Study Exposes Shortcomings in Data Security of Health Apps on NHS Choices Platform
At the end of September, the BMC Medical Journal published a study by Imperial College London (the Study) into information privacy practices in health apps available from the NHS Choices Health Apps Library (NHS Choices). The results of the Study indicated significant shortcomings in the handling of personal data by many of those apps. In turn, this raised concerns about the accreditation process used by NHS Choices to ensure adherence to data protection principles, which relies substantially on self-declaration by developers.
NHS Choices provides health apps covering a wide range of functions—from supply of health information, to health promotion (e.g., weight loss), to self-management of medical conditions. They are intended to be suitable for recommendation by medical professionals to their patients, but are also publicly available for more general use. NHS Choices is not currently responsible for the accreditation of health apps available on its platform; rather, developers are required to declare whether any data transmissions are made by their app and, where data is transmitted, to provide evidence of their registration with the Information Commissioner's Office. However, NHS Choices does review the apps it offers to ensure their compliance with data protection laws (as well as their relevance and clinical safety).
Since the Study was published, NHS Choices has begun taking action to address the security concerns it raises. In the short term, it has either removed non-compliant apps, or required developers to update them to ensure compliance. In the longer term, NHS Choices is committed to developing a "whitelist" of endorsed apps, which have undergone close scrutiny for security compliance. An assessment model is in the pilot stage. Developers will need to consider the final assessment criteria in producing future health apps.