Pro Bono Society

Digital Privacy and Legal Rights

Health apps and privacy concerns

If you have a health app on your phone, it may have access to a wider range of your data than you realise. Because such apps are presumed to have the positive intention of helping you manage your health, it's easy to be lulled into a false sense of security. Like any app though, your data may be at risk. This is a particular concern due to the nature of the data they hold - as an example, the Apple Health App allows an iPhone to store walking data, mobility data, headphone audio levels, sleep history, health records, any data you manually enter such as menstrual cycles, medications and body measures, as well as information from a paired Apple Watch like heart rate and blood oxygen.


The risk of data leaks

In recent years there has been a trend of health apps appearing in data leaks. Most health apps have been found to have weak security, with one analysis finding 91% of them to have weak encryption and another finding all apps vulnerable to API attacks (APIs, or Application Programming Interfaces, are the communication channels between an app and a cloud service, physical server, or hospital infrastructure). API endpoints are also particularly susceptible to a type of attack known as Broken Object Level Authorization, which allows someone to view personally identifying information. In June 2021, for example, an unsecured database was found to expose more than 61 billion records tied to fitness app users, information which could be used in targeted phishing attacks. Authorities are increasingly cracking down, but it's nonetheless important to stay on top of what data you are sharing to reduce your risk.


Third Party sharing

Beyond just data leaks, health apps can potentially share any data they have access to with third parties. The British Medical Journal analysed more than 20,000 mobile health apps on the Google Play Store and found 88% to be using tracking identifiers and cookies to track user activities, with 28% providing no privacy statements on Google Play about what exactly was being collected - something against the terms of service. Such information can be used for tracking and profiling purposes, essentially a form of data mining which is done without user consent. Companies like Facebook, Google, and Amazon potentially have access to your health data.


What's the law and what can you do to protect yourself

In the UK, health apps must adhere to the UK General Data Protection Regulation and the Data Protection Act 2018. The former requires app developers to obtain explicit user consent for data collection and clearly inform users about how their data will be used. The latter gives you the right to find out about what the government and other organisations store about you - if you write to an organisation asking for a copy of this information they are obliged to give this to you within 1 month, notifying and explaining any delay up to 2 further months.


As a preventative measure though, it's important to be able to read a Privacy Policy, a summary of which is usually available when an app is downloaded. On Google Play you can scroll down to the Data Safety section and on the App Store you can scroll down to App Privacy and read the policy summary. Some things to consider include:

- Any confusing language that makes it unclear how data is collected, used, and shared.

- Requests for large quantities of data

- A multitude of third parties listed without clarity on what data they are accessing.

- A lack of defined data retention period outlining how long your data is stored.

When downloading a health app, consider:

- Are you given clear opt-out options for data sharing?

- Are the app permissions legitimate? A health app is unlikely to need access to your microphone or location.

- What sign-in options are available? Requiring a social media login makes it easier to connect your data to your person, so opt to use a secure email where possible.



For more help, consider checking:

- Mozilla's Privacy Not Included, which allows you to read privacy reviews of a variety of apps.

- Exodus, which allows you to search Android apps to identify embedded trackers designed to collect data.

- Terms of Service; Didn't Read, which analyses and reviews data and privacy terms and conditions.

- Privacy International Learning Topics, which has guides on how to enhance your privacy.



All accessed 17.03.24



Data collection by companies


Technologies that capture and analyse data have grown considerably in recent years, giving businesses a greater ability to predict consumer behaviour and make further profit. Indeed, there are businesses that operate solely on the capture and sale of consumer data, selling this data to third parties or creating ads for the sale of products[1]. It is often unclear when or how this data is being collected, leaving consumers unaware. Even less well known are the rights that you have regarding your own data.


How do companies collect data and how can we avoid it?


There are various methods by which a company can collect consumer data, ranging from the more obvious to the hidden. These methods can themselves be complex; however, the three main ways in which businesses collect consumer data are:


  1. Directly Asking Customers: This includes information provided by customers when they sign up for a service, fill out a form or complete a survey.

  2. Indirectly Tracking Consumers: Use of technologies such as cookies and web beacons on websites that track browsing histories and interactions with content.

  3. Appending Other Sources: Acquisition of data from other companies or public records to add to their own data.[2] [3]


Whilst these methods of data collection can be hard to spot, there are ways in which they can be avoided. The main thing to keep in mind is to be vigilant about the techniques that companies use to collect data from consumers. With this mindset, it is possible to use a number of techniques to avoid data collection on the web:


  1. Browse Smart: Use different browsers for different activities to limit tracking.

  2. Adjust your Privacy Settings: Check and adjust privacy settings on your apps and devices.

  3. Limit Sharing: Be careful about how much personal data you share online and on forms.

  4. Use Privacy Tools: Use tools such as VPNs, ad-blockers and privacy-focussed browsers.

  5. Opt-Out of Data Collection (this is the most important one): Many sites will offer options to opt out of their data collection; look for these and exercise your right to privacy. [4] [5]

Whilst remaining completely invisible online is near impossible, taking these steps can significantly reduce the amount of data that companies can collect on you.


How long can a company keep my personal data and can I request them to delete my personal information?


Whilst the length of time a company can keep your data varies, the overall principle is that they cannot keep it ‘longer than necessary’. The UK’s General Data Protection Regulation (GDPR) states that personal data should be kept in a form that allows identification of its subjects for no longer than is necessary for the purposes for which the data is being processed. However, there can be exceptions which allow companies to keep data for longer, such as public interest archiving, scientific or historical research or statistical purposes. [6] [7] [8]


Overall there are three key points to bear in mind regarding how long your data can be retained and what companies should be doing:


  1. Necessity: Data should only be kept ‘as long as necessary’ for the purposes it was collected.

  2. Retention Policy: Companies should often have a data retention policy on how they hold the data and either delete or anonymise it after use.

  3. Regular Review: Companies should be regularly reviewing data they hold to find out when it is no longer needed.

Importantly, when it comes to personal data, you have the right to request a company to delete your personal information. This is known as the right to erasure or the right to be forgotten [9]. This can be requested verbally or in writing, and a company could be obliged to comply with the request [10] [11]. In brief you can ask to have your data deleted if:

- The data is no longer needed for the purpose it was collected.

- You initially consented to the use of your data but now withdraw your consent.

- You object to the use of your data and your interests outweigh the company using it.

- The data was collected unlawfully or the company has a legal obligation to erase it.

- The data was collected from you as a child. [12]


When requesting your right to erasure, you should contact the company holding the data and specify the data that you wish to have deleted. However, it should be remembered that this right is not absolute and applies only in certain situations, therefore it is worth double-checking your specific conditions to see if they fall within the scope of your right.





Oversharing on Social Media


With the rise of social platforms such as Facebook, Instagram and Snapchat, oversharing has become an increasingly prevalent phenomenon. Individuals can share every aspect of their lives with a global audience through posts, stories and other features of these apps, and research shows that 4.8 billion people worldwide actively use social media. Although there are many positives to such apps and to connecting with your loved ones, the risks of oversharing information on an accessible platform are often overlooked. ‘Oversharing’ in this sense refers to any information or content available online about you that can or may be used against you, including for stalking, identity theft and fraud. The impact of social media oversharing on society is multifaceted and complex. This article examines the various reasons people overshare, the positives and negatives of doing so, and how you can safeguard yourself from the risk of exploitation due to oversharing.


Oversharing on social media includes posting temporary and permanent stories and posts for people to access. This includes your followers, but also people you are unaware of if you have a public/non-private profile, who can find you through search engines or apps designed specifically for viewing profiles. People tend to overshare to seek validation and attention from others, and so for their own internal gratification: the views, likes, comments, shares, messages and followers they gain through their posts provide a sense of achievement and reinforcement. Comparison and competition may also be a common reason for sharing on social media. People compare their experiences with others, and sharing has become a means of ‘showing off’ happiness and lifestyle. Another major reason for oversharing, which ties into the reasons mentioned above, is a boost to self-esteem and identity, with the platforms used as a coping mechanism to make life seem better than it is while avoiding dealing with the issues faced. The upcoming generations specifically tend to experience ‘FOMO – Fear of Missing Out’ if they don’t post. Often, due to such peer pressure, they end up sharing more than they willingly would on social media and feel the need to constantly post to ‘fit in’.

However, oversharing is not always necessarily a bad thing. If used wisely, social platforms can be used to spread awareness about current issues around the globe, a major example being the Palestine situation. Instagram has also launched a feature to raise funds through donations for multiple causes. People can also become influencers through these platforms and share their interests and talent with the world. Social media’s primary initial focus was to let people connect with loved ones, share memories and experiences with them, and store those memories for themselves. That focus now seems to have shifted, which has raised concerns that will now be examined.


In recent times, with technology evolving every day, children of every age have access to social media. Although age restrictions and measures such as mandatory private accounts for children under a certain age apply on most if not all social platforms, it is inevitable that some content will be visible to strangers and people who might exploit that information. Not all children are taught how to use social media safely and, for many of the reasons mentioned above, children may feel compelled to post content that could result in misuse of that information. Posting your live location or places you frequently visit, amongst other things, can be used to invade your privacy. Oversharing may result from underlying mental health issues, such as anxiety, but may also give rise to them through hate comments and other means. Your digital footprint is permanent and accessible to all, and hence there is a crucial need to be considerate of your social activity and how it may affect you. People get involved in dangerous activities to get the ‘right angle’ for the content they post, which can also result in injuries – another concern about the obsession people tend to develop with sharing content. You can also be subjected to identity theft, fraud and harassment, for which you have the legal right to prosecute under statutes such as the Fraud Act 2006, the Protection from Harassment Act 1997 and the Crime and Disorder Act 1998.


1. Make sure your account is set to private and remove any followers that you do not know. Remember that accounts that look sensible may not reflect the user’s true identity.

2. Try to avoid posting your location.

3. Try to avoid posting personal details and information.

4. If you are being harassed online, block and report the accounts and seek guidance and help from someone you trust.

5. Share consciously and choose your content wisely.

All accessed 25-03-2024


A topical issue when it comes to digital privacy is breaches of personal healthcare data. Fortunately, the Information Commissioner’s Office reports that in the UK in recent years most data leakage is accidental, rather than the result of cyber-attacks - think letters posted to the wrong addresses or misplaced paperwork.[13] East Midlands Ambulance Service recently reported losing 42,000 patient forms, an accident which the chief executive, Sue Noyes, was quick to clarify was unlikely to lead to breaches of privacy due to the unavailability of specialist hardware to read the forms, all held on a single cartridge.[14]

Noyes’s words are reassuring. In fact, when data is handled outside of the patient care process, it is customary for it to be stripped of identifying features.[15] More problematic is when information from other leaked data is combined to create a digital ‘picture.’ In this situation one has to contend with the possibility that somebody else can uncover sensitive aspects of one’s personal history. Depending on the nature of a patient’s particular medical history, their data in the hands of a malicious party can understandably cause stress or worse. But such a situation would be rare.

The more challenging issue with healthcare data security is the passing of individual information to online platforms. Notably, an Observer investigation the prior year discovered a browser tracking tool used with over 20 NHS websites, the data then being shared with Facebook for the subsidiary company’s own advertising purposes.[16] These breaches did end up being connected to individuals. One individual who had viewed information on HIV medication had their history sent to Facebook alongside their IP address and Facebook user ID.[17] The common maxim of data privacy cynics that ‘if you have nothing to lose you have nothing to hide’ was proven groundless in this data debacle.

In the above breaches, personal information was sent to Facebook even before users had the opportunity to choose their cookie settings.[18] 17 of the 20 NHS trusts did not mention Facebook or Meta in their website privacy statements at all.[19] Evidently, data security is an ongoing concern, but it is possible that consumers will need to become more aware of these kinds of events before companies tighten their practices.

[1] M Freedman, ‘How businesses are collecting data (and what they’re doing with it)’, Businesses Are Collecting Data. How Are They Using It? (Accessed 18.03.2024)

[2] Ibid

[3] W Goddard, ‘How Do Big Companies Collect Consumer Data?’, How Do Big Companies Collect Customer Data? - ITChronicles (Accessed 18.03.2024)

[4] A Fitzpatrick, ‘How companies legally harvest your data - and how to stop them’, How companies legally harvest your data — and how to stop them - Reincubate (Accessed 18.03.2024)

[5] J Porter, ‘How to Prevent Online Companies From Collecting Your Data?’, How to Prevent Online Companies from Collecting Your Data? (Accessed 18.03.2024)

[6] ICO, Principle (e): Storage limitation | ICO (Accessed 18.03.2024)

[7] C Hajduk, ‘How Long Can You Keep Personal Data Under UK GDPR?’, How long can you keep personal data under UK GDPR? (Accessed 18.03.2024)

[9] Google Spain v AEPD and Mario Costeja González (2014)

[10] ICO, Your right to get your data deleted | ICO (Accessed 18.03.2024)

[11] ‘Can I Ask A Company To Delete My Personal Data?’, Can I ask a company to delete my personal data? - European Commission (Accessed 18.03.2024)

[12] ICO, Your right to get your data deleted | ICO (Accessed 18.03.2024)

[13] n.a., ‘What are the risks around patient data?’ (Understanding Patient Data, n.d.) accessed 19 March 2024.

[14] Rene Millman, ‘East Midlands Ambulance Service loses disk containing 42,000 patient forms’ (ITPro, September 2014) accessed 19 March 2024.

[15] ‘What are the risks around patient data?’ accessed 19 March 2024.

[16] Shanti Das, ‘NHS data breach: trusts shared patient details with Facebook without consent’ The Guardian (London, May 2023) accessed 19 March 2024.

[17] ibid

[18] Dan Milmo, ‘UK plan to scrap cookie consent boxes will ‘make it easier’ to spy on web users’ The Guardian (London, June 2022) accessed 19 March 2024.

[19] Das, ‘NHS data breach: trusts shared patient details with Facebook without consent.’
