Information about a user's activity is sent to Facebook even if a user is logged out of the Facebook system at the time of the visit, Garlik has warned. It said that information was also being passed to Google.
MP Tom Watson has written to health secretary Andrew Lansley asking him to stop information about citizens' use of Government health sites being passed to outside companies.
"I write to you to express my concern that the NHS is allowing Google, Facebook, and others to track your http://www.nhs.uk/ browsing habits, regardless of the fact that people use the page to seek medical advice," he wrote. "The NHS Choices website is used by members of the public in order to find out facts about ailments they may be suffering from and these illnesses could cause an individual embarrassment if the information was leaked."
The Department of Health defended the data sharing that is part of its integration of Facebook features into NHS Choices, saying that it is mentioned in the site's privacy policy.
Facebook said that it does receive data but that it does not share the information with third parties.
"Facebook capturing data from sites like NHS Choices is a result of Facebook’s own system," said a Department of Health statement. "When users sign up to Facebook they agree Facebook can gather information on their web use. NHS Choices privacy policy, which is on the homepage of the site, makes this clear."
"We advise that people log out of Facebook properly, not just close the window, to ensure no inadvertent data transfer," said the Department of Health statement.
Many Facebook users may not realise that they can close a browser window with the Facebook site on it but still be logged in to it. Garlik said that even logged-out Facebook users have information about their use sent to the company.
A Facebook spokeswoman said that this was the case, but that if the user was not logged in at the time the information about use was identified by the user's internet protocol (IP) address and browser, not by their individual Facebook identity.
A Department of Health spokesman said that users who want to avoid tracking altogether should disable the cookies on their browser. This, though, would seriously affect the operation of many websites which depend on cookies for their operations.
"The NHS is allowing Google, Facebook, and others to track your http://www.nhs.uk/ browsing habits, regardless of the fact that people use the page to seek medical advice," said Garlik researcher Mischa Tuffield in a blog post on his findings. "There are four third-party, advertising/tracking companies which are informed every time a user visits one of the 'conditions pages' on the NHS Choices website."
"When a person is logged into Facebook and visits a partner site that is using a social plugin, such as NHS Choices, Facebook can see technical information such as a person’s User ID, IP address and operating system," said Facebook spokeswoman Sophy Silver. "This is industry standard data that helps us customize the experience on the partner site for the person, such as showing what friends have liked or recommended."
"If a person decides they do not want a personalised experience on a partner site, they can log out of Facebook and we will not receive their User ID," said Silver.
Facebook would receive information on the site usage in that case, but not the Facebook ID. "We also delete this technical impression data within 90 days of receiving it, which is consistent with standard industry practice," said Silver.
Silver said that Facebook does not sell this data on to third parties. Watson said, though, that the very fact of its transmission to a commercial company is a cause for concern.
"Imagine for example, if you or a close colleague had an embarrassing ailment, say genital warts," he wrote to Lansley. "The current settings of the site allow third party applications to know that you have visited the part of the NHS site that lets you know how to treat genital warts."
"I understand the demands to offer government service online but this should not be achieved at the price of privacy," said Watson. "I urge you to take steps to ensure that third party websites should not have access to such information. This could be simply achieved by ensuring all third party interaction is run on an opt-in system, rather than the current opt-out model."