My team worked with government APIs that exposed health data via a third-party app so that individuals could easily access their medical records. However, we didn’t know whether individuals fully understood the authorization flow and what it entailed in terms of their privacy, and could therefore effectively grant their consent.
We conducted research with end-users to assess whether they understood the flow and what it entailed. We asked:
What data do individuals consider to be personal and private?
What does granting and revoking consent look like to them?
For this research we used a prototype that simulated one of the mobile apps that integrates with the health data API. We asked participants to go through the authorization flow and walk us through their understanding of what the flow meant to them and what they expected to happen to their health data.
We found that participants:
Expected the agency to actively oversee their data.
Held the agency to a different standard than commercial apps.
Didn’t understand how their health data was managed by the third-party app because that information wasn’t easily available to them, and they wanted to know.
The findings of this research:
Informed changes in the approval process for applications integrating with the health API.
Informed changes in the copy of the authorization flow.
Laid the foundation for future research on control over scopes.