Eliciting Design Guidelines for Privacy Notifications in mHealth Environments

1. Introduction

The number of users of mobile health (mhealth) devices is increasing (Statista, 2018), as is the spectrum of applications related to personal informatics (Knowles et al., 2018). However, few users of online services know how their personal data are processed by the data services they are relying on (Lau et al., 2018). This imbalance of knowledge, and hence power, between service providers and users is in stark contrast to the statutes of the EU General Data Protection Regulation (GDPR) (European Parliament and the Council of the European Union, 2016), which mandate transparency with respect to how personal data are processed. The Regulation considers data transparency a prerequisite for enabling data subjects to make informed decisions about intervening with the processing of their personal data, i. e. the right to access, rectification, to object to processing and profiling, and to have their data erased (GDPR Art. 12 et seq.). The deviation from the legal statutes is particularly remarkable because ‘data concerning health’ are considered special categories of data (GDPR Art. 9) whose processing warrants special care and responsibilities on the part of data controllers (Art. 29 Working Party, 2011).

One way of providing users of online data services with insight about the processing of their personal data is by means of ex post transparency-enhancing tools (TETs). Ex post TETs provide intelligible information about how their personal data have been processed. In this respect, ex post TETs differ from ex ante TETs, the latter of which communicate risk and potential outcome before users perform an action, such as before signing up for a data service or before installing an app. For the sake of readability and unless the context in question requires clarification as to whether it refers to an ex ante or ex post scenario, the term ‘TET’ will be used in lieu of ‘ex post TET’ throughout this article to refer explicitly to ex post transparency-enhancing tools.

TETs retrospectively provide users of online data services with transparency about the processing of their personal data and guide them in making informed decisions with respect to managing the data they have disclosed previously. Hence, TETs can serve as indicators of facts that help users to hold data controllers accountable for how their personal data have been processed. The medium that facilitates ex post transparency discussed in this paper is privacy notifications, which notify users about events related to personal data processing deemed relevant for them. However, many TETs discussed in the literature are limited in terms of their usability in that their design does not systematically reflect the needs of their final users (Murmann and Fischer-Hübner, 2017a). This suggests research that addresses usable TETs specifically through the lens of human-centred design (International Organization for Standardization, 2010), and motivates the following research questions:

• 1.

  What kind of model is required to adequately describe the conceptual and functional nature of TETs that employ privacy notifications to enable intervenability?

• 2.

  What findings exist in the body of literature that lend themselves to conceptualising design guidelines for privacy notifications received on mobile devices?

• 3.

  What guidelines can be inferred from the model and the findings in the literature for the design of TETs that best reflect the individual needs of their users?