Short-term savings can mean long-term risk: Data Protection Officer Andrea Vosshoff warns against sending fitness app data to health insurance companies
“Runtastic”, “Calorie Counter” by FatSecret, “Zombies, Run!”: these are only three of about 400,000 apps today that deal with medical, health or lifestyle topics. A growing number of private health insurance companies in Germany offer apps to their members for use as proof of healthy habits. The apps simply transfer data about the member’s preventive check-ups or sporting activities to the insurance company. They are either downloaded onto smartphones and tablets or already integrated into wearable devices. They also gather sensitive health data such as heart rate, overall physical condition, eating habits or a person’s entire medical history. German Data Protection Officer Andrea Vosshoff, however, warns users who voluntarily download such fitness apps not to be negligent about their sensitive medical information. Nobody should start using them merely because of short-term financial benefits without thinking about the long-term risks.
Tempting cost benefits mask the risks
Transferring the information comes with certain cost benefits. These are tempting, especially for young and healthy people. However, prognoses concerning the future health development of insurance members can be used for individual offers tailored to each customer’s profile. The service portfolio could, for example, be adjusted accordingly, or future risk surcharges calculated. This could then become expensive for the individual.
Not only the private insurance companies have an interest in fitness apps. The public health insurance agencies also like the idea of watching their customers’ activity and vital data. There is, however, a crucial difference: public health insurance agencies may only gather sensitive personal data in cases defined by legislation. Clients of private companies can also agree to data gathering by contract. To make participation even more compelling, Generali (a German holding company consisting of about 20 insurance companies) will soon introduce a tariff under which insured people can receive discounts or presents for sharing data. The consumer organization of Baden-Wuerttemberg criticizes this undertaking: the Generali member wouldn’t know where his data is being processed inside the corporation and who has access to it. The Fitbit that one wears while sleeping knows, e.g., about a person’s sleeping patterns. That could also be of interest to an employer or potential employer. In the near future it will be possible to aggregate data and compare, e.g., sleeping patterns with driving or food consumption patterns, and draw conclusions about a person’s health or lifestyle from it. The question is also who is storing all the information and what this party intends to do with it. Data like name, location, weight and height could lead to sophisticated social engineering where third parties might know more about you than you do yourself. To get an impression of what can be done with sensitive information in the Internet of Things, I recommend David Mount’s talk at EIC 2015.
Right time for “Life Management Platforms”
There have to be other ways to deal safely with personalized data. The customer needs to keep control of his information. An appropriate answer would be (digital) life management platforms. A key concept behind them is the so-called “informed pull”, where you are able to receive information from others on a wide scale without violating an individual’s interest in safeguarding his data. On YouTube, Craig Burton explains the event-driven concept, which is designed not to be dominated by a single vendor.
Life management platforms are systems with which personal data can be used safely. It can also be passed on securely to other parties if needed, without the fear of unwanted third parties fiddling with the data. The basis for this is secure web solutions for personal data management. Pioneers in this field are smaller, specialized companies such as Meeco and the Dutch Qiy Foundation, but global companies like IBM and Microsoft have also started extensive research in this area.
Social, but private
Contrary to current social networks, control over access to and transmission of information stays with the owner of the data. However, with mere platforms for saving and sharing personal information, the individual won’t keep control over data once it has been transmitted. Here Kim Cameron’s concept of “minimal disclosure” comes into play: the Chief Architect of Identity in the Identity and Access Division at Microsoft sees it as crucial that we only pass on information which is really needed. That means much less data than we typically pass on now. E.g., in some cases of online business it is enough to know that someone is over 18. The service provider on the other side doesn’t have to know the exact date of birth.
Likewise it would be possible to transfer health information without passing the identity of the insurance member. I have explained before why this could still be a very interesting model for a health insurance company, be it public or private. It could be even more rewarding in fact, not only for one company but for the whole industry. Last but not least the customer could use the activity tracker she or he wants to. This would also lead to a much better customer relationship than by forcing them to use a specific solution they might not like, a relationship built on mutual respect and concern. If you are interested in knowing more about the concept behind this approach, I recommend Doc Searls’ book “The Intention Economy”.
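The following is an added example, not code from the original post or from any of the companies mentioned, illustrating the two ideas above in working code: the over-18 case of minimal disclosure, and passing a claim without passing the member’s identity. An issuer that holds the full member record emits only a yes/no age predicate plus a pseudonym, and protects that claim with an HMAC; the relying party can check the claim but never sees the name, the date of birth or any vital data. The member record, the HMAC key and the pseudonym salt are all constructed values for the demonstration, and sharing the HMAC key between issuer and verifier is an assumption made to keep the example dependency-free (a real deployment would use a signature scheme so the verifier cannot forge claims).

```python
# Added example (not from the post): a minimal-disclosure age claim.
# The issuer holds the full record; the relying party receives only
# "over 18: yes/no" and a pseudonym, protected by an HMAC.
# Assumptions: ISSUER_KEY is shared out of band between issuer and verifier,
# PSEUDONYM_SALT is known only to the issuer. All data below is constructed.
import hashlib
import hmac
import json
from datetime import date
from typing import Optional

# Constructed member record as the issuer would hold it (not real data).
SAMPLE_RECORD = {
    "member_id": "M-000123",
    "name": "Erika Mustermann",
    "date_of_birth": "2000-05-10",
    "heart_rate_avg": 64,
}

ISSUER_KEY = b"demo-issuer-hmac-key"      # assumption: shared with the verifier
PSEUDONYM_SALT = b"demo-pseudonym-salt"   # assumption: kept by the issuer only


def is_over_18(dob_iso: str, today_iso: str) -> bool:
    """True once the 18th birthday has been reached (29 Feb birthdays included)."""
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    birthday_passed = (today.month, today.day) >= (dob.month, dob.day)
    return today.year - dob.year - (0 if birthday_passed else 1) >= 18


def issue_claim(record: dict, today_iso: str) -> str:
    """Issuer side: reduce the full record to the one predicate the service needs."""
    claim = {
        # Pseudonym: lets the verifier recognise repeat visits, but the member id
        # cannot be recovered without the issuer's salt.
        "subject": hashlib.sha256(
            PSEUDONYM_SALT + record["member_id"].encode()
        ).hexdigest()[:16],
        "age_over_18": is_over_18(record["date_of_birth"], today_iso),
        "issued": today_iso,
    }
    payload = json.dumps(claim, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_claim(token: str) -> Optional[dict]:
    """Relying-party side: accept the claim only if the HMAC tag matches."""
    payload, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def disclosed_fields(token: str) -> set:
    """Which fields actually reach the verifier? (Empty set if the claim is invalid.)"""
    claim = verify_claim(token)
    return set(claim) if claim else set()


if __name__ == "__main__":
    token = issue_claim(SAMPLE_RECORD, "2018-06-01")
    print(token)
    print(verify_claim(token))
    print(disclosed_fields(token))
```

Running the script shows that the token carries exactly three fields (`subject`, `age_over_18`, `issued`); the name, date of birth and heart-rate value never leave the issuer, and any change to the predicate in transit fails verification. The same pattern extends to the health-insurance case in the paragraph above: the insurer can receive a signed “activity goal reached” statement tied to a pseudonym instead of the raw tracker data and the member’s identity.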
ABOUT THE AUTHOR
Martin Kuppinger is Founder of the independent analyst company KuppingerCole and, as Principal Analyst, responsible for KuppingerCole research. In his 25 years of IT experience he has written more than 50 IT-related books and is known as a widely-read columnist and author of technical articles and reviews, as well as a well-established speaker and moderator at seminars and congresses. His interest in Identity Management dates back to the 80s, when he also gained considerable experience in software architecture development. Over the years, he added several other fields of research, including virtualization, cloud computing and overall IT security. Having studied economics, he combines in-depth IT knowledge with a strong business perspective.