Question
SCENARIO –
Please use the following to answer the next questions:
Your company is launching a new track and trace health app during the outbreak of a virus pandemic in the US. The developers claim the app is based on privacy by design because personal data collected was considered to ensure only necessary data is captured, users are presented with a privacy notice, and they are asked to give consent before data is shared. Users can update their consent after logging into an account, through a dedicated privacy and consent hub. This is accessible through the ‘Settings’ icon from any app page then clicking ‘My Preferences’, and selecting ‘Information Sharing and Consent’ where the following choices are displayed:
- “I consent to receive notifications and infection alerts”;
- “I consent to receive information on additional features or services and new products”;
- “I consent to sharing only my risk result and location information for exposure and contact tracing purposes”;
- “I consent to share my data for medical research purposes”; and
- “I consent to share my data with healthcare providers affiliated to the company”.
For each choice, an ‘ON’ or ‘OFF’ tab is available. The default setting is ‘ON’ for all. Users purchase a virus screening service for US$29.99 for themselves or others using the app. The virus screening service works as follows:
Step 1: A photo of the user’s face is taken
Step 2: The user measures their temperature and adds the reading in the app
Step 3: The user is asked to read sentences so that a voice analysis can detect symptoms
Step 4: The user is asked to answer questions on known symptoms
Step 5: The user can input information on family members (name, date of birth, citizenship, home address, phone number, email and relationship).
The results are displayed as one of the following risk statuses: “Low”, “Medium” or “High”. If the user is deemed at “Medium” or “High” risk, an alert may be sent to other users, and the user is invited to seek a medical consultation and diagnostic from a healthcare provider.
A user’s risk status also feeds a world map for contact tracing purposes, where users are able to check if they have been or are in close proximity to an infected person. If a user has come in contact with another individual classified as ‘medium’ or ‘high’ risk, an instant notification also alerts the user of this. The app collects location trails of every user to monitor locations visited by an infected individual. Location is collected using the phone’s GPS functionality, whether the app is in use or not; however, the exact location of the user is “blurred” for privacy reasons. Users can only see on the map circles with a 12-feet radius (approximately 4 meters wide), which is double the recommended distance for social distancing.
Which of the following is likely to be the most important issue with the choices presented in the ‘Information Sharing and Consent’ pages?
A. Options for allowing location sharing are not provided
B. Allowing users to share risk result information is not properly defined
C. The data and recipients for medical research are not specified
D. The sharing of information with an affiliated healthcare provider is not secure
Answer
C. The data and recipients for medical research are not specified
Explanation
The most important issue with the choices presented in the “Information Sharing and Consent” pages is that the data and recipients for medical research are not specified (Option C).
While the app provides users with various consent options, including sharing data for medical research purposes, it fails to provide critical details about what specific data will be shared and with whom. To ensure informed consent and comply with privacy regulations, the app should clearly disclose:
- The exact types of personal data that will be shared for research (e.g., health information, location data, demographics)
- The specific entities or categories of recipients who will have access to the data (e.g., universities, pharmaceutical companies, government agencies)
- The purpose and scope of the medical research for which the data will be used
Without this information, users cannot make a fully informed decision about whether to consent to sharing their data. Vague or overly broad consent options may violate privacy laws and best practices, such as the GDPR’s requirement for specific, informed, and unambiguous consent.
The other options, while potentially problematic, are less critical:
- Option A: Location sharing options are provided elsewhere in the app
- Option B: Risk result sharing, while not perfectly defined, is more specific than the medical research consent
- Option D: The security of data sharing with healthcare providers, while important, is a separate issue from the consent itself
In summary, the lack of specificity regarding data use and recipients for medical research poses the most significant issue with the app’s consent options, as it hinders users’ ability to make an informed choice about sharing their sensitive information.