UK Health Service tracking scandal: What went wrong?

Tracking technologies such as pixels and cookies are present on the majority of websites. These tools can be useful for analytics and marketing purposes—but they also present a risk to people’s privacy and data protection rights.

An investigation by UK newspaper The Observer has revealed how UK National Health Service (NHS) trusts have installed the Meta Pixel on highly sensitive websites. The trusts allegedly shared visitors’ data with Facebook without notice or consent.

This article explains what happened and considers whether using the trusts’ use of the Meta Pixel could have violated UK data protection law.

What happened?

The Observer’s investigation found the Meta Pixel installed on the websites of 20 NHS trusts—organisations that govern public healthcare in a given area of the UK.

The Meta Pixel is a piece of javascript code that can track how people interact with a website and collect information about visitors. Website operators using the tool can share this information with Meta to target ads at Facebook users.

The Observer’s investigation found that NHS trusts had installed the Meta Pixel on websites covering the following topics:

• HIV
• Prescription medication
• Sexual development
• Mental health crisis services
• Eating disorders
• Self-harm
• Cancer
• Gender dysphoria in children
• “Disturbing sexual behaviours”

In addition to sharing information about whether a person had visited these pages, the Meta Pixel also collected and shared information about how a person interacted with these pages, including:

• Which pages a person viewed.
• Which buttons a person clicked.
• Which keywords a person searched for.
• When a person booked an appointment with a healthcare professional.
• When a person requested a referral for counselling.
• When a person ordered repeat prescription medication.

Information about people’s visits to and interactions with these websites was shared with Facebook along with their IP address and, in some cases, their Facebook ID.

The Observer estimates that information about millions of people was shared in this way over a period of “several years”.

Did the Trusts get people’s consent for this?

The Observer claims that “in most cases”, the websites shared information with Facebook without consent. The Meta Pixel was triggered immediately once a person visited a page,

Some trusts’ websites incorporated a cookie banner offering visitors a choice to “accept” or “refuse” pixels, cookies, and other trackers. However, in some cases, the Meta Pixel had already shared data with Facebook before the person could refuse.

Several trusts also reportedly “promised” people that their information would never be shared or used for marketing purposes.

Why were the trusts using the Meta Pixel?

When approached by The Observer, 17 of the 20 trusts removed or began the process of removing the Meta Pixel from their websites. Eight of the trusts also apologised to patients.

Some of the trusts told The Observer that they had initially installed the tool to monitor recruitment drives or charity campaigns. Several trusts were reportedly unaware that the Meta Pixel shared data with Facebook.

Was this illegal?

When implemented properly, the use of tools such as the Meta Pixel is legal in some contexts. However, there are likely to have been significant legal issues with how these NHS trusts allegedly used the Meta Pixel.

The UK’s data protection authority, the Information Commissioner’s Office (ICO), is reportedly investigating the concerns highlighted by The Observer’s investigation.

It’s also important to note that Meta’s terms of service prohibit Meta Pixel users from sending certain types of sensitive information. The company claims it has processes for screening out such information if users share it.

However, the organisation using the Meta Pixel is responsible for doing so in a legally compliant way—and will be liable for any breaches of privacy or data protection law.

In the UK, two laws primarily govern the use of pixels, cookies, and other tracking software. Now we’ll explore how these laws apply in this case.

Privacy and Electronic Communications Regulations 2003 (PECR)

The Privacy and Electronic Communications Regulations 2003 (PECR) is the UK’s implementation of an EU law known as the ePrivacy Directive.

PECR covers online privacy and digital marketing and sets rules about how websites and apps use tools such as pixels.

Under PECR, you must get consent before “storing information” or “accessing information stored” on someone’s device. There are exceptions, but not specifically for marketing or analytics.

These rules apply when using the Meta Pixel. A website operator that integrates the Meta Pixel into its website must explain why it is using the tool and request consent before using it to collect or share any information.

UK General Data Protection Regulation (UK GDPR)

The UK General Data Protection Regulation (UK GDPR) is the UK’s version of the EU GDPR.

The UK retained the GDPR in its domestic legislation on leaving the EU. The UK’s version of the law is practically the same as the EU’s. The government is in the process of reforming the UK GDPR and PECR, but these reforms are still pending at the time of writing.

It is worth noting that some European regulators have found that using the Meta Pixel violates the GDPR’s rules on transferring personal data to the US. This suggests that there might be no legally-compliant way for EU-based organisations to use the tool.

However, the UK ICO interprets this part of the law in a more lenient way, and has not ruled out the use of the Meta Pixel.

Legal Basis: Article 6

Under Article 6 of the GDPR, you must have a “legal basis” for processing personal data. The types of information shared by the Meta Pixel are normally considered personal data under the GDPR.

“Consent” is one of the GDPR’s six legal bases. As noted, PECR requires you to get consent for setting the Meta Pixel, so consent is the only acceptable legal basis in this context.

The GDPR defines consent as freely given, specific, informed, unambiguous, and given via a clear, affirmative action. People must also be able to easily withdraw their consent.

This means that before activating the Meta Pixel (or any other non-essential tracker), you must provide concise information about what this means and offer the user a clear way to accept or reject it.

Special Category Data: Article 9

Information revealing a person’s health is classed as “special category data” under Article 9 of the GDPR.

A person’s IP address or Facebook ID is not “health information” in its own right. However, such data could be considered health information if it reveals that an individual has been using a particular health service.

As such, the NHS trusts using the Meta Pixel in sensitive contexts are likely to have been processing special category data.

Special category data requires particularly strong protection under the GDPR, and organisations must identify an additional legal basis under Article 9 before processing special category data.

“Explicit consent” is among the legal bases for processing special category data. The requirement for consent to be “explicit” under Article 9 suggests an even stronger standard of consent than exists for other types of personal data.

However, given the tight restrictions on processing special category data, it is questionable whether the NHS trusts could have justified deploying tracking technology on websites relating to topics such as HIV, mental health treatment, and prescription medication.

So while using the Meta Pixel with proper notice and consent might be considered legal for UK organisations in some contexts, the NHS trusts should have considered whether their use of the tool was necessary or proportionate.

This incident underlines the importance of several other key GDPR concepts, such as “data minimisation” and “data protection by design”.

These principles require organisations to consider whether they can achieve their goals in less intrusive or risky ways. Using tracking technology—particularly without consent and without any clear justification for doing so—is likely to always be inappropriate in such sensitive contexts.