The Users' Perspective on the Privacy-Utility Trade-offs in Health Recommender Systems

TL;DR

This study investigates how users perceive privacy-utility trade-offs when health data are used in health recommender systems, comparing k-anonymity and differential privacy. It combines focus groups with two large conjoint analyses ($n=521$) in Germany to quantify attribute importances and part-worth utilities across data type, recipient, identifiability, and privacy settings. Key findings show identifiability risk and the data recipient as primary drivers of sharing decisions, with strong reluctance toward mental illness data and commercial use, while data used for science and physical health information are more acceptable under privacy protections. The results offer actionable guidance for designing privacy-preserving health recommender systems and provide a practical method to estimate privacy budgets and user-acceptable trade-offs in real deployments.

Abstract

Privacy is a major good for users of personalized services such as recommender systems. When applied to the field of health informatics, privacy concerns of users may be amplified, but the possible utility of such services is also high. Despite availability of technologies such as k-anonymity, differential privacy, privacy-aware recommendation, and personalized privacy trade-offs, little research has been conducted on the users' willingness to share health data for usage in such systems. In two conjoint-decision studies (sample size n=521), we investigate importance and utility of privacy-preserving techniques related to sharing of personal health data for k-anonymity and differential privacy. Users were asked to pick a preferred sharing scenario depending on the recipient of the data, the benefit of sharing data, the type of data, and the parameterized privacy. Users disagreed with sharing data for commercial purposes regarding mental illnesses and with high de-anonymization risks but showed little concern when data is used for scientific purposes and is related to physical illnesses. Suggestions for health recommender system development are derived from the findings.

Figures (7)

• Figure 1: Overview of the related fields of work and where our conjoint studies aim at.
• Figure 2: Overview of the methodological approach showing both the qualitative focus groups to determine relevant attributes and the two conjoint decision tasks. Attributes in red differ between both studies.
• Figure 3: Exemplary decision scenario from study 2. Each picture refers to one level of an attribute. Scenario 1 in this case refers to sharing data of a mental illness when the patient is among 20% similar users in a sample of 10,000 users. The data used in a recommender systems would provide financial benefit for the patient (e.g. cheaper therapy) and would be stored by a health insurance company. Participants are asked to select their preferred scenario. Actual decision tasks were supported with textual descriptions of attribute levels as tool-tips.
• Figure 4: Relative importance of attributes for preference. The sum of importances adds to approx. 100%. Error bars denote standard errors.
• Figure 5: Part-worth utilities across attributes and levels. Part-worth utilities add up to zero for each attribute and can not be compared across attributes. Error bars denote standard errors.