NHS Choices and Facebook in breach of data laws?Both deny any breach

07 December 2010

Facebook signup and principles

Which? believes a government website and Facebook could be in breach of the Data Protection Act (Act).

The claim was made after it emerged that health website NHS Choices was allowing Facebook to track the browsing behaviour of its users, along with their Facebook IDs, via its ‘Like’ button embedded on some webpages.

According to Andy Thomas, the managing director of Garlik, the firm which made the discovery, these webpages contain health and lifestyle advice that could be personal and sensitive to the browsing individual.

Under the Act, if an organisation processes sensitive personal data, it has to satisfy one of a number of areas under the Act, one of which is getting explicit consent from data subjects.

See Which?s guide to learn how to create a profile and protect your privacy when social networking

‘If the data that Garlik has observed Facebook to be collecting from NHS Choices proves to be sensitive and personal data, and explicit consent has not be obtained, then it is possible that both parties are in breach of the Act,’ explained Rob Reid, Which?’s senior policy adviser.

‘And NHS Choices surely has a duty to its users to prevent sensitive user data from being collected by third parties in this manner. We can’t help but wonder if NHS Choices fully understood the privacy implications when it agreed to allow the Facebook Like button on its site.’

Garlik also claims that NHS Choices is in breach of its own privacy policy as a number of pages under the ‘LiveWell’ section of the site send data to Facebook, even though they do not display the ‘Like’ social plugin.

Government refutes the claim

A Department of Health (DoH) spokesperson denied it was in breach of the Act, but hinted that any possible breaches could be down to Facebook.

‘NHS Choices has strict privacy policies which are in line with the Act,’ a spokesperson said. ‘Facebook capturing data from sites like NHS Choices is a result of Facebook’s own system.

‘When users sign up to Facebook they agree that Facebook can gather information on their web use. NHS Choices' privacy policy, which is on the homepage of the site, makes this clear.’

In a tacit admission that mistakes may have been made, the spokesperson added: ‘The use of Facebook functionality on the NHS Choices was initiated under the previous administration.’

Facebook challenges Which’s assertion

Facebook also denied that it was in breach. A spokesperson said: ‘Facebook is confident that its policies and processes meet the requirements of European data protection law, including in respect of the processing of sensitive and personal data.’

She explained that websites only send data to Facebook from pages where the site has chosen to implement a Facebook social plugin. ‘In the case of NHS Choices, the developers had embedded a Like button on many pages across the website,’ she continued. 

‘However, on some pages the button was not visible to the user, even though it had been embedded by the developers in the code of the page.’

She added: ‘It is against our terms for a website to embed the Like button without it being visible to the user and NHS Choices quickly rectified this to ensure our social plugins were being used properly.’

ICO responds to possible data breach

A spokesperson for the Information Commissioners Office (ICO) said: ‘If Facebook is processing just IP address identifiers then that would not be personal data, but if it is an identifier then that links to a person then that could constitute personal data [and it could be in breach of the act].

She continued: ‘There are few things more personal to an individual than their health information. We have contacted the DoH to find out whether any details of individuals consulting the NHS Choices website are available to third parties.’

In a clear rebuke at the decision to allow Facebook to collect and process the data of its users visiting the site, the spokesperson said: ‘The NHS should consider the privacy implications of offering this service and the impact that it might have on the people that use it.’

The ICO said it took all complaints seriously and would investigate any it received. It also said it understood that the DoH would be issuing clarification around the situation in response to an early day motion tabled in Parliament.

If you would like to make the most out of your computer, take up a trial to Which? Computing

How to follow the latest Which? Tech news

Are you a Twitter user? Follow WhichTech on Twitter for regular tech tweets.

Prefer RSS? Don't miss a thing with the Which? tech RSS feed

For just the main headlines in newsletter form, sign-up to our weekly Which? tech email.

Apple iPad 2 3G data plans compared - find the best 3G plan for your iPad
Best Android tablets round-up - we look at the best iPad alternatives around
Best cheap laptops for under £500 - find the best laptop deals