The trackers are related to Google’s Tag Manager, a product that interacts with Google Analytics and the Doubleclick ad network, and Facebook’s controversial user-tracking service, Pixel.
NHS Inform is a website that gives Scots information about their symptoms and tells them what to do in case of illness, much as its UK counterpart, NHS 111 Online (formerly NHS Choices), does.
NHS Inform’s “self-help” pages, a series of multiple-choice questionnaires for symptom-checking, contain elements from Google Doubleclick (the giant’s online ad sales marketplace), Facebook Pixel, Google Analytics, and a large GIF from UK ad agency Avid Media, loaded via its proprietary metadsp.co.uk domain.
NHS 24, the Scottish equivalent of NHS Digital, told The Register:
“All partners that NHS 24 works with are compliant with GDPR regulations around privacy. Google tag manager is used only when working with partner organizations to track the effectiveness of health information campaigns which are hosted on our websites and once the campaign is complete the tracking code is removed.
In general, these are not used across the entire site, only at the request of partner organizations to support specific campaign activity. We identify unique visits, but not individuals and do not serve customized adverts to anyone. Our campaigns and those with partners are targeted to the general population of Scotland rather than specific user groups.”
Those concerned about the private sector increasingly gaining access to sensitive data are alarmed by these revelations.
Phil Booth of Medconfidential explained to The Register that he thinks the situation is terrible:
“I think it’s terrible that basically, an NHS service is pinging out associated IDs to all these advertisers. What is actually going on here? Certainly, with these IDs being pinged around, you’re going to be able to identify an individual and market them based on the pages to which they’re being directed. That’s very bad. Why are they consciously adding code that pings to advertisers? Why was the web development contract not written to deliberately and explicitly exclude any of this advertising?”
NHS 24 pointed out that all the data is anonymized, and supported its stance by citing the Scottish Approach to Service Design. However, it is not clear why the NHS Inform website is loading content from metadsp.co.uk, Pixel, and adservice.google.com, which allow tech companies to build profiles on users.