For thousands of New Zealanders who are feeling down and struggling with their mental health, an ad for depression.org.nz can be a lifeline of hope that they cling to on their journey to getting better.

Over the past decade, the series of ads starring Sir John Kirwan have been credited with helping to change the way New Zealanders talk about mental health and making it easier than ever to get help.

Privacy Commissioner John Edwards said he hoped the HPA reviews its privacy policies.

Users on the site are greeted by simple self-tests for depression and anxiety that help decide their next move, such as calling a hotline or speaking with a professional.

But that sensitive information may have been exposed and shared with third party URLs, according to a new report by Privacy International titled Your Mental Health For Sale.

"Since the website contacts 10 third-party services, this means that all of these receive test answers and the final test score," the study said.

That's because the answers and scores are included in the URL of the final page. This is the URL from a sample test: the final score of nine can be seen at the end, as can the scores for answers to each of the nine questions.

While the questions themselves can't be seen in the URL, they are easily available, and a high score would clearly indicate someone having a high likelihood of depression or anxiety.
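An audit sketch for the leak described above, added here as an example and not taken from the Privacy International report or the website: it flags third-party requests that received the self-test values, either through the Referer header or copied into the request URL. The host names, parameter names and captured requests are constructed, and the two leak channels are assumptions, since the article does not say how each service received the URL.

```javascript
// Constructed sample data: the page's real URL format is not shown, so the
// host, path and parameter names (score, answers) are hypothetical.
const PAGE_URL = "https://selftest.example/result?answers=1,1,1,1,1,1,1,1,1&score=9";
const SENSITIVE_PARAMS = ["score", "answers"];

// Constructed capture of requests triggered by the results page.
const CAPTURED = [
  { url: "https://selftest.example/css/site.css", referer: PAGE_URL },
  { url: "https://replay.thirdparty.example/rec.js", referer: PAGE_URL },
  { url: "https://stats.thirdparty.example/collect?page=" + encodeURIComponent(PAGE_URL),
    referer: "https://selftest.example/" },
  { url: "https://fonts.thirdparty.example/font.woff2", referer: "https://selftest.example/" },
];

// Return the sensitive name=value pairs present in a URL's query string.
function sensitivePairs(urlString) {
  const found = [];
  for (const [name, value] of new URL(urlString).searchParams) {
    if (SENSITIVE_PARAMS.includes(name)) found.push(`${name}=${value}`);
  }
  return found;
}

// List third-party requests that carry the page's sensitive values, either in
// the Referer header or copied into the request URL itself.
function findUrlLeaks(pageUrl, requests) {
  const firstParty = new URL(pageUrl).hostname;
  const secrets = sensitivePairs(pageUrl);
  const leaks = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (host === firstParty) continue; // same site: not a third-party disclosure
    const inReferer = req.referer ? sensitivePairs(req.referer).length > 0 : false;
    const decodedUrl = decodeURIComponent(req.url);
    const inUrl = secrets.some((pair) => decodedUrl.includes(pair));
    if (inReferer || inUrl) leaks.push({ host, via: inReferer ? "referer" : "url" });
  }
  return leaks;
}

// Mitigation check: the results page address with the test data removed.
function withoutSensitive(pageUrl) {
  const u = new URL(pageUrl);
  SENSITIVE_PARAMS.forEach((name) => u.searchParams.delete(name));
  return u.toString();
}

console.log(findUrlLeaks(PAGE_URL, CAPTURED), withoutSensitive(PAGE_URL));
```

Keeping scores out of the address altogether (for example, holding them in page state or a POST body) removes both channels at once; a strict `Referrer-Policy` only closes the first.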

The site also uses Hotjar, a 'session replay script' which records everything a user types and clicks on a website, so that it can be played back later. There is no option for users to block this. Depression.org.nz was one of just two out of 136 sites included in the study which used this technology.

Hotjar is used to create heatmaps which show which areas are clicked on the most, and track individual user IDs to make a recording of every tap, scroll, and movement of the mouse.

Privacy International said third party screen-tracking services like Hotjar were particularly intrusive, and could lead to users being identified if there was a breach or hack of a third party company which held that information. 

The study said that when tracking data was passed on to third parties, 70 per cent of the time it was used for marketing purposes.

NetSafe chief executive Martin Cocker said user data can become part of a larger pot of information.

The Health Promotion Agency admitted they used tracking cookies and third-party software to collect information about how people used the website, but said it was "limited and non-identifiable."

"The www.depression.org.nz website does not collect any personal data, therefore we do not and could not sell or share personal data. All user information collected on www.depression.org.nz is non-identifiable - no identifying information eg, names, email addresses etc are collected," a spokesperson said. 

Netsafe chief executive Martin Cocker said HPA's statement that it did not collect any personal data was an "oversimplification".

"It depends on what you call personal data.

Sir John Kirwan, former All Black and frontman for depression.org.nz

"It can become more personalised as part of becoming a bigger pot of information."

There wasn't necessarily a suggestion HPA was profiting from passing on the data, but users of websites with sensitive content were likely to expect a higher degree of privacy.

Passing on information to third parties meant information could potentially be used to "target someone at their most vulnerable".

It was "certainly not best practice" to do so, and HPA could "100 per cent" provide higher security while still delivering their service, he said.

Privacy Commissioner John Edwards hoped HPA took note of the study and reviewed its third-party cookies.

In the UK, the National Health Service also uses Hotjar to collect information, but said that screen-tracking was disabled on their depression self-assessment tests.

When asked by Privacy International, the NHS said the functionality would be automatically disabled from the end of September, with users able to opt-in should they wish to.

The HPA said they were in the process of reviewing and updating their privacy policies.

The Privacy International study was based on the most used mental health websites in the UK, France and Germany. Depression.org.nz was included because it ranked in the top search results for depression tests in the UK. 

Under European law, websites must ask for consent before tracking cookies. The HPA said they do not do this as it is not legally required in New Zealand.

The report recommended that mental health websites should protect users' privacy by obtaining valid and informed consent from their users, and limit third-party tracking to what is strictly necessary.

It also recommended that websites ensure they are not unintentionally storing more data than they realise, and ideally mental health test scores should not be stored at all. 

Privacy International describes itself as a charity that "challenges the governments and companies that want to know everything about individuals, groups, and whole societies".

"Our findings show that many mental health websites don't take the privacy of their visitors as seriously as they should," an article on its website announcing the study said.

"This research also shows that some mental health websites treat the personal data of their visitors as a commodity, while failing to meet their obligations under European data protection and privacy laws."

Article: https://www.stuff.co.nz/national/health/115586450/new-zealand-depression-website-exposed-test-results-to-thirdparty-companies