Awareness & Understanding
Privacy and Consent
Privacy refers to the right of individuals to be free from interference by others. It's a crucial right in a society that values freedom and democracy. This includes personal space, information, thoughts, communications, and more. The concept of privacy comprises several aspects, such as informed consent, transparency, and compliance, that are not necessarily connected to security.
Central to privacy is the ability to control one's personal information. Consent is closely tied to privacy, as individuals should have the chance to decide whether to allow the collection, use, and sharing of their information.
Debunking Myths
Privacy means you have to get the individual's consent before dealing with their personal information
Incorrect. Agencies are not required to obtain consent in order to collect personal information; consent is just one of several options they have for using or disclosing it.
Most Companies Follow Data Privacy Laws
Incorrect. Many companies overlook data privacy laws, collecting excessive data and struggling with compliance. Continuous monitoring and robust privacy programs are required for consumer trust.
Data Privacy only pertains to personal information
Incorrect. Data Privacy extends beyond personal data to include various types of information like demographic, customer, business, employee, and financial data.
Foundations of Privacy and Consent
The Risks with Insecure Apps
In today's digital age, mental health apps provide vital resources, but their security is crucial because they contain sensitive personal health data. They are often developed under limited budgets and tight deadlines, which leads to potential security vulnerabilities and risks to users' well-being.
- The Value of Information: Cyber-criminals target mental health apps due to the sensitive personal health information they contain. Protecting this information is not just about safeguarding data; it's about safeguarding well-being.
- Challenges for Developers: Many mental health apps are developed under constraints that can lead to security vulnerabilities. These include insufficient security guidelines, inadequate testing, and the rush to meet launch deadlines.
- The Consequences: Associating an individual with a mental health app can inadvertently disclose sensitive information about their psychological well-being. Moreover, analyses have revealed that a significant number of apps are at a critical security risk, underscoring the need for improved protections.
Terms and Conditions: The hidden "Elephant"
The "Terms and Conditions" section of mental health apps represents a significant, yet often overlooked, aspect of user consent and data privacy. With most users habitually clicking "agree" without reading, the implications of what lies within these agreements remain largely unexamined and misunderstood.
The Illusion of Privacy
Despite the assumption of privacy and protection under laws like HIPAA, many mental health apps fall outside these regulations. This gap leaves user data vulnerable to misuse.
Data Commodification and Risks
Selling health data to non-healthcare entities poses major privacy risks. When merged with other data for targeted ads, it becomes a powerful tool for companies not governed by healthcare privacy standards.
The Need for Clearer Consent
Current consent processes often mix generic terms of service with genuine informed consent. Mental health apps urgently require transparent, accessible consent forms detailing data collection separate from standard terms.
Mental Health Personal Information and HIPAA
It is interesting to note that several phone applications have no protection under HIPAA for people's mental health personal information. HIPAA protects "covered entities," such as hospitals or other health organizations, but other entities that store health data, such as several phone applications, aren't regulated through HIPAA, which allows the data to be sold and purchased. According to a study conducted by Duke University, people's personal information, including illness and medication, was sold to third-party companies, and it was legal.
The privacy policies of some companies also mention that they make use of anonymized data collected from users or customers. The companies collect and make use of data such as demographic information, sexual orientation, disabilities, and other information regarding your personal health. The companies disclose that this information might be shared in the future with others, such as healthcare providers and researchers. However, this is concerning, as it is possible for anonymous data to be de-anonymized. The de-anonymized data can put users at risk, as their privacy can be violated.
The privacy policy highlights that personal information can be de-identified and shared with others. The policy includes the following statement: "Such anonymized, aggregated data is no longer considered Personal Information."
In 2022, research showed some concerns in Youper's privacy policy. The policy stated: "may disclose aggregated, de-identified information about our users, and information that does not identify any individual, without restriction."
However, in 2023, Youper seems not to share data with third parties. Nonetheless, there is less clarity about whether the privacy policy aligns with HIPAA.