Privacy and wearable technologies – A POPI dilemma?
As technology becomes less of a utility and begins to retain intelligence about who we are through wearables, organisations will begin to invest in such technologies to gain competitive advantage and consumer insights through what has become “human telematics”.
As consumers increasingly demand meaningful, personalised communications and engagement with their insurance providers through seamless platforms such as wearables, insurers will, by necessity, be required to integrate wearable technologies into their product offering to retain their competitive edge. Technological integration positively impacts both insurers and consumers; however, we need to “draw a line in the sand” between utility and the right to privacy so as to avoid over-reaching privacy invasions.
Rapid innovations in technology, falling costs in the unit price of devices, and a general social trend toward health by tech-savvy consumers, are largely held to be the drivers of the increased demand for health-related wearables. Ian Chen, a marketing manager at Freescale Semi-Conductors Sensor Division, believes that “by 2025, there will be more data generated from sensors and devices than all of the data being generated today from every source.”
With increased demand comes a highly competitive market with new and old entrants battling it out to produce better, more accurate and more useful wearables. The pace of innovation and demand in this space is increasingly leading to concerns over privacy and inadequate security safeguards as development outstrips legislative and regulatory requirements. However, there is a further commercial benefit that insurers have been quick to leverage at the risk of potentially invading the privacy of their policyholders and users.
Security and privacy
Wearables present multiple attack vectors, in that they often require data to be transmitted to a processing application typically housed on smart devices such as phones, tablets or computers. Furthermore, applications may store the data online. Gary Davis, the Chief Consumer Evangelist at Intel Security, believes that the data collected through wearable devices “is worth 10 times more than that of a credit card on the black market.”
Reviews by various security firms have found multiple vulnerabilities in wearable devices and related applications. These range from exposed login credentials and network sniffing (wherein data transmitted from the device is visible to potential attackers) to being able to monitor a user’s location through the device’s tracking mechanisms and public networking capability. It is worth considering the security risks of wearables when linked to smart devices.
Careless users may leave their wearable or smart phone unattended, where any person may pick it up and peruse the data stored thereon. Wearables themselves are not typically password protected or secured, and smartphones and other devices are only as secure as their lock screen password, if enabled.
Future concerns include the susceptibility of the Internet of Things to cyber-attacks. While not currently viewed as a serious problem, it is poised to become one as smart devices, wearables and other smart appliances become more widely adopted, providing would-be thieves with a plethora of information about individuals.
Privacy of the user is closely linked to the security considerations and concerns that are inherent to wearables. Wearables that process health-related information – which may be anything from vital statistics to sleeping patterns – and track user locations, require additional safeguards to be in place to ensure the protection and lawful processing of such information in accordance with various legislation and regulations in place worldwide. However, despite the number of countries with laws regulating the use of personal information, few laws holistically address the collection, storage, use, sharing and disclosure of personal information obtained through wearables.
What does this mean in the South African context?
South Africans have also been swept up in the wearable fever. Fitness bands, for example, are common features in public and in the workplace. Large insurers and medical aid schemes offer incentives to members who buy and use wearables and share the related health information with the organisation. In turn, this information is utilised in profiling and incentivising policy holders and scheme members. The benefits of the technological integration are multi-faceted and present opportunities for consumers, insurers and medical aid schemes alike.
Imagine an insurer or medical aid scheme being able to calculate, in real-time, the risk profile of its policy holders and members and provide competitive premiums based on the health profile of each of its policy holders or members uniquely. This not only incentivises members to lead healthy lifestyles but enables the insurer and medical aid scheme to accurately quantify and underwrite its risk exposure. From a consumer perspective the benefits are numerous and range from customised premiums, as well as health-related savings and promotions, to early warning of possible health risks enabling more relevant, just-in-time treatment.
Privacy awareness in South Africa is still in its infancy. However, there are currently several pieces of legislation that provide a framework to understand the rights and obligations of the user, service provider and other parties, where personal information is concerned. Policy holders and scheme members will need to become more astute as to the purposes for which their personal information, health-related data, and other data collected through wearables provided or utilised by insurers and medical aid schemes is processed to ensure that their privacy is not unreasonably infringed.
All organisations integrating new technologies into their day-to-day interactions with consumers, like insurers and medical aid schemes, will need to start considering the privacy impact of adopting these technologies and the consequent business, consumer, and compliance risks.
Organisations should consider the privacy impact in light of the following:
- nature of information processed (i.e. health information);
- how the information is collected, used and why the organisation requires it;
- where the information is located and volume of information retained;
- who has access to the information and whether it is shared with third parties; and
- the legal obligations in respect of the information.
Based on this assessment, the organisation will be able to accurately determine the privacy impact of adopting technology such as wearables and, most importantly, where to “draw a line in the sand.”