The value sensitive design of a preventive health check app

In projects concerning big data, ethical questions need to be answered during the design process. In this paper the Value Sensitive Design method is applied in the context of data-driven health services aimed at disease prevention. It shows how Value Sensitive Design, with the use of a moral dialogue and an ethical matrix, can support the identification and operationalization of moral values that are at stake in the design of such services. It also shows that using this method can support meeting the requirements of the General Data Protection Regulation.


Introduction
Most organisations nowadays are engaged in thinking about, experimenting with or implementing data-driven services. Besides successful implementations, for instance in recommendation systems or advisory robots, however, failures also occur regularly. Often, these failures can be traced back to disregard for particular human values such as privacy. In Europe respect for privacy is enforced by the General Data Protection Regulation (EU 2016/679). However, many organisations are still struggling with how to comply with the GDPR. Besides, one may question whether complying with the GDPR is sufficient to ensure data-driven services are also morally justified. The need for more than the legal perspective with regard to data is for instance shown by the publication of The Ethics Guidelines for Trustworthy AI, which were established in 2019 by an independent High Level Expert Group on Artificial Intelligence set up by the European Commission, and state good data governance as one of their key requirements. This paper is written as part of the project "Data driven service innovation: compliancy and transparency by design", which was set up to develop an integrative framework for data-driven services that supports the translation of big data research into applied services in accordance with the "privacy by design" and transparency that the General Data Protection Regulation (EU 2016/679) requires. It consists of a case study and describes the design of one specific personalized data-driven service within the framework of this project: an app that supports allied health students of a University of Applied Sciences in the execution of a "Preventive Health Check" (PHC). The PHC is an accessible option for (local) citizens to gain insight into and get personal advice on aspects of health and lifestyle, based on (basic) health information and (sometimes) simple tests. Citizens can attend a PHC without appointment and in familiar surroundings.
The students have a conversation with the citizens, perform simple tests and provide them with an advice, all under supervision of their lecturers. The main question of the project is how the design of the app can meet the GDPR requirements of privacy and transparency not only from a legal, but also from a moral point of view.
We suggest that the above-mentioned legal norms (which we assume to be ultimately grounded in values) can be incorporated in a robust manner into the intended app through Value Sensitive Design. Value Sensitive Design can be described as "a theoretically grounded approach to the design of technology that accounts for human values in a principled and comprehensive manner throughout the design process" (Friedman et al., 2006, p. 349). Designers are enabled to design technologies in such a way that they do not only promote "instrumental values such as functional efficiency, safety, reliability, and ease of use, but also the substantive social, moral, and political values to which societies and their peoples subscribe" (Flanagan et al., 2008, p. 322). Applying a Value Sensitive Design approach enables us to broaden the legal perspective with additional human value considerations. In our project we follow the Value Sensitive Design steps as described by Flanagan et al. (2008): (1) the discovery of relevant values; (2) the translation of these values into design specifications and (3) verification whether they have been successfully embodied or expressed in the design (Ibid.). We link these steps to the conceptual, empirical and technological perspectives that, according to Friedman & Hendry (2019), are iteratively applied in Value Sensitive Design. The case study focuses on the second step.
Although Flanagan et al. (2008) provide us with a step-by-step plan, they do not tell us how these steps should be implemented practically. Especially the second step, the translation of values into design specifications, calls for attention as it is a crucial step in Value Sensitive Design, but little research has been done on how this translation can be made (Van de Poel, 2013). Winkler & Spiekermann (2018) found in a review of VSD projects from 1996 to 2016 that of the 113 papers only 17 applied the complete tripartite methodology. In their overview of 20 years of Value Sensitive Design, Friedman & Hendry (2019) discuss 17 instruments and techniques that have been used over the years by various VSD projects. These techniques are either unique to VSD or existing techniques that were adapted to use in VSD. Friedman & Hendry indicate that the list is not exhaustive and that new or newly adapted techniques and instruments are likely to be added over time. They argue for an iterative and integrative approach during the entire design process, the use of a variety of empirical value-elicitation methods and the elicitation of stakeholder values throughout the design process as well as applying a value sensitive evaluation process through the deployment phase (Friedman & Hendry, 2019).
In our study we adapt an existing technique, the "moral dialogue" (Isaacs, 1999; Morrell, 2004) and an existing instrument, the ethical matrix (Mepham et al., 2006), to apply them in Flanagan et al.'s step 2 in VSD. We applied the moral dialogue as a technique for value elicitation. Our motivation was to increase stakeholder interaction and to create a common understanding of values and norms. The ethical matrix was introduced as an instrument for value representation. We were looking for a means to provide oversight of how different stakeholders regarded the positive and negative impacts of the values identified. How values are specified depends on the kind of technology that is designed and is thus context-dependent (Van de Poel, 2021). Therefore, we do not wish to argue in general that the Value Sensitive Design approach should be supplemented with the methods of the moral dialogue and the ethical matrix, but we want to show that they worked well to go through the step of translation of values into design specifications in this specific case.
The contribution of our study is threefold: (1) extension of the legal perspective with a VSD approach; (2) introduction of two additional techniques for the empirical perspective; (3) establishment of a value-sensitive co-creation approach to data-driven service innovation.

Case description
The app that we use as a case in this paper is developed on request of the teaching clinics of a University of Applied Sciences. The teaching clinics provide a hybrid learning environment for allied health students who deliver care to real patients under supervision of their lecturers. Citizens can make use of the services of the educational clinics for free, in the areas of dental care, skin therapy, eye care, and speech and language therapy.
In line with (inter)national challenges and changes, the teaching clinics are shifting their focus from merely "illness" to a more holistic approach (cf. Huber et al., 2011) and to creating more awareness of "public health" and prevention (for both citizens and students). This shift requires professionals to be able to work "interprofessionally" (work together with people from one or several other professions) and to act as "health advocates" (e.g. identifying "citizens-at-risk" and providing health literacy education). To meet these challenges, the teaching clinics have started to offer Preventive Health Checks (PHCs) in the neighborhood. The PHCs entail the presence for (part of) a day of students and lecturers from several disciplines of the teaching clinics in, for example, a library or neighborhood center where passersby can have a "PHC" performed, without charge and without appointment. Based on a short list of basic (health-related) questions, information about their functioning in daily life, and personal preferences, the citizen can have a more in-depth advice (sometimes including additional basic health tests) from one or more of the disciplines mentioned above. Based on the outcomes of the PHC the citizen is presented with a personal advice, for instance about lifestyle or to visit a local (health) professional. As there is no treatment relation during the PHCs, citizens will not be diagnosed or receive treatment in this context.
To support students in their task of performing the PHC, the teaching clinics asked for an assisting app, to be used by students. The app should support the student in all steps in the PHC, from intake questions, to routing to the relevant disciplines, to assessment of relevant health related questions and performing relevant tests and, finally, providing a suitable personal advice. In VSD terms, the direct stakeholder of the app is the student, while the citizen and the lecturer can be regarded as the most relevant indirect stakeholders.

Step one: the discovery of relevant values
The first step in the Value Sensitive Design of the PHC app is the discovery of relevant values (Flanagan et al., 2008). This step belongs to what Friedman & Hendry (2019) characterize as the "conceptual level" in Value Sensitive Design and aims to find the values that are relevant to a design project based on an analysis of legislation, policy documents and literature (Flanagan et al., 2008, p. 334; Brey, 2010, p. 46).
Since our study specifically focuses on compliancy to privacy and transparency legislation, it might seem like we can skip this first step as it is clear beforehand that privacy and transparency are the relevant values. But these values cannot be understood in a vacuum. As was stated before in the introduction the specification of values is context-dependent and part of that context is formed by other values that are inspiring or informative for the design project at stake.
The first value that comes to mind as we look for values that are inspiring or informative for the development of the PHC app, besides privacy and transparency, is health. In legislation and policy the value of health is closely related to the value of (distributive) justice, i.e. the fair and equal distribution of goods and services among people (See e.g. the Constitution of the World Health Organization, preamble). As health itself cannot be fairly and equally distributed, because it is a "natural" good that is not directly under our control (Rawls, 1971), theories of distributive justice typically focus on the fair and equitable distribution of healthcare instead of health. Other values that are closely related to health(care), especially in combination with technology, are trust and informed consent (Yagmai et al. 2017). These values and how they are related to the PHC app will be discussed in more detail later on. The prioritization of these values depends on the context and may change over time (Van de Poel, 2021).

Step two: the translation of values into design specifications
The second step in the Value Sensitive Design of the PHC app is the translation of the discovered values into design specifications (Flanagan et al., 2008). This step is divided into operationalization and implementation. Operationalization involves the definition and articulation of the values found in concrete terms, for they may be abstractly conceived (Ibid.). The designers need "to address questions about the origin and scope of relevant values, their conceptual meaning, and the basis of their prescriptive force" (Ibid., p. 325). The definition of the relevant values still takes place at the conceptual level, but the articulation (i.e. how these values are conceived by the stakeholders) takes place at what Friedman & Hendry (2019) call the "empirical level" in Value Sensitive Design. The implementation of these value concepts into corresponding design specifications takes place at what is characterized by Friedman & Hendry (2019) as the "technological level" in Value Sensitive Design.

Methodology
The definition of the relevant values will be based on a brief analysis of legislation, policy documents and literature. The articulation gets more attention in this paper and will be established by means of a "moral dialogue" by lecturers involved in the PHC (Isaacs, 1999; Morrell, 2004). The purpose of this phase is to investigate how the values identified from a conceptual perspective are weighed and experienced by the parties directly involved. An implicit source of value articulation are the designers. Because they have numerous open-ended alternatives as they proceed through the design process, their values, often unconsciously, shape the design in significant ways (Flanagan et al., 2008, pp. 334-335). Another relevant source of further value articulation are (potential) users (Ibid., p. 336). To learn their stand on the values, they must be involved in the design process. Therefore, to perform our empirical and technical investigations, we conducted a series of eight workshops with four lecturers who supervise the students during the PHCs. These lecturers were actively involved in the creation of the PHC set-up and are still engaged in the further development of the PHC. They have many years of experience in teaching. We chose to perform this first series of workshops with lecturers for two reasons: first of all, because of the explorative nature of the first phase (ideation in terms of service innovation process). Secondly, we wanted to explore the various design options from a professional educational perspective. The app should not only support the students in executing the PHC, but should also allow for an optimal learning experience. However, once the ideas became more tangible, we organized a workshop with students as well. In later stages of the design and development process, further participation by students is planned. Each workshop took two hours and was recorded.
Nine workshops were held, as depicted in Table 1, resulting in a global design for the PHC app. The workshops are discussed in more detail further on.
After building a shared idea of the app to be designed in the first two workshops, we held a "moral dialogue" in the third session (Isaacs, 1999; Morrell, 2004). This form of the "moral dialogue" originates in business ethics, but with some small adjustments we found it useful for our purposes as well. The purpose of the dialogue was to elicit the participants' norms with regard to the identified values in the context of the app, as well as identify any additional values the participants might deem important in regard to the proposed app.
The setup was as follows: the lecturers were interviewed in pairs. One of the authors interviewed one lecturer with regard to each of the abovementioned values while the other lecturer made notes on sticky notes. The lecturers were asked to elaborate on how they interpreted the value within the context of the PHC, how the value might emerge during a PHC, where thresholds might be crossed and what would be acceptable or unacceptable to them. In a Socratic manner the lecturers were stimulated to reflect on their personal norms. Not with the intention to identify incoherence as such, but to provide nuances to the values. In this way, it emerged, for instance, that transparency is extremely important, but there are cases in which full transparency is not desirable. During the dialogue, the other lecturer made notes of the conversation on sticky notes. After each of the four lecturers was interviewed in this way, all sticky notes were collected and put on the wall, clustering them per value. The four lecturers were then invited to walk along the wall and discuss among themselves the clusters of sticky notes. By asking each other questions and reflecting on each other's notes a shared meaning was formed. In terms of the continuum of paradigms for eliciting values discussed by Fischhoff (1991) our approach can be considered a partial perspectives paradigm: values are elicited by asking open ended questions, talking through implications and "looking for trouble".

Operationalization: the definition and articulation of the relevant values found
Privacy is not only a value, it is also an important human right enshrined in, for example, article 8 of the European Convention on Human Rights (ECHR). As was indicated in the introduction, detailed legal guidance and explicit regulation on the protection of privacy can be found in the GDPR, at least with respect to European jurisdictions. It is striking that neither the ECHR nor the GDPR provide a definition of privacy. In (legal and moral) literature, a clear definition of privacy is not available either. This is because "an adequate conceptual vocabulary regarding privacy does not exist, nor does an adequate institutional grammar" (Cohen, 2018, p.1). What privacy entails, seems to be largely dependent on the context. In the context of the PHC app privacy is linked to data protection, quality and integrity of data and access to data. Article 9 of the GDPR offers specific guidance with regard to data concerning health. It prohibits the processing of data concerning health, but also lists exceptions to this prohibition, of which the following three may apply to the PHC app: users are informed about the purpose(s) of processing their health data and have given their consent to process these data for those purposes (sub a); the processing of health data is necessary for the purpose of preventive medicine (sub h) or the processing of health data is necessary to ensure high standards of quality and safety of health care and there are suitable and specific measures taken to safeguard the rights and freedom of data subjects (sub i).
The participants of the workshop associated the value of privacy with the confidentiality of medical and personal data. These data should be handled carefully and it should always be clear for which purpose they are collected. Security measures should be taken to ensure that unauthorized people do not have access. The participants realized that for research purposes medical and personal data can reveal interesting new information if linked to, for instance, demographic information, but found it questionable whether that would be morally defensible. They also indicated that people might not provide the correct medical or personal data as they might give socially desirable answers to the questions asked.
Just like privacy, transparency is also a right protected by the GDPR. It grants data subjects the right to receive concise, easily accessible and easily understandable information about the processing of their data and their rights on this matter (article 12 GDPR; EU 2016/679 recital 58). From a moral point of view, transparency is usually not seen as an end in itself, but as an important prerequisite for the realization of other values. After all, if it is not transparent what moral values are at stake, people cannot act to protect them.
The participants of the workshop associated the value of transparency with "openness": citizens participating in PHCs need to be informed beforehand with whom, why and for which purposes their medical data are shared in plain language. Transparency was also associated with (a lack of) openness in another respect. If the outcome of the PHC indicates serious health threats, this needs to be communicated in neutral terms, on a factual level. Since the students are not allowed to deliver a diagnosis they cannot communicate with which disease a particular test outcome is associated and have to refer to a medical professional for further examination. This might lead to ethical dilemmas.
A definition of the value of health in concrete terms is found in the preamble to the Constitution of the World Health Organization. It defines health as "a state of complete physical, mental and social well-being and not merely the absence of disease or infirmity" (Constitution of the World Health Organization, preamble). This definition is however criticized. Most criticism relates to the "absoluteness of the word "complete" in relation to wellbeing" (Huber, 2014, p. 47). Currently, health is more often seen as a dynamic concept with multiple dimensions (Huber et al., 2011). Six main dimensions of health are distinguished, namely: "bodily functions, mental functions & perception, spiritual/ existential dimension, quality of life, social & societal participation, and daily functioning" (Huber, 2014, p. 56). Huber defines health, therefore, as "the ability to adapt and to self-manage" (Huber et al., 2011).
The participants of the workshop associated the value of health with quality of life, (physical, social and mental) wellbeing, prevention, autonomy (right to make one's own health choices, self-direction), safety (of care offered) and transparency (it should be clear what is a healthy lifestyle and what not). It was articulated that people may have different opinions on what a healthy lifestyle is and that scientific insights in this respect have developed over the years. It is seen as a strength that the PHCs are easily accessible as they are offered at libraries and community centers, close to the target groups. An important norm with regard to health is the harm principle: caregivers should never harm their patients. The students should, therefore, be instructed well on what to do when the outcomes of the PHC indicate serious health threats and when to turn to their lecturers for assistance. It should always be verified if citizens have enough knowledge to understand the advice given in order to prevent harm. What is safe to advise may differ from case to case.
As was mentioned before, the value of health is closely related to the value of distributive justice. The capability view is best suited to study the meaning of this value with regard to the PHC app. In a nutshell, the capability approach entails that the freedom of people to achieve well-being is a matter of what they "are able to do and to be, and thus the kind of life they are effectively able to lead" (Robeyns, 2016). Within this approach, there are different opinions on what this means for the distribution of goods and services that are constituent to well-being among them. Some argue one should look at what a specific person needs and deserves, where others "are guided by some conception of the standard needs and endowments of human beings" (Pogge, 2002, p. 23-24). In a much-quoted paper in The Lancet Ruger applies the capability view of distributive justice to health (Ruger, 2004, p. 1075). According to Ruger it "gives special moral importance to health capability: an individual's opportunity to achieve good health and thus be free from escapable morbidity and preventable mortality" (Ibid., p. 1076). From a capability point of view, the PHC app thus realizes the value of distributive justice if it empowers individuals to improve their health.
The participants of the workshop associated the value of distributive justice with accessibility (both in the sense of "tailored to the local neighborhood" and "low in cost", in fact: the PHC is for free) and equality (same quality of health information for everyone). A moral problem is that it is questionable whether the PHCs offer the same care and health information for everyone as the students are only supervised by their lecturers to a limited extent and the quality thus depends on the skills of the particular student, who is still in training and gaining expertise, and who is not allowed to deliver a diagnosis or formal medical advice. Language barriers can endanger the accessibility. A strength of the PHCs with regard to distributive justice could be that they also make regular healthcare more accessible (by means of advising people who do not know their way in the healthcare system, but found their way to the easily accessible PHCs).
Trust can be defined as "a psychological state comprising the intention to accept vulnerability based on positive expectations of the intentions and behaviors of another" (Rousseau et al., 1998, p. 315). It entails two types of expectations: predictive expectations about how someone or something is likely to behave and normative expectations about how someone or something should behave (Faulkner, 2007). Trusting, therefore, requires acceptance of some risk or vulnerability, for example that the trusted person or technological application might be unable or might be unwilling to act in your best interest. In healthcare settings, trust usually refers to the doctor-patient relationship (Beauchamp & Childress, 2009; O'Neill, 2002). But with regard to the PHC app, it also implies trust in the technology and, indirectly, in its designers. Moreover, not only the health of the persons concerned but also personal information about them is at stake. Even if the app does not damage the health of the persons concerned their trust in the data application can still be violated, for example if information about them has been accessed by individuals or companies that the user was not aware of. These factors complicate the trust relationship.
The participants of the workshop associated the value of trust with reliability, professionality, expertise, sensitivity, (legal) rules, keeping promises and the security of medical and personal data. It is emphasized that it is not only important that citizens trust the students performing the PHC, but also that students and their lecturers trust each other and that they show confidence. Citizens trust they get the best advice and the most up-to-date information, but is that always justified? It is emphasized that trust is the most important value and that a good organization of the PHC process is important, because a good organization reflects trustworthiness.
Informed consent is a vital aspect of any discussion of sensitive or personal information, especially if it concerns health (Weckert & Henschke, 2010, p. 194). The term "informed consent" has two components: an information and a consent component. The information component entails that the persons concerned must be provided with all relevant information and must comprehend this information. The consent component entails that any effective consent must be voluntary and gives clear authorization for a specified procedure to go ahead (Beauchamp & Childress, 2009, in Weckert & Henschke, 2010). For the purposes of this paper informed consent can be defined as voluntary agreement after understandable information has been provided.
The participants of the workshop associated the value of informed consent with privacy and transparency. It is important that citizens give consent on the basis of precise information, but how much they are able to apprehend, depends on the citizen population. It is important that citizens are given the opportunity to ask questions and that healthcare professionals provide the information they deem necessary. It should always be made clear to citizens what consent entails for them. It is preferred that informed consent is arranged in a conversation, not through a form. At the moment there is a wish to reuse the data collected with the PHCs in medical research but it is unclear how to arrange this, especially since the data of the PHCs are anonymous.
After discussing the values derived from the conceptual analysis, the participants were asked if there were any additional values that could be of importance for the development of the PHC app. In order to help them, they were given a general list of human values (see appendix). Three additional values were mentioned: helpfulness, responsibility and sustainability. Helpfulness is related to the desire to help citizens improve their wellbeing. The importance of helpfulness is evidenced by claims that it is unethical not to provide adequate follow up advice to the PHC. The participants clearly feel their primary objective is to help the individual citizen. Responsibility arose several times, especially in relation to not being in a treatment relation. Because they are not in a treatment relation, the students cannot provide formal medical advice or a diagnosis, even if they identify health risks. Still, they feel responsible for the citizen's health. This generates tensions between what is legally allowed and what they feel they should do. Sustainability is related to the desire to develop an app that enables future improvements, for example by developing ways of collecting data for research purposes with the PHC app.
An analysis by the authors of the outcomes of the moral dialogue revealed two more values, that were not explicitly identified as such by the participants but were clearly underlying their remarks: security and autonomy. Security was mentioned especially in terms of making the students feel secure in performing the PHC. Students should not be brought in a position where they cannot act adequately. Autonomy appeared in the discussion about the value of health and entails in that context that citizens have the right to make their own health choices.
Thus, the dialogue not only led to a more contextual articulation of the values identified from the literature, but it also revealed five additional values that were important to the participants.

Implementation of the value concepts into corresponding design specifications: the technological level in value sensitive design
As mentioned before, the final part of step 2 in Flanagan et al. (2008) is implementation. Implementation involves the transformation of "value concepts into corresponding design specifications" (Flanagan et al., 2008, p. 340). Sometimes it may turn out that it is impossible to embody all values found into the design (Ibid., p. 342). Also, tensions may occur between values of different stakeholders, or even between different values of the same stakeholder.
In the fourth through seventh workshops, we iteratively translated the articulation of the values from the third workshop into design choices. To be able to balance all relevant values of all stakeholders throughout the entire design process, we used the instrument of the ethical matrix (Mepham et al., 2006). The ethical matrix has its origin in the agriculture and food industry and serves as an instrument to evaluate the ethical impact of technological innovations. It consists of a 3 × 4 matrix with stakeholder groups on one dimension and the three ethical principles of well-being, autonomy and fairness on the other. In the cells the impact of the technological innovation under consideration on the stakeholders with regard to the principles is specified (Fig. 1).
For our purposes, we adapted the original matrix to use in a VSD project (Fig. 2), replacing the three ethical principles proposed by Mepham with the generic concept of values and the agricultural stakeholders with the generic concept of stakeholders.
The ethical matrix combines stakeholders, values and impacts in one diagram. It can be used to structure value discussions, compare design alternatives and evaluate implementations against value aims. It supports the essential iteration between the conceptual, empirical and technical investigations. In a VSD project, the first step in building an ethical matrix thus becomes to fill in the relevant values and stakeholders as identified in the conceptual phase of the project. In our case, the values are the values identified in the second step of our approach (i.e. privacy, transparency, health, distributive justice, trust, informed consent, helpfulness, responsibility, sustainability, security and autonomy). The stakeholders are the direct and indirect stakeholders of the app (i.e. student, lecturer, citizen, municipality, and in future maybe companies offering PHCs to their employees).
We next used this ethical matrix with the twelve values and the five stakeholders throughout workshops four to seven to record the translation of the values into various design choices. We started by filling out a matrix for the app as a whole (workshop 4). We drew the matrix on the wall and asked the participants to fill in the cells with potential benefits and harms of the proposed app. This exercise generated a number of potentially harmful consequences of the app. For instance, if the app were to present an automatically generated, fully comprehensive advice to the student, this would have a negative impact on transparency for both citizen and student, and on responsibility for the student. Next, we decided to design alternative options for potentially harmful parts of the app, such as the advice presentation, and to compare these alternatives by completing a separate matrix for each of them in the follow-up workshops. We thus developed a series of completed matrices for various design choices. To illustrate the process, we show in Fig. 3 the overall setup of the app (a) as well as four design alternatives for one aspect of the app, the generation of an advice for the student to give to the citizen (b), and elaborate a bit more on our approach.
As mentioned above, we first used the ethical matrix to discuss the design characteristics of the mockup shown in Fig. 3a in terms of their potential positive or negative impact on the identified values for each of the stakeholder groups concerned. This discussion helped generate additional awareness of the potential impact of the app on the values of the various stakeholders and it also brought focus to the design characteristics that had most impact on these values. One of these characteristics appeared to be the way in which the advice would be presented to the student. We used the ethical matrix approach again in a follow-up workshop, zooming in on this specific design characteristic. Based on a governance framework for decision making (Smit & Zoet, 2019) we presented four design alternatives, varying from 1) the advice being drafted completely by the student, to 2) generally relevant advice being shown to the student for the student to tailor towards the citizen by selecting the most relevant one, to 3) advices being suggested by the app with the student being able to deviate from the advice, to 4) the advice being generated completely by the app, with no control for the student other than alerting the lecturer (Fig. 3b). For each of these four alternatives the participants completed an ethical matrix posted on the wall, by walking past the matrices and discussing the pros and cons of each alternative in terms of potential harms and benefits to the various stakeholders. Figure 4 illustrates the matrix for design alternative 1 where the student has minimal support from the app in formulating an advice. Some cells in the matrix are empty because not every value is impacted for every stakeholder, depending on the design investigated.

Fig. 3 a Mockup of PHC app: overall design, b Four design alternatives for generating advice
After reflecting on the four completed matrices the participants discarded alternatives 1 and 4 because the matrices showed too many negative impacts. In alternative 1 (Fig. 4), in which the student formulates the advice without any assistance of the app, there is no transparency about what the advice is based on. It also puts a much larger burden on the responsibility of both student and supervisor regarding the correctness of the advice, leading to less security. The question arose whether it would be fair to make a student responsible for formulating an advice without support from the app. The main advantage of alternative 1 is that it leaves much autonomy to the student. Alternative 4, with an entirely automatically generated advice, had a very negative impact on the autonomy of the student. In the end the lecturers opted for a combination of design alternatives 2 and 3, with the right mixture of advice being suggested by the app and freedom for the student to tune, discard or add to the advices suggested, receiving feedback on the ultimate advice they arrive at.

Step three: verification whether the relevant values have been successfully embodied or expressed in the design of the PHC app
To validate the outcome we organized an eighth workshop with three students. In this session the students discussed the design of the app among themselves regarding whether they would want to use such an app, what advantages and disadvantages they see to the app, what they would change before using the app and what they think is most important in such an app. The lecturers and researchers made notes of the discussion and checked whether the values identified in the ethical matrix could be recognized in the students' discussion. These notes were then discussed with the students. One additional value that arose from the student discussion was the value of access. The students stressed the potential of using the app in the communication with the citizen who is not always fluent in Dutch, by providing for instance visualizations.
Use of the ethical matrix helped us articulate the potential impacts of the various design choices as well as keep track of all options under consideration. In the next phase we will extend the sessions with students and also involve citizens who attend the PHC.

Conclusion
In this paper we have shown how we incorporated the privacy by design and transparency the GDPR requires into a preventive health check (PHC) app we are developing through value sensitive design (VSD). The PHC app is an app that supports allied health students of a University of Applied Sciences in the execution of a "Preventive Health Check", which is an accessible option for (local) citizens to gain insight into and get personal advice on aspects of health and lifestyle, based on (basic) health information and (sometimes) simple tests.
The contribution of our study is threefold: (1) extension of the legal perspective with a VSD approach; (2) introduction of two additional techniques for the empirical perspective of VSD: the moral dialogue and the ethical matrix; (3) establishment of a value-sensitive co-creation approach to data-driven service innovation, that uses the ethical matrix to structure and trace the value elicitation and operationalization process.
In the design process we followed the first two Value Sensitive Design steps as described by Flanagan et al. (2008): (1) the discovery of relevant values; (2) the translation of these values into design specifications. We linked these steps to the conceptual, empirical and technological perspectives that, according to Friedman & Hendry (2019), are iteratively applied in Value Sensitive Design. The step-by-step plan of Flanagan et al. does not tell how the above-mentioned steps should be implemented practically. According to Friedman & Hendry (2019) the techniques that have been used over the years by various VSD projects are either unique to VSD or existing techniques that were adapted to use in VSD. In an inventory of techniques used, they have indicated that new or newly adapted techniques and instruments are likely to be added over time.
The first step of Flanagan et al.'s plan we conducted by means of a tested method. We analyzed legislation, policy documents and literature in order to discover which values were relevant to our design project. We came to the conclusion that the privacy and transparency required by the GDPR cannot be understood in a vacuum and that besides these values the values of health, distributive justice, trust and informed consent were also relevant.
For the second step we adapted existing techniques. We articulated the relevant values (i.e. established how they are conceived by the stakeholders) by means of a "moral dialogue" (Isaacs, 1999; Morrell, 2004). The concept of the "moral dialogue" used originates in business ethics, but with some small adjustments we found it useful for our purposes as well. We used a combination of individual dialogues exploring each of the values in depth within the context of the PHC followed by a collective reflection upon the results, thus developing a shared meaning. This not only led to a more contextual articulation of the values identified from the literature, but it also revealed five additional values that were important to the participants, namely: helpfulness, responsibility, sustainability, security and autonomy.
We translated the resulting value concepts to design specifications by means of an adaptation of the ethical matrix by Mepham et al. (2006), making it more suitable to a VSD approach. After establishing the two dimensions of stakeholders and values for the app, the lecturers involved completed a series of matrices expressing potential harms and benefits for the app as a whole as well as for various high-impact design choices within the app. This enabled us to compare design alternatives in terms of beneficial and harmful consequences and to base our design on a well-considered weighing of positive and negative impacts on human values.
We found that the moral dialogue added a more context specific definition of the values found in the conceptual research and led to increased awareness of ethical issues. The use of the ethical matrix, iteratively going back and forth between design and values in increasing detail, provided traceability that contributed to robustness in design. The resulting series of completed matrices for various levels of design forms a transparent trace of the numerous value discussions throughout the design process. The final design decisions were based on a far richer discussion than a purely functional, or legal, discussion of the design.

Appendix
Overview of values

Data availability Transcripts and/or reports of the meetings are available upon request.
Code availability Not applicable.

Conflicts of interest Not applicable.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.