% of pages were found to make requests to third parties. Investigation of URIs revealed that 70% of HTTP Referer strings contained information exposing specific conditions, treatments, and diseases. This presents a risk to users in the form of personal identification and blind discrimination. An examination of extant government and corporate policies reveals that users are insufficiently protected from such risks.

Computers and Society,Cryptography and Security

Olga Sovova

DOI: https://doi.org/10.32008/nordsci2019/b2/v2/31

2019-01-01

Abstract:The paper examines the issue arising when delivering healthcare in the modern information society. Throughout the past decade, the Internet has seen a significant rise of the "Web 2.0" trend, which carried on its wings a health industry trend often referred to as "Health 2.0" or "Medicine 2.0". More recently, we have also witnessed the crowning of concepts such as Health Social Media, eHealth and mHealth. European Union as well as the national states develop strategies implementing new technologies for personal and medical data sharing, including the prescription of medicals as well as their validation through websites. Healthcare data privacy and security is one of the top challenges, healthcare providers face. The huge amount of data the medical care generates holds potential for researchers, providers, pharmaceutical companies as well as for doctors, who can use it to improve care or find new treatments and insights into disease. The key issue to examine is how to balance the competing interests of privacy and data-sharing and not exclude the patient as a holder and owner of the information. The paper addresses the issue of privacy protection in digitized healthcare, using the analysis of the legislation and case-law of the Czech Republic, stressing the demands for human rights and privacy protection of a member state of the European Union. The paper introduces several proposals for providers on how to re-design digital healthcare with respect to laws and patients ́ rights. The paper concludes that even modern and digitized medicine is based not only on evidence and modern technologies but also on human interaction and face-to-face approach and trust between the doctor and patient.

Matthew S. McCoy,Angela Wu,Sam Burdyl,Yungjee Kim,Noell Kristen Smith,Rachel Gonzales,Ari B. Friedman

DOI: https://doi.org/10.1001/jamanetworkopen.2024.5861

2024-04-12

JAMA Network Open

Abstract:This cross-sectional study examines whether hospital websites have accessible privacy policies and whether those policies contain key information related to third-party tracking.

medicine, general & internal

Maiju Kyytsönen,Tuulikki Vehko,Virpi Jylhä,Ulla-Mari Kinnunen

DOI: https://doi.org/10.1016/j.ijmedinf.2023.105336

IF: 4.73

2024-01-07

International Journal of Medical Informatics

Abstract:Introduction Seeking and receiving care requires disclosure of personal information which is recorded as health data in electronic health records. Thereafter, restricting the flow of information is dependent on data protection, information security, ethical conduct, and law. Privacy concerns may arise as patients' options concerning privacy have been balanced to cater both the privacy of patients and the needs of healthcare, as well as secondary use of data. Methods This study examined privacy concerns among the users of a national patient portal in a representative sample of Finnish adults aged 20 to 99 years old (n = 3,731). We used logistic regression analysis with population weights to seek answers to which factors are associated with privacy concerns. The cross-sectional survey data was collected in 2020. Results Every third patient portal user had privacy concerns. Those who were 50 to 59 years old (p = 0.030) had privacy concerns more often than 20 to 49-year-olds. Those who had financial difficulties (p = 0.003) also had privacy concerns more often while those, who had good digital skills (p=<0.026), did not need guidance on telehealth service use (p=<0.001) and found telehealth service use to be beneficial (p = 0.008), had privacy concerns less often. Conclusion The usefulness of telehealth seems to play an important role in privacy concerns. Another important factor is the skills required to use telehealth services. We encourage providing guidance to those who lack the necessary skills for telehealth service use. We also encourage putting effort not only into data protection and information security measures of telehealth services, but also into providing transparent and comprehensible privacy information for the service users as privacy concerns are common.

health care sciences & services,computer science, information systems,medical informatics

David B. Meinert,Dane K. Peterson,John R. Criswell,Martin D. Crossland

DOI: https://doi.org/10.4018/jeco.2006010101

2006-01-01

Journal of Electronic Commerce in Organizations

Abstract:Consumers’ concerns about information privacy are a primary obstacle to the success of e-commerce. The adoption of privacy policy statements is a direct response to this concern. This exploratory study examined the willingness of graduate students (who, by virtue of age, education, and income, are representative of typical Internet consumers) to provide various types of personal information given varying degrees of protection offered by privacy policy statements. The results demonstrated that the willingness to provide information to Web merchants increased as the level of privacy guaranteed by the statements increased. More importantly, the level of privacy promised by the statements interacted with respondents’ prior familiarity with policy statements in terms of their willingness to provide personal information. The results also demonstrated that while most individuals were aware of privacy policy statements, less than half of the respondents had ever read a privacy statement.

Louisa Walsh,Sophie Hill,Meredith Allan,Susan Balandin,Andrew Georgiou,Isabel Higgins,Ben Kraal,Shaun McCarthy,Bronwyn Hemsley

DOI: https://doi.org/10.1177/1833358317712200

IF: 3.778

2017-06-07

Health Information Management Journal

Abstract:Background: Low health literacy, low levels of positive belief and privacy and security concerns have been identified as a significant barrier to personal electronic health record uptake and use. An important tool for overcoming these barriers is the consumer-facing information which accompanies the system. My Health Record (MyHR) is the Australian national e-health record system, for which a large suite of online resources exists to facilitate consumer registration and use. This study uses a number of different measures of health resource quality to assess the MyHR online consumer-facing information and identify any gaps or areas for improvement. Objective: To analyse the quality and content of the online consumer-facing resources which support the uptake and use of MyHR. Method: Australian information resources aimed at healthcare consumers about the MyHR were included in this study. A comprehensive search using Internet search engines was conducted to locate all online consumer-facing resources about MyHR from both government and non-government sources. Readability (measured by Flesch–Kincaid grade level), year of publication/review, publishing organisation type, presentation style, linked websites, target audience, and themes were identified as important measures of health information quality, and these were recorded and reported on for each resource. Results: Eighty resources met the inclusion criteria. The mean Flesch–Kincaid grade level was 11.8. Most resources were created by Australian government sources ( n = 55), and the most common target audience was the general public ( n = 65). Registration ( n = 51), privacy/security ( n = 49), and benefits of use ( n = 46) were the most common resource themes. Conclusion: The authors identified a number of gaps and areas for improvement in the provision of consumer-facing information about MyHR. Readability is too high for the general Australian population, and there are few translated resources, which means that the information provided does not cater to people with low literacy levels, communication disability, and/or difficulties in understanding written English. The target audiences for resources do not reflect priority groups that were identified during the MyHR development processes. There are also gaps in information provision about how consumers can use MyHR as a tool to meaningfully engage with health professionals and services to support their own person-centred care.

medical informatics,health policy & services

Saka Suleiman,Sanchari Das

2024-10-19

Abstract:The widespread adoption of telehealth systems has led to a significant increase in the use of healthcare apps among older adults, but this rapid growth has also heightened concerns about the privacy of their health information. While HIPAA in the US and GDPR in the EU establish essential privacy protections for health information, limited research exists on the effectiveness of healthcare app privacy policies, particularly those used predominantly by older adults. To address this, we evaluated 28 healthcare apps across multiple dimensions, including regulatory compliance, data handling practices, and privacy-focused usability. To do this, we created a Privacy Risk Assessment Framework (PRAF) and used it to evaluate the privacy risks associated with these healthcare apps designed for older adults. Our analysis revealed significant gaps in compliance with privacy standards to such, only 25% of apps explicitly state compliance with HIPAA, and only 18% mention GDPR. Surprisingly, 79% of these applications lack breach protocols, putting older adults at risk in the event of a data breach.

Cryptography and Security,Computers and Society

Vladimir Stanisavljevic,,Bruno Tekić Sauerborn,

DOI: https://doi.org/10.54820/entrenova-2023-0013

2023-12-15

ENTRENOVA - ENTerprise REsearch InNOVAtion

Abstract:The non-certified e-health segment is gaining momentum around the world. The trend was significantly advanced by the introduction of several sports and medical measuring devices in the form of smartwatches. There has also been a resurgence of other medical Internet of Things class devices. Several devices connect to a product or platform-specific online (Cloud) service for storing, exchanging, analysing and monitoring the customer-collected e-health data. The devices and the data collected allow the consumers to continuously track their sports achievements, movement, vital signs, essential health state, etc. while receiving some recommendations and warnings based on the measurements. As some recent examples showed, the data collected can contain sensitive information that could be used creatively and unexpectedly, either positively or negatively. Unlike professional healthcare systems, which should comply with the strict GDPR, there is much less pressure on commercial entities in the consumer technological sector to provide more privacy options for data collection through their devices. In this work, we analyse the data typically collected by consumer e-health devices and assess possible risks that commercial entities present to their customer in unauthorised use of the data for their commercial advances. They use obscure legal language to prevent users from consenting to various data usages while providing primary data storing functionality. Moreover, there is a significant risk of using the data for repression in some contexts. We analyse the sector's current state and provide some recommendations to consumers and legislation to improve consumer rights to privacy while enhancing their health. At the same time, we recommend how the professional health sector should benefit from the collected data to improve their operations.

Max Maass,Nicolas Walter,Dominik Herrmann,Matthias Hollick

DOI: https://doi.org/10.48550/arXiv.1811.12775

2018-11-30

Cryptography and Security

Abstract:Today, online privacy is the domain of regulatory measures and privacy-enhancing technologies. Transparency in the form of external and public assessments has been proposed for improving privacy and security because it exposes otherwise hidden deficiencies. Previous work has studied privacy attitudes and behavior of consumers. However, little is known on how organizations react to measures that employ public "naming and shaming" as an incentive for improvement. We performed the first study on this aspect by conducting a qualitative survey with 152 German health insurers. We scanned their websites with PrivacyScore.org to generate a public ranking and confronted the insurers with the results. We obtained a response rate of 27%. Responses ranged from positive feedback to legal threats. Only 12% of the sites - mostly non-responders - improved during our study. Our results show that insurers struggle due to unawareness, reluctance, and incapability, and demonstrate the general difficulties of transparency-based approaches.

David Grande,Xochitl Luna Marti,Rachel Feuerstein-Simon,Raina M. Merchant,David A. Asch,Ashley Lewson,Carolyn C. Cannuscio

DOI: https://doi.org/10.1001/jamanetworkopen.2020.8285

2020-07-09

JAMA Network Open

Abstract:Importance: Digital technology is part of everyday life. Digital interactions generate large amounts of data that can reveal information about the health of individual consumers (the digital health footprint).Objective: Τo describe health privacy challenges associated with digital technology.Design, Setting, and Participants: For this qualitative study, In-depth, semistructured, qualitative interviews were conducted with 26 key experts from diverse fields in the US between January 1 and July 31, 2018. Open-ended questions and hypothetical scenarios were used to identify sources of digital information that contribute to consumers&#x27; health-relevant digital footprints and challenges for health privacy. Participants also completed a survey instrument on which they rated the health relatedness of digital data sources.Main Outcomes and Measures: Health policy challenges associated with digital technology based on qualitative responses to expert interviews.Results: Although experts&#x27; ratings of digital data sources suggested a possible distinction between health and nonhealth data, qualitative interviews uniformly indicated that all data can be health data, particularly when aggregated across sources and time. Five key characteristics of the digital health footprint were associated with health privacy policy challenges: invisibility (people are unaware of how their data are tracked), inaccuracy (data in the digital health footprint can be inaccurate), immortality (data have no expiration date and are aggregated over time), marketability (data have immense commercial value and are frequently bought and sold), and identifiability (individuals can be readily reidentified and anonymity is nearly impossible to achieve). There are virtually no regulatory structures in the US to protect health privacy in the context of the digital health footprint.Conclusions and Relevance: The findings suggest that a sector-specific approach to digital technology privacy in the US may be associated with inadequate health privacy protections.

medicine, general & internal

Ali Sunyaev,Tobias Dehling,Patrick L Taylor,Kenneth D Mandl

DOI: https://doi.org/10.1136/amiajnl-2013-002605

Abstract:Mobile health (mHealth) customers shopping for applications (apps) should be aware of app privacy practices so they can make informed decisions about purchase and use. We sought to assess the availability, scope, and transparency of mHealth app privacy policies on iOS and Android. Over 35,000 mHealth apps are available for iOS and Android. Of the 600 most commonly used apps, only 183 (30.5%) had privacy policies. Average policy length was 1755 (SD 1301) words with a reading grade level of 16 (SD 2.9). Two thirds (66.1%) of privacy policies did not specifically address the app itself. Our findings show that currently mHealth developers often fail to provide app privacy policies. The privacy policies that are available do not make information privacy practices transparent to users, require college-level literacy, and are often not focused on the app itself. Further research is warranted to address why privacy policies are often absent, opaque, or irrelevant, and to find a remedy.

Sambhabi Patnaik,Kyvalya Garikapati,Lipsa Dash,Ramyani Bhattacharya,Arpita Mohapatra

DOI: https://doi.org/10.4108/eetpht.10.5583

2024-03-29

EAI Endorsed Transactions on Pervasive Health and Technology

Abstract:INTRODUCTION: Health information amassed during the treatment of a medical condition is termed health data. This data encompasses information gathered about a patient and their family, forming a patient history. The internet has progressively transformed communication, commerce, and information acquisition. Among the diverse domains it has influenced, the healthcare sector stands out as one of the most intricate and unique realms of integration. Big data are the results of normal online transactions and interactions that take place online, the detectors that are implanted in devices and actual locations, as well as the generation of digital contents by individuals whenever they submit data over internet. OBJECTIVES: The need of protection of health data and methods of safeguarding patient privacy. The study also helps \understand and appreciate the best practices which will help India in implementing the law more effectively. METHODS: A doctrinal method of research was employed to analyse the laws and regulations. A comparative approach of different countries gives us the understanding of the gaps and issues. The efficacy of the laws was tested as the paper explores the laws of Canada & Indonesia regarding data protection. RESULTS: In this study, we understood the generation, processing, and interchange of these massive amounts of data can now be facilitated by cloud computing technology. As India, recently enacted 'The Digital Data Protection Act 2023' which might be a ray of hope for protection of sensitive health data of individuals from misuse. CONCLUSION: The journey towards optimal data protection is ongoing, requiring continuous adaptation to the dynamic nature of technology and the ever-changing healthcare environment.

Prathamesh Churi,Ambika Pawar,Antonio-José Moreno-Guerrero

DOI: https://doi.org/10.3390/inventions6030045

IF: 3.4

2021-06-23

Inventions

Abstract:Background: According to the renowned and Oscar award-winning American actor and film director Marlon Brando, “privacy is not something that I am merely entitled to, it is an absolute prerequisite.” Privacy threats and data breaches occur daily, and countries are mitigating the consequences caused by privacy and data breaches. The Indian healthcare industry is one of the largest and rapidly developing industry. Overall, healthcare management is changing from disease-centric into patient-centric systems. Healthcare data analysis also plays a crucial role in healthcare management, and the privacy of patient records must receive equal attention. Purpose: This paper mainly presents the utility and privacy factors of the Indian healthcare data and discusses the utility aspect and privacy problems concerning Indian healthcare systems. It defines policies that reform Indian healthcare systems. The case study of the NITI Aayog report is presented to explain how reformation occurs in Indian healthcare systems. Findings: It is found that there have been numerous research studies conducted on Indian healthcare data across all dimensions; however, privacy problems in healthcare, specifically in India, are caused by prevalent complacency, culture, politics, budget limitations, large population, and existing infrastructures. This paper reviews the Indian healthcare system and the applications that drive it. Additionally, the paper also maps that how privacy issues are happening in every healthcare sector in India. Originality/Value: To understand these factors and gain insights, understanding Indian healthcare systems first is crucial. To the best of our knowledge, we found no recent papers that thoroughly reviewed the Indian healthcare system and its privacy issues. The paper is original in terms of its overview of the healthcare system and privacy issues. Social Implications: Privacy has been the most ignored part of the Indian healthcare system. With India being a country with a population of 130 billion, much healthcare data are generated every day. The chances of data breaches and other privacy violations on such sensitive data cannot be avoided as they cause severe concerns for individuals. This paper segregates the healthcare system’s advances and lists the privacy that needs to be addressed first.

Ryan Amos,Gunes Acar,Eli Lucherini,Mihir Kshirsagar,Arvind Narayanan,Jonathan Mayer

DOI: https://doi.org/10.1145/3442381.3450048

2021-07-21

Abstract:Automated analysis of privacy policies has proved a fruitful research direction, with developments such as automated policy summarization, question answering systems, and compliance detection. Prior research has been limited to analysis of privacy policies from a single point in time or from short spans of time, as researchers did not have access to a large-scale, longitudinal, curated dataset. To address this gap, we developed a crawler that discovers, downloads, and extracts archived privacy policies from the Internet Archive's Wayback Machine. Using the crawler and following a series of validation and quality control steps, we curated a dataset of 1,071,488 English language privacy policies, spanning over two decades and over 130,000 distinct websites. Our analyses of the data paint a troubling picture of the transparency and accessibility of privacy policies. By comparing the occurrence of tracking-related terminology in our dataset to prior web privacy measurements, we find that privacy policies have consistently failed to disclose the presence of common tracking technologies and third parties. We also find that over the last twenty years privacy policies have become even more difficult to read, doubling in length and increasing a full grade in the median reading level. Our data indicate that self-regulation for first-party websites has stagnated, while self-regulation for third parties has increased but is dominated by online advertising trade associations. Finally, we contribute to the literature on privacy regulation by demonstrating the historic impact of the GDPR on privacy policies.

Computers and Society

Mohamed Abdelhamid,Joana Gaia,G Lawrence Sanders

DOI: https://doi.org/10.2196/jmir.6877

IF: 7.076

2017-09-13

Journal of Medical Internet Research

Abstract:BACKGROUND: Health care providers are driven by greater participation and systemic cost savings irrespective of benefits to individual patients derived from sharing Personal Health Information (PHI). Protecting PHI is a critical issue in the sharing of health care information systems; yet, there is very little literature examining the topic of sharing PHI electronically. A good overview of the regulatory, privacy, and societal barriers to sharing PHI can be found in the 2009 Health Information Technology for Economic and Clinical Health Act.OBJECTIVE: This study investigated the factors that influence individuals&#x27; intentions to share their PHI electronically with health care providers, creating an understanding of how we can represent a patient&#x27;s interests more accurately in sharing settings, instead of treating patients like predetermined subjects. Unlike privacy concern and trust, patient activation is a stable trait that is not subject to change in the short term and, thus, is a useful factor in predicting sharing behavior. We apply the extended privacy model in the health information sharing context and adapt this model to include patient activation and issue involvement to predict individuals&#x27; intentions.METHODS: This was a survey-based study with 1600+ participants using the Health Information National Trends Survey (HINTS) data to validate a model through various statistical techniques. The research method included an assessment of both the measurement and structural models with post hoc analysis.RESULTS: We find that privacy concern has the most influence on individuals&#x27; intentions to share. Patient activation, issue involvement, and patient-physician relationship are significant predictors of sharing intention. We contribute to theory by introducing patient activation and issue involvement as proxies for personal interest factors in the health care context.CONCLUSIONS: Overall, this study found that although patients are open to sharing their PHI, they still have concerns over the privacy of their PHI during the sharing process. It is paramount to address this factor to increase information flow and identify how patients can assure that their privacy is protected. The outcome of this study is a set of recommendations for motivating the sharing of PHI. The goal of this research is to increase the health profile of the patients by integrating the testing and diagnoses of various doctors across health care providers and, thus, bring patients closer to the physicians.

health care sciences & services,medical informatics

Muhammad Rizwan Asghar,TzeHowe Lee,Mirza Mansoor Baig,Ehsan Ullah,Giovanni Russello,Gillian Dobbie

DOI: https://doi.org/10.48550/arXiv.1711.00546

2017-11-02

Abstract:The emergence of New Data Sources (NDS) in healthcare is revolutionising traditional electronic health records in terms of data availability, storage, and access. Increasingly, clinicians are using NDS to build a virtual holistic image of a patient's health condition. This research is focused on a review and analysis of the current legislation and privacy rules available for healthcare professionals. NDS in this project refers to and includes patient-generated health data, consumer device data, wearable health and fitness data, and data from social media. This project reviewed legal and regulatory requirements for New Zealand, Australia, the European Union, and the United States to establish the ground reality of existing mechanisms in place concerning the use of NDS. The outcome of our research is to recommend changes and enhancements required to better prepare for the 'tsunami' of NDS and applications in the currently evolving data-driven healthcare area and precision or personalised health initiatives such as Precision Driven Health (PDH) in New Zealand.

Computers and Society

Hannah K. Galvin,Paul R. DeMuro

DOI: https://doi.org/10.1055/s-0040-1701987

2020-08-01

Yearbook of Medical Informatics

Abstract:Objectives: To survey international regulatory frameworks that serve to protect privacy of personal data as a human right as well as to review the literature regarding privacy protections and data ownership in mobile health (mHealth) technologies between January 1, 2016 and June 1, 2019 in order to identify common themes. Methods: We performed a review of relevant literature available in English published between January 1, 2016 and June 1, 2019 from databases including PubMed, Google Scholar, and Web of Science, as well as relevant legislative background material. Articles out of scope (as detailed below) were eliminated. We categorized the remaining pool of articles and discrete themes were identified, specifically: concerns around data transmission and storage, including data ownership and the ability to re-identify previously de-identified data; issues with user consent (including the availability of appropriate privacy policies) and access control; and the changing culture and variable global attitudes toward privacy of health data. Results: Recent literature demonstrates that the security of mHealth data storage and transmission remains of wide concern, and aggregated data that were previously considered “de-identified” have now been demonstrated to be re-identifiable. Consumer-informed consent may be lacking with regard to mHealth applications due to the absence of a privacy policy and/or to text that is too complex and lengthy for most users to comprehend. The literature surveyed emphasizes improved access control strategies. This survey also illustrates a wide variety of global user perceptions regarding health data privacy. Conclusion: The international regulatory framework that serves to protect privacy of personal data as a human right is diverse. Given the challenges legislators face to keep up with rapidly advancing technology, we introduce the concept of a “healthcare fiduciary” to serve the best interest of data subjects in the current environment.

Jana Korunovska,Bernadette Kamleitner,Sarah Spiekermann

DOI: https://doi.org/10.48550/arXiv.2005.08967

2020-05-18

Abstract:The new information and communication technology providers collect increasing amounts of personal data, a lot of which is user generated. Unless use policies are privacy-friendly, this leaves users vulnerable to privacy risks such as exposure through public data visibility or intrusive commercialisation of their data through secondary data use. Due to complex privacy policies, many users of online services unwillingly agree to privacy-intruding practices. To give users more control over their privacy, scholars and regulators have pushed for short, simple, and prominent privacy policies. The premise has been that users will see and comprehend such policies, and then rationally adjust their disclosure behaviour. In this paper, on a use case of social network service site, we show that this premise does not hold. We invited 214 regular Facebook users to join a new fictitious social network. We experimentally manipulated the privacy-friendliness of an unavoidable and simple privacy policy. Half of our participants miscomprehended even this transparent privacy policy. When privacy threats of secondary data use were present, users remembered the policies as more privacy-friendly than they actually were and unwittingly uploaded more data. To mitigate such behavioural pitfalls we present design recommendations to improve the quality of informed consent.

Computers and Society