ORCHA research identifies privacy issues with policy-tracking apps

An ORCHA study [the Organisation for the Review of Care and Health Apps] revealed that 84% of period-tracking apps share data with third parties.

Data stored in some of these apps may show details of sexual activity, contraception used and when the user’s periods stop and start.

ORCHA studied 25 different policy-tracking apps and found only one that kept all sensitive data on the owner’s device. The others have all shared this data with the app developer.

Additionally, 84% of apps enabled the sharing of personal and sensitive health data beyond the developer’s system, with third parties. The majority (68%) did so for marketing, 40% for research, and 40% for improving developer services for the app itself.

Tim Andrews, COO of ORCHA, said, “It would be best for an app to have a ‘consent’ page easily accessible from the main menu. Each individual permission could then be checked or unchecked at any time. Thus, a user wishing to ensure privacy could easily change their mind and uncheck the permission to share with third parties.

Among other issues identified by ORCHA with this type of application regarding data security, almost half of those tested showed poor compliance with the GDPR; only two apps showing evidence of compliance with best practice certifications; and 80% of apps not meeting wider quality standards for inclusion in ORCHA app libraries for NHS providers.

Fatima Ahmed, ORCHA’s Clinical Manager for Maternity and Women’s Health, said: “Period tracking apps were developed for alarming reasons, but they are probably just the tip of the iceberg in regarding data security. And even app developers who promise to stop sharing names and addresses, for example, should be aware that people can be identified by an IP address.

This is not the first time that this type of application has been highlighted for not having protected user data. In 2019, Privacy International reviewed six period tracking apps and found five were sharing data with Facebook – some before privacy settings had even been agreed with the user.

Lance B. Holton