
Privacy Toolkit for mHealth Research

How might researchers and engineers create privacy-conscious mHealth apps?
Timeline: 5 months (2-7 days per study)
Team: 1 researcher (me), 1 governance expert, 2 designers, 2 engineers
Methods: literature review, prototyping, interviews, usability tests
OPPORTUNITY
Mobile health (mHealth) apps allow people to collect and understand their health information in their daily life. As they increase in popularity, protecting the privacy of health information is a growing problem. Researchers who create mHealth apps have an ethical and legal obligation to give their study participants control over their health data, but might not have the resources to design apps that protect privacy.
GOALS
As part of my internship at Sage Bionetworks, I worked with the Governance and Design teams to create an open source privacy toolkit for mHealth researchers. The goals of this project were to:
Share best practices for designing mHealth research apps that respect participants’ privacy.
Provide researchers and engineers with resources to implement best practices in their own mHealth studies.

Prior work by team members found that mHealth research participants experience a five-stage study journey. The goal of Sage Bionetworks’ Privacy Toolkit is to address these participants’ privacy concerns at each stage so they have control over how their data is collected, used, and shared throughout the study.
METHODS
First, I conducted a literature review to generate ideas for the toolkit. I surfaced articles and real-world examples of designs that do, and do not, protect end-user privacy. I noted recommendations from community experts on best practices for privacy design.
Second, after several meetings with my team to scope the project, define best practices, and prioritize designs for the toolkit, I prototyped the toolkit’s best practices. I worked with the design and governance teams to ensure each best practice was cohesive and accurate.

My preliminary sketches of best practices for creating user-friendly Privacy Policies.
Third, I interviewed mHealth researchers and engineers to better understand their needs and, using the think aloud technique, gather their feedback on the prototypes. I decided to show prototypes during the interview so discussions about needs and feedback were more concrete.
Finally, after iteratively incorporating feedback from these interviews, I conducted usability tests to resolve issues before releasing the toolkit publicly and to identify longer-term strategic opportunities for the toolkit.

The prototype of best practices for creating user-friendly Privacy Policies, created in Figma. I showed these to researchers and engineers in interviews to gather feedback on content and design.
FINDINGS & KEY INSIGHTS
Researchers and engineers thought the toolkit humanized the mHealth app user experience and helped them understand why user-friendly privacy features were important for maintaining their study participants’ engagement.
They recognized what tasks might be a burden for mHealth research participants, and saw the toolkit as a valuable resource for their teams to discuss the technical challenges of implementing privacy features.
But the toolkit needed more work. Researchers and engineers had specific questions—such as how to ethically “nudge” study participants who have been inactive—and needed concrete, real-world examples to reference for their own work.
Based on this and other feedback from usability tests, I identified these short-term actionable recommendations for the toolkit:
Add best practices to meet specific needs of researchers and engineers (e.g., inactivity notifications, allowing study participants to share their mHealth data outside the study).
Expand resources and real-world case studies for researchers and engineers.

Final version of the best practice for designing user-friendly Privacy Policies, including step-by-step instructions for designing and implementing this best practice. This is one of many best practices I created for the toolkit.
My work also helped identify longer-term strategic recommendations for the toolkit, such as recommending best practices that are more relevant for different audiences (e.g., researchers vs. engineers), and creating auto-generated content that can be customized for different mHealth research apps.
OUTCOMES & IMPACT
I added more best practices to the toolkit to answer the specific questions researchers and engineers had about their mHealth apps. For example, I created best practices for creating private share links and inactivity notifications, based on feedback I gathered in my interviews.

The best practices I added to the toolkit are shown in a comprehensive list on the toolkit’s website.
To expand resources, I added more content to the “Case Studies” section of each best practice in the toolkit so researchers and engineers could see examples of best practices in the real world.

An expanded list of Privacy Policy case studies for researchers and engineers to reference when creating mHealth apps.
I collaborated with engineers to make sure these changes were reflected in the backend and were updated on the toolkit’s website via GitHub.
The Privacy Toolkit was released to the public in September 2019.