Several NHS Trusts have been caught sharing patients’ personal data with Facebook without consent.
An investigation conducted by The Observer and first published by The Guardian this weekend uncovered a covert tracking tool within the websites of 20 NHS Trusts that has been allowing Facebook’s parent company, Meta, to access confidential browsing information.
The data was collected by Meta Pixel, an analytics script that for years had been recording NHS Trust website visitors' page views, buttons clicked and keywords searched.
Meta Pixel could tie that data to individual users by matching it to their IP address and, in some cases, their Facebook accounts. The Observer's report noted that linking this browsing information to an identifiable person has the potential to reveal personal medical details.
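As an added illustration of the two leakage paths described above (the pixel embed itself, and search keywords carried in the page URL that a page-view event reports), here is a small Node.js audit script. It is example code written for this page, not code from the NHS Trusts, The Observer or Meta. The fbevents.js loader URL, the fbq('init', ...) call and the facebook.com/tr noscript image are Meta's publicly documented embed markers; the sample HTML, the hostname trust.example.nhs.uk and the list of search-parameter names are constructed assumptions for the example.

```javascript
// audit_pixels.js: static audit of an HTML page for Meta Pixel markers, plus a
// check for search terms that a page-view tracker would see in the page URL.
// Added example for this article; not code from the NHS Trusts, The Observer or Meta.

// Publicly documented Meta Pixel markers: the fbevents.js loader script, the
// fbq('init', '<pixel id>') call, and the <noscript> fallback image that
// requests https://www.facebook.com/tr?id=...&ev=PageView&noscript=1.
const META_PIXEL_SIGNATURES = [
  { name: 'meta-pixel-loader',   pattern: /connect\.facebook\.net\/[A-Za-z_]+\/fbevents\.js/g },
  { name: 'meta-pixel-init',     pattern: /fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]/g },
  { name: 'meta-pixel-noscript', pattern: /https:\/\/www\.facebook\.com\/tr\?[^"'\s]*/g },
];

// Return every marker found in the HTML, with the pixel ID where one is present.
function findTrackingPixels(html) {
  const findings = [];
  for (const { name, pattern } of META_PIXEL_SIGNATURES) {
    for (const m of html.matchAll(pattern)) {
      const finding = { name, evidence: m[0] };
      // The init call captures the ID directly; the noscript URL carries it as ?id=
      const id = m[1] || (m[0].match(/[?&]id=(\d+)/) || [])[1];
      if (id) finding.pixelId = id;
      findings.push(finding);
    }
  }
  return findings;
}

// Query-string parameter names commonly used by site search. A page-view event
// reports the full page URL, so anything in these parameters reaches the tracker.
// This list is an assumption for the example, not a Meta specification.
const SEARCH_PARAMS = new Set(['q', 'query', 'search', 's', 'keywords', 'term']);

// Return the search terms a tracker would learn from this page URL.
function leakedSearchTerms(pageUrl) {
  const url = new URL(pageUrl);
  const terms = [];
  for (const [key, value] of url.searchParams) {
    if (SEARCH_PARAMS.has(key.toLowerCase()) && value.trim()) terms.push(value.trim());
  }
  return terms;
}

// Combined report for one page: embedded trackers and URL-borne search terms.
function auditPage(html, pageUrl) {
  return { pixels: findTrackingPixels(html), leakedSearchTerms: leakedSearchTerms(pageUrl) };
}

// Constructed sample page, modelled on the standard pixel embed snippet.
const SAMPLE_HTML = `
<html><head><title>Find a service</title>
<script>
  !function(f,b,e,v,n,t,s){/* loader body omitted */}(window, document, 'script',
    'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '1234567890');
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1"/></noscript>
</head><body><h1>Sexual health clinics</h1></body></html>`;

// Hypothetical Trust search URL; the query string is what a page-view event would carry.
const SAMPLE_URL = 'https://trust.example.nhs.uk/search?q=hiv+clinic';

const report = auditPage(SAMPLE_HTML, SAMPLE_URL);
console.log(JSON.stringify(report, null, 2));
```

Run it with `node audit_pixels.js`; it reports three pixel markers sharing ID 1234567890 and the search term "hiv clinic" that the URL would hand to the tracker. Fetching each live Trust page over HTTP and passing the response body to auditPage turns this into a one-file inventory of the kind Cater's second step calls for.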
Since the investigation went public last week, 17 of the 20 NHS Trusts have confirmed they have removed Meta Pixel from their websites, and eight have issued apologies.
According to The Observer, several Trusts stated that they were not aware the tool was sending their patients' data to Facebook. The Information Commissioner's Office (ICO) has launched an investigation into the breach.
“Marketers in all industries should sit up and take note”
With the NHS landing themselves in hot water, PMW got the experts’ take on exactly what has unfolded and why ignorance isn’t good enough anymore.
Rhys Cater, Managing Director of Precis Digital, said: "In 2023, there’s no excuse not to have a crystal-clear understanding of data collected and transferred by your organisation.
"Those in sensitive industries (health, finance, etc) should exercise particular caution, but marketers in all industries should sit up and take note.”
Jamie Barnard, CEO of Compliant, explained how the NHS Trusts fell into the trap of overlooking their data protection responsibilities.
He said: "The Meta pixel is widely used as an analytics tool, helping brands measure the effectiveness of ads on Facebook by monitoring subsequent activity on their websites. The problem is that very few individuals understand how it works, and almost always underestimate how much information is being shared. This can lead to some unintended but very severe consequences, as the NHS just found out.
“When this information relates to sensitive topics, companies can be blindsided. A lot can be inferred from what people search, read and share, which can create privacy concerns when that information is shared with social platforms like Facebook and TikTok. What may seem like a harmless analytics pixel can seriously jeopardise your data compliance.”
Three things advertisers can do now to avoid customer privacy breaches
Cater provided a framework for organisations to follow to get their house in order and safeguard against making the same mistake as many of the NHS Trusts.
He said: “Every organisation who strives to do privacy well, both to comply with the law but also to win the trust of their customers, should do three things urgently.
“Firstly, create a cross-functional data protection team comprising members from legal, technology, and marketing — this group must have the force and buy-in of senior leadership. Secondly, conduct a full analysis of data collected and transferred by your websites and apps — leave no stone unturned and document everything.
“Finally, create an overview of the data that is required and which adds value to the business, and ensure that the legal grounds for collecting and processing the data (e.g. consent) are in force. With that, you have the foundations for a solid privacy and data strategy and are less likely to let your customers down in a similar way to the NHS Trusts exposed this week."