November 10, 2015

Study Exposes Shortcomings in Data Security of Health Apps on NHS Choices Platform

Digital Health Download

At the end of September, the BMC Medical Journal published a study by Imperial College London (the Study) into information privacy practices in health apps available from the NHS Choices Health Apps Library (NHS Choices). The results of the study indicated significant shortcomings in the handling of personal data by many of those apps. In turn, this raised concerns about the accreditation process used by NHS Choices to ensure adherence to data protection principles, which relies substantially on self-declaration by developers.

NHS Choices provides health apps covering a wide range of functions—from supply of health information, to health promotion (e.g., weight loss), to self-management of medical conditions. They are intended to be suitable for recommendation by medical professionals to their patients, but are also publicly available for more general use. NHS Choices is not currently responsible for the accreditation of health apps available on its platform; rather, developers are required to declare whether any data transmissions are made by their app and, where data is transmitted, to provide evidence of their registration with the Information Commissioner's Office. However, NHS Choices does review the apps it offers to ensure their compliance with data protection laws (as well as their relevance and clinical safety).

The Study reviewed 79 of 88 apps available from NHS Choices over a six-month period and assessed compliance with recommended data protection practices, including collection and transmission of information, confidentiality arrangements, and the availability of privacy policies. The results showed that 23 apps transmitted personal information (e.g., name, date of birth, email address, login details), and that four did so without encryption. Further, only 53 apps had a form of privacy policy, of which 38 failed to specify what information was transmitted over the internet. The Study called for regulators to consider establishing standards for accreditation processes and to intervene where such processes fail to manage risks effectively.

Since the Study was published, NHS Choices has begun taking action to address the security concerns it raises. In the short term, it has either removed non-compliant apps, or required developers to update them to ensure compliance. In the longer term, NHS Choices is committed to developing a "whitelist" of endorsed apps, which have undergone close scrutiny for security compliance. An assessment model is in the pilot stage. Developers will need to consider the final assessment criteria in producing future health apps.