A few months ago I took part in a discussion with the Cambridge Collective for Women’s Health regarding data privacy and security in femtech….. here are some of the key topics we discussed.
What is femtech and what data are we talking about?
Femtech is a phrase coined by entrepreneur Ida Tin in 2016, for technology that addresses the unmet health and biological needs for women (including trans people and those undergoing gender reassignment), and refers to diagnostic tools, products, service, wearables, and software that use technology to address women’s health issues. This includes products such as fertility solutions, period tracking apps, pregnancy and nursing care, sexual wellness, and reproductive health.
The data collected as part of this will include name, date of birth, location, as well as product specific data including, period duration, fertility related hormone levels, mental state, body temperature, sexual health, and libido. Collected data will also include IP address, device type, cookies, behavioural data regarding a website.
What is the data used for?
Data is used to make the product work for the customer, and the more data you submit to the app for example, the better it will work. Some products will allow the user to create a body/diary of evidence of symptoms, (period/menopause for example), which may be useful for collating evidence to show to a persons GP for example.
Can you tell us briefly about the different data and privacy laws in different regions?
The most well known is the General Data Protection Regulation (GDPR) which governs data protection in the EU as well as the UK until we left the EU.
GDPR is based upon the following principles, and those that are processing data, such as the app manufacturers, must follow them:
- Data is collected lawfully, fairly and with transparency
- Data is collected for a specific and legitimate purpose
- Data collected is adequate and limited to what is necessary
- Data collected is accurate and kept up to date
- Stored data will be kept for minimal time
- Data is kept secure
There is also stronger legal protection for more sensitive information such as race, ethnic background, genetics, health, sex life or orientation.
Data protection in the UK follows the Data Protection Act 1998 or UK GDPR which again is based upon data protection principles very similar to GDPR. As the UKs data laws follow the same stringency as GDPR, this allows data to be moved between UK and EU more easily.
If an app is purchased by a customer (if it was free or paid for), the customer is termed as a data owner and have specific rights such as:
- Be informed how their data is being used
- Have access to their data
- Have incorrect data updated
- Have data erased
- Stop or restrict the processing of their data
- Have portability of their data
- Object to profiling e.g. if a company uses data to predict behaviours or interests
In the US, there is no single data protection regulation, rather a jumble of hundreds of laws at a federal and state level which can be hard to navigate.
HIPAA (Health Insurance Portability and Accountability Act) is a federal privacy protection law that safeguards a person’s medical information. HIPAA applies to hospitals, healthcare providers, insurance companies. However, some products such as period tracking apps are not classed as healthcare data and therefore not covered by HIPAA, instead is covered by the Federal Trade Commission, which does not mandate as stringent laws.
What rights do data owners have?
Under GDPR and UK DPA, customers or data owners do have rights, and need to be aware of these and action if needed, such as data amendment or deletion.
Customers also need to be aware that their data could be sold to third parties and can have little control over this, especially if this clause in contract is buried in product terms and conditions.
As we become more connected there needs to be a level of acceptance that some of our data gets sold to third parties. However, there needs to be better transparency of this to data owners when signing up for apps etc.
What are the concerns for customers and are they legitimate?
Some customers may feel slightly violated that our data is sold on, but generally this is for marketing purposes and nothing sinister. However, in the US in June 2022 US supreme court issued its official ruling on the case of Dobbs v Jackson Women’s Health Organisation. Their decision overturned the landmark case of Roe v Wade which gave federally guaranteed right to abortion across all US states. Therefore, depending on state, women, trans men and those of other identity that can get pregnant are open to prosecution if they seek an abortion.
For example, in 2017 in Mississippi, Latice Fisher was charged with second degree murder for the death of her foetus. As part of the case her phone was reviewed including internet search history that sound searches for purchase of abortion pills. Data was used to prove intent to receive an abortion. It should be noted that in 2020 the charges were dropped.
Most femtech companies in the US do not have restrictive measures on what data is collected, stored and what they can do with it, because they are not classed as a healthcare provided under HIPAA. Therefore, there is not have the same level of protection from authorities i.e., police cannot easily demand a person’s health record. However, some states such as California, Colorado, Connecticut have started to address this gap in their state privacy laws.
So there are fears that femtech data privacy and security practices could result in disclosure of reproductive data to law enforcement, who could use it to investigate and criminally prosecute women who have had illegal abortions.
What can users do to protect their data?
Read the small print! Although in the UK and EU what data is collected and used for should be made very clear, it is worth spending the extra time to ensure we are comfortable with what and how it is being used.
One point to note is “if you’re not paying for it, you’re not the customer; you’re the product being sold”, although it is not always the case, user data may sold on to third parties, and if that does not sit comfortably then perhaps put the product down and walk away.