JMIR Publications

ABSTRACT

Background:

Community-based primary care focuses on health promotion, awareness raising, illnesses treatment and prevention in individuals, groups, and communities. Community Health Workers (CHWs) are the leading actors in such programs, helping to breach the gap between the population and the health system. Many mobile health (mHealth) initiatives have been undertaken to empower CHWs and to improve the data collection process in the primary care, replacing archaic paper-based approaches. A special category of mHealth applications, known as Mobile Health Data Collection Systems (MDCSs), is often used for such tasks. These systems process highly sensitive personal data (i.e., health data) of entire communities so that a careful consideration about privacy is paramount for any successful deployment. However, the mHealth literature still lacks methodologically rigorous analyses for privacy and data protection.

Objective:

This paper presents a full Privacy Impact Assessment (PIA) for a MDCSs in order to systematically identify and evaluate potential effects on privacy and to search for ways to avoid or mitigate negative privacy impacts.

Methods:

The privacy analysis follows a systematic methodology for PIAs. As a case study, we adopt the GeoHealth system, a large-scale MDCS used by CHWs in the Family Health Strategy (FHS), the Brazilian program for delivering community-based primary care. All the steps of analysis were based on discussions among the researchers (privacy and security experts), and in particular, the identification of threats and controls was based on literature reviews and brainstorming meetings among the group. Moreover, we also received feedback from specialists in primary care and software developers of other similar MDCSs.

Results:

In numbers, the GeoHealth’s PIA is based on 8 Privacy Principles and 26 Privacy Targets derived from the European General Data Protection Regulation (EU GDPR). Associated to that, 22 threat groups with a total of 97 sub-threats and 41 recommended controls were identified. Among the main findings, we observe that existing MDCSs do not employ adequate controls for managing consent, transparency and intervenability.

Conclusions:

Although there has been significant research that deals with data security issues, attention to privacy in its multiple dimensions is still lacking for MDCSs in general. New systems have the opportunity to incorporate privacy and data protection by design. Existing systems will have to address their privacy issues to comply with new/upcoming data protection regulations. However, further research is still needed to identify feasible and cost-effective solutions.