Monday, 18 August 2014

There's something deeply personal about my numbers

Have you ever been testing your bgs and someone has asked "What's your number?", maybe they have even tried to peer over and look at the meter reading to see the number for themselves?
I know they are asking for all the right reasons - they care about my health and well being.
They've taken an interest in my condition and want to be supportive ...yet, it can sometimes feel deeply intrusive.

I go to cover up the meter with my hand so I can see the number first. I want to be the one that knows (and be comfortable in sharing) that number with someone else. After I've seen the number I might reply with the exact number; I might even show the number displayed on my meter (if it's really good); give an "about" number if it's kind of "ok"; or declare "it's rubbish" if, well, it's rubbish - that usually garners a response to tease the exact number out of me - making me feel more uncomfortable in the process.

You can tell me there is no such thing as a good or bad number (and that's true!) but, the reality of the situation is, I can't help judging my performance on every bg reading.

Maybe it's me? Maybe I'm too self-critical? Maybe it's because I feel others will judge me on my numbers? It's a complex feeling, but mostly I think it's about being in control. My numbers, my responsibility, my business.

When I go to clinic they download the readings from my meter and the consultant looks over them with me. I can find it to be the most stressful part of the consultation. They focus on all the high and low readings, trying to find out what's going on as I frantically flick through my notebook to provide excuses, justifications... explanations. They rarely acknowledge my "in target" readings and why would they? They don't need to focus on those number, they're ok.

They ask about the highs and lows because that's where they can add most value. They're looking to help improve my self-management and give me the tools and knowledge I need to do that. Yet (as you can see from my language) it can sometimes feel like an assessment I'm failing in, with little recognition given for the hard work I put in day and night to get and maintain control. Most people don't go to work to do a bad job and so it is with diabetes management, yet sometimes it would be nice to be have a little bit recognition for the good work done - it would be a powerful motivator.

A page from my notebook

My notebooks record everything I've eaten each day since receiving my type 1 diagnosis, every blood test, every meal and carbohydrate count, every insulin dose, everything unusual I did on a particular day that could justify an unusual reading, every thought process. It is deeply personal to me. I have even created my own shorthand, my own code, to explain certain actions and activities I do. It is my most personal of diaries and yet those around me can thoughtlessly treat it like an open book:

"Let's see what your numbers have been like today" as they reach out to take the latest notebook from the "bag of life" I carry around with me.

Don't get me wrong, I can and do share this information at times - but I'm the one in control of sharing that data. People get to see it when I'm comfortable with sharing it.

People are usually surprised when they see I record all my data in paper format. They are confused about why I don't use a mobile phone application to store all the information, after all I'm a technology geek and the apps are "free". I usually joke that pen and paper doesn't require a battery to operate, but the real reason is much deeper than that. Let me explain...

At diagnosis I immediately looked for diabetes applications for my mobile. I found a huge collection of diabetes apps: most of them were absolute rubbish (either making it difficult and time consuming to enter data or impossible to extract or edit the data once entered, some clearly had absolutely no input from people with diabetes and completely missed the basic requirements someone with diabetes would need); a few showed promise with interesting ways to speed up data entry and some I ended up using for quite some time. I never found an app that was perfect for me and eventually I even got involved in helping a company create a diabetes app which helped to give me insight to the development process and some of the business models used when creating applications.

Many applications now like to store your data in "the cloud" and this can bring great benefits to those using these types applications as you can enter and view your data on a number of different devices. With the data held centrally it is available anywhere and everywhere and usually means you can share your data with other people (should you wish) more easily too.
It also allows the company providing the "free" application with more ways to make money. This isn't necessarily a bad thing. The cost of developing an application, marketing it, providing servers in the cloud to store and process your data etc all adds up and they need to find ways to recoup those costs (both development and ongoing storage and processing) as well as a profit. Until recently most applications relied on either in-application advertising; asking you to sign up with an email address to gain access to further features; or getting you to pay for additional features. In all these scenarios the amount of personal information given in exchange for using the application was minimal and there was a choice of what information you provided, but times change and now things are different.

Many of these "free" applications hold a lot more information about you, they know your name, your email address, your age, weight, what insulins you use, your account may even be linked to a facebook or twitter account profile providing even more demographic profiling and with every entry you make they build up a profile:

What are you eating/drinking? How many carbs? How much insulin did you take? What was your bg reading? What was your location? (Yes many apps now use the GPS information from your phone to locate where the entry is made), some even ask you to take photographs of the food you are eating etc.

This is all valuable information and can be sold on to other companies with an interest in it.
They can gain commission by identifying appropriate people to sign up to clinical studies & trials, create more targeted advertising etc. From the GPS information they know where you live, where you work, what restaurants you prefer. From the images supplied they know what food you like, what your favourite food brands are - a marketers dream!

Apple aren't getting into the health market just because it is a good thing to do for people, they are doing it because the market is worth millions. When they recently announced their intention to move into the health tracking market one of the example applications shown was a blood glucose monitoring app. Embarrassingly for them they got the unit of measurement wrong (which is an issue I might come back to in another blog).

Google also sees the value of being a player in this market and have partnered up with a pharmaceutical firm to create the Google contact lens that monitors bgs and well as providing a platform for health apps similar to Apple. Google is in the business of advertising, the health market is just another opportunity for them to sell health data and market health products.

So our data is valuable.

When you start looking deeper into companies polices you start to see that many seem to make great efforts to hide the fact that they are planning to use and sell your data and I wonder why. After all Google makes no secret of the fact they use programs to read your emails to create more targeted advertisements - you have a choice: use the "free" Gmail service and accept this advertising process or use another mail service. The key here is that Google tells you explicitly what you are signing up for. It's the same with Facebook (although they have and continue to have "run ins" with privacy rights groups) options are provided to allow you to opt out of certain advertising and data selling processes.

I've talked about in the past - I'm not a fan of it in it's current form and have opt-ed out until I see sensible safeguards in place. It got in to a lot of problems because of a lack of clarity on how data would be used and who could see it. Ben Goldacre has written many articles on this issue. Checks and balances need to be in place to protect peoples privacy and rights. Sensibly the programme has been delayed to try and fix some of these fundamental issues. If the resulting changes are acceptable to me I will opt back in.

So why do diabetes applications (and other mobile health apps for that matter) make it difficult to know how, why and what your personal data is going to be used for? Are they worried we might not use their applications if we knew how widely they want to trade our data?

Let's take a look at some examples: Dario and DiabetesPA. I could have picked any diabetes mobile app company, they are in no way special when it comes to how they treat your data other than they do provide some form of privacy statement - many don't!


Dario (or LabStyle Innovations Corp.) is a company traded on the OTC QBunderstock exchange (OTCQ:BDRIO) with a market capitalisation of around $4.4million. On their investor website they have an investors presentation which on page 20 or 26 explains how they plan to monetise their offering.

Dario sees several potential revenue streams

The third being data monetisation through clinical studies, trial recruitment and partnerships.

Now, pop over to the Dario website (and/or download the application to your phone) and try and find out, as a user of the application, what you are signing up to.

Not so easy? Well their privacy policy can be found here (right at the bottom of the web page) and section 5 covers the main point "We may disclose your Personal Information..." and section 2.3 of the terms of use (within the app) states: "You understand and agree that the personal data you enter into your account may be used by us or by any third party for research, development, commercialization and/or academic purposes..."

Interestingly you can email Dario to opt-out of emails being sent to you, but there is no option to opt out of your data being used for commercialisation.

Obviously everyone reads the privacy policies and terms of use in great detail before signing up to use an app, right?

What's "great" about these privacy policies is that they can change them whenever they want, to suit their purposes, without the need to tell you... Section 9:

"This Privacy Policy is subject to revisions from time to time, upon our sole discretion and without prior notice. [...] All such changes will apply to previously collected information. Therefore, please make sure you read this Privacy Policy regularly."

How many people using the application will repeatedly go back and check if any policy changes have been implemented?


DiabetesPA is a mobile phone application created by Diabetes Digital Media Limited, the people behind the website Initially the website didn't provide any privacy statement (the link went nowhere). After pointing this out they fixed the link and after reading it I tweeted them some questions. They got in touch with me by email to ask for more details about my questions and I responded to their email on the 29th June 2014 with the following text:
Thank you for the email.

My main concerns are around the terms used in the privacy statement. They seem to be very loose and open to interpretation which I feel at times seem contradictory.

For example, Section 5 makes it very clear that information captured via the app will only be viewed by your "medical team" and not passed on to anyone else except for complying with the law/regulators and when people choose to take part in a clinical trial:

You should be aware that information captured via our App may be viewed by our medical team. None of this information will be passed to any other person except for:

   + disclosure for the prevention of crime;
   + in accordance with the law;
   + compliance with the direction of any regulatory or governing bodies;
   + for the purposes of preventing injury or harm to you as the data subject; or
   + when registering to take part in clinical trials, to the responsible clinical research organisation(s).

However, Section 6.2, 7.1 and 7.2 suggest otherwise:

In 6.2 it is not clear what data will be used, but clearly in the case of your company it would be more than the medical team using it. If third parties are using the data is that not against section 5?

6.2. We may also use your data, or permit selected third parties to use your data, to provide you with information about goods and services which may be of interest to you and we or they may contact you about these by post, email or telephone. If you are an existing customer, we will contact you by post or email with information about goods and services which may be of interest to you. If you are a new customer, and where we permit selected third parties to use your data, we (or they) will contact you by post or email, only if you have consented to this.

Again there is no clarity in section 7.1 as to what information is being disclosed, but the entities listed are not the your companies medical team.

7.1. We may disclose your information to:

   + advertisers and advertising networks that require the data to select and serve relevant adverts to you and others;
   + analytics and search engine providers that assist us in the improvement and optimisation of our Website;
   + pharmaceutical research organisations.
   + Please note, we do not disclose information about identifiable individuals to such third parties, but we may provide them with aggregate information about our users.

...and in section 7.2 (and I appreciate this is a boiler plate statement) it does suggest that information could be shared with others outside of the medical team.

7.2. We may disclose your personal information to third parties:

   + in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;

There is also no clarity as to the reasons the medical team may be required to look at data.

I appreciate that the data input via the app has value and I don't have a problem with you mining this information and even selling the information on to third parties such as pharma companies BUT I want to understand what I am agreeing to in order to use a "free" app.

I also have some concerns over the possibility of data being taken outside of the EEA, something your ICO registrations says isn't the case.

4.1.    The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.

ICO registration:


It may sometimes be necessary to transfer personal information overseas. When this is needed information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the data protection act.

Again I suspect this is a boilerplate statement yet on Twitter the suggestion was that taking the data outside of the EEA was a theoretical possibility and it would be easier to change the ICO entry than the privacy statement - something I find very hard to believe given you can change the privacy statement without going to a 3rd party.

I hope that gives an idea of the concerns I have.

After several chasers I finally received a response on the 12th August saying they would upload changes to their policy that very day. They said they'd make some amendments to the privacy statement and in particular add some additional words to section 5 (changes shown in bold here):
You should be aware that medical information captured via our App may be viewed by our medical team in order to provide you with the MyLifeStyle services. None of this information will be passed to any other person except for:

• disclosure for the prevention of crime;
• in accordance with the law;
• compliance with the direction of any regulatory or governing bodies;
• for the purposes of preventing injury or harm to you as the data subject; or
• when registering to take part in clinical trials, to the responsible clinical research organisation(s). ; or
• otherwise in accordance with this Privacy Policy.

As of today (18th August 2014) those changes haven't been implemented.

You can read the full privacy statement on their website: DiabetesPA (Diabetes Digital Media Limited / privacy statement

The change would (if added) at least make it more explicit as to what happens to your data but ideally I would like to see more. I shared my thoughts with the DiabetesPA team specifically explaining how I'd like references to data use to be split into three different categories:

I guess for me data broadly falls into three categories:

1. Usage data - IP, browser, URLs etc (data described in Section 2 of your privacy policy)
2. Personal data - name, address, email, facebook, twitter, phone etc
3. Sensitive data - bg results, insulin requirements, mood etc

I believe a gold standard policy would identify which type of data is being disclosed to whom.

ie. In Section 7.1 I suspect the first two bullet points relate to "Usage data" in the definition above, but the third one relating to Phara companies would be "Sensitive data" that has been anonymised and aggregated for reporting purposes.

Although they agreed that people would start to think about their data more and more they clearly aren't going to implement a clear and transparent policy unless users stop using the app and make them aware that reason is due to a lack of clarity on their data usage.

In Summary

So, if I'm not happy with the people around me (that have a true interest in my health and well being) riffling through my notebooks, why would I not only let a company do this for themselves but also allow them sell all my notebook entries to others?

...and now you know the real reason why I use pen and paper to record information and not a mobile phone application. Until companies have true transparency around how they use my data and provide opt-outs (or ideally opt-ins) to it's use I'm going to keep my diary under my control.

It all comes down to who really owns the data. My advice is if the application is "free" you shouldn't assume the data you input is yours until you have proof otherwise. If it is a paid-for application, sadly it seems (in the vast majority of case) the same is true!

If you aren't sure what a particular company policy is, ask them. If it's not clear, ask them to clarify (in writing) and, if you don't like the responses you get use a different application with an acceptable policy or like me, use pen & paper to control how and when the data is used for yourself.

Additional Reading

Tuesday, 5 August 2014

Why measure? Is it waste or non-compliance?

Two topics in one blog post? Well, they are kind of related and I'm in a cost and time saving mood...

Why measure?

Recently I've (unfortunately) been going to the hospital and my new GP practice a lot more than normal. Sometimes I've had hospital visits twice in one week and although the observation I'm about to make has struck me as odd before, these regular visits have made me question what is going on even more.

Every time I've had an out-patient visit something happens and yet, nothing happens.

What happens? I get weighed and my height is measured.

Now I'm being a bit harsh when I say nothing happens because in reality the results get recorded on the system but, after that, nothing happens.

If I were to visit the hospital today, my weight and height would be recorded. If I visited tomorrow, I would (once again) be weighed and my height measured.
No one stops and thinks "Oh, this was recorded yesterday, no need to do it today". It seems to "just be the procedure". It seems a waste of time and effort.

What's worse is that no one seems to look at these measurements or, if they do, they see no reason to discuss them with me - yet they should. My weight has increased by over 50% in the last year and my BMI wasn't in the green zone to start with!

So why is this procedure blindly followed every time I visit hospital or visit my GP practice?
If the data isn't used, why collect it in the first place?
If I refuse to be weighed or have my height measured I suspect I'd be deemed a non-compliant patient, which nicely leads on to part two of this blog post...

Is it waste or non-compliance?

I have a new GP!

I have no idea who they are. I don't know their name as it could be any one of the GPs at the practice I've registered at, but I'm sure the system knows who I've been nominally assigned to.
If it's anything like the last two practices I've been registered with, I suspect I will never see them. Instead I'm always seen by the practice nurse, because I'm "special"... I have type one diabetes... which is fine my me - being seen by the practice nurse, not so much the diabetes bit!

When I initially registered I was told that they no longer do "new patient assessments" - fantastic. I always found them to be annoying time wasting activities imposed on me so I'd be allowed to order a repeat prescription. I asked how my repeats would be setup and (unfortunately), whilst casting their eye over my last repeat prescription, they back tracked a bit and said "well the GP might want to see you before setting all this up".

I realised, the following week, that I hadn't asked about sharps bins. Unlike my previous two addresses, were the council both took away and replaced sharps bins, my current council only takes sharps bins away.
I went back to ask how I could get a replacement sharps bin. Apparently I need a sharps bin to be added to my prescription (which to this day still hasn't been done). The council will come and collect my bins on the 8th so it might be an interesting challenge to store my medical waste soon!
Anyway, whilst this was being discussed I was told that I needed to be booked in to see the practice nurse to discuss my diabetes and get my repeats setup etc... sounds like a new patient assessment to me! As a "compliant" patient I set up the appointment, after all, if I didn't get my repeat of insulin I'd be putting myself at risk of dying - no small incentive.

Unfortunately the practice nurse was ill on the day I was meant to see her and the GP practice rang to rearrange for the following week.

The day arrived. I go with my urine sample, all of my notes and a list of issues and questions I'd like to discuss - I always go prepared.

Some of the numerous forms I filled in to register at my current GP practice.
Including key questions: Do I smoke? Do I drink? Do I exercise?
I get weighed; they measure my height; they do my blood pressure; ask if I drink?; do I smoke?
...and a couple of surprise statements/questions: You have type two diabetes. What other conditions do you have?

At registration I'd provided a printout from my previous GP listing everything about me. I'd also filled in numerous forms to register with practice too (one of which asked if I smoked, how much I drank and the amount of exercise I do). I also knew that (because they'd taken so long registering me) my previous GP had managed to send through everything they had about me. Heck I even knew (via the EMIS patient portal) that my repeats had been setup and so this meeting was a complete waste of my time - I didn't need to be here to get my repeats setup as I'd previously been told! So why was I being asked all this stuff - again?

The NHS love to record when and how much I drink & smoke.
Just like weight and height - it's an obsession.

Even when I was admitted to hospital on the verge of coma I was asked! Yes, I know, there is good reason for this... but I must always disappoint them when they get the same response:

"only for celebrations and no, never"

How boring! ...but every time it's as though they're asking these questions for the first time. No one has ever said "We've recorded on the system that you don't smoke, is that still the case?". Why bother recording the information if it's never going to be looked at again?

Then the question (spoken as a fact), that always annoys me, was made:

"You have type two diabetes."

I interject, "No I don't. I was mis-diagnosed with type two diabetes. I actually have type one."

"Oh. What other conditions do you have?"

I mention Raynauds.

"How do you spell that?"

The system shows three different options for Raynauds and I point out they all describe the same condition. She selects one and then asks me a question about it that makes no sense what-so-ever. She decides not to explain, presumably because she doesn't know what the question means either.

I sit there wondering why I'm being asked all this when they have all of my medical notes already. Maybe they're doing this to check the information is right? Well if I didn't have type one diabetes I wouldn't be here, so it can't be that... besides, she's typing this stuff into the system whilst I'm here. Why hasn't it all been imported electronically already?

...and then it is back to discussing my diabetes...

"Have you had a retinal screening this year?"
"Yes, 8th of May" (I know this because I blogged about it: Eyes Wide Open)
"Was it ok?"
"Yup, no problems."
"Ok, we'll get you added to the system to have one later then."

Then came the shocker.

"We need to set you up with a couple more appointments. One to have a fasting blood test and the other to see the diabetes nurse at the practice."

What started as not requiring any appointments has turned into three!

So I'm booked in next week for blood tests (let's hope I don't go hypo before that one!) and the following month to see the diabetes nurse to discuss whatever it is she wants to discuss - assuming I go. At some point someone needs to re-test my potassium levels... I seem to be the only one concerned about this, hopefully I can convince them to do that next week otherwise I'll cancel the appointment with the nurse because I don't see any value to it.

As the practice nurse starts to send me on my way I say I have a few concerns and questions I'd like to ask. It turns out she can't help with any of them, only the diabetes nurse can deal with these when I see her next month. I guess I'll just plod on by myself then.

So I leave in the knowledge that my time has been wasted, but I'm sure they found it useful as they've managed to collect some QOF points along the way.

Eye Screening Invitation

Then to my surprise I receive an invitation in the post to book a retinal screening! It's not even been 3 months since my last one and they know it!

It would seem the cost of providing this service is about £25, but the cost and inconvenience to me is a lot more. Every location available is a car journey away, but once they've put the drops in my eyes I won't be able to drive for up to 6 hours. That means I either have to ask my wife to take time off work (as well as myself) in order to take me or a rather expensive taxi ride each way.

So I have a choice. Either:

  • Waste NHS time and money as well as my own (and mess my employer about by taking time off work) and have another retinal screening, despite the fact my screening in May didn't even have signs of background retinopathy, or
  • refuse to go on the basis that it is less than three months since my last one and then I have a GP practice thinking I am an awkward, non-compliant patient.
I guess I'm going to be a non-compliant patient, but why do I feel bad about saving the NHS time and money? Why do I feel like I'm being used rather than getting care?

Unfortuntely I have very little choice over who I can register with, I just hope they don't hold me to ransom like my previous GP when it comes to ordering a repeat prescription.