What does your health & lifestyle app really say about you?
May 07, 2015
A growing Internet of Things and Big Data market means that understanding what constitutes ‘health data’ is more important than ever. Smart watches, medical wristbands, fitness and GPS trackers, condition management devices: some of these clearly collect health data about you, while others may not appear to until their data is combined with other data to produce a medical conclusion. In any event, health data can currently only be processed in exceptional circumstances, but there are some practical solutions to clearing this high bar.
In February of this year the Article 29 Data Protection Working Party (WP29) wrote a letter in response to a request to clarify the scope of the definition of health data in relation to lifestyle and wellbeing apps. The letter contained an Annex which detailed WP29’s findings. It was found that “personal data are health data when:
- the data are inherently/clearly medical data;
- the data are raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person; or
- conclusions are drawn about a person’s health status or health risk (irrespective of whether these conclusions are accurate or inaccurate, legitimate or illegitimate, or otherwise adequate or inadequate).”
This definition was formulated with the General Data Protection Regulation (GDPR) in mind. In its current incarnation the proposed definition clearly covers information collected from freely available health and wellbeing apps. An app can qualify for something as slight as indicating a link to obesity, for example, as well as for more obvious data collection such as glucose monitoring or any other bodily sensor, provided the data is not simply held on the device.
The definition also covers a situation where a data controller uses any available data to “identify disease risks”. Therefore apps with medical research functions using big data should also be aware that they are processing health data.
Types of app that should be especially aware of the definition are those which can share data on symptoms, those which issue medication reminders, ‘healthier choice’ lifestyle tools, fitness and food tracking solutions, and correlative apps linking sleep, mood, exercise, diet and other lifestyle choices.
The Annex gives specific examples of grey areas in an attempt to further clarify the position. These are cases where data is combined with other data to draw a conclusion about the actual health status of the person. As the report states, it may be that “seemingly the most innocuous data, combined with other data sources, and used for other purposes, will come within the definition”. The report highlights targeted adverts as a particularly sensitive area for this.
Equally important but more obvious are instances where data controllers process data which can lead to the above conclusions. Combining data through processing in order to infer connections that may lead to any form of correct or incorrect medical diagnosis will constitute processing of health data. From a privacy perspective, the controller must obtain informed consent. From a cyber security perspective, a controller is at greater risk if it transpires that the app in fact shares data it purports not to. The domestic exception would apply to devices that can ensure that data remains solely on the data subject’s device, as this would be ‘personal use’.
The most obvious ground for permissible processing of health data is explicit consent. This derogation is one of the current exceptions to the prohibition in Data Protection Directive 95/46/EC (Art. 8(2)(a)). Consent should be obtained before any processing takes place and should be accompanied by a clear and transparent description of the nature of the processing. All data protection principles should then be followed.
This involves clearly informing users whether the data is protected by medical secrecy rules, what combinations may be drawn from further processing and the inferences that could be made, and which third parties the data is transferred to. In relation to security, ‘privacy by design’ should be considered from the outset, and the secure anonymisation techniques laid out in the ICO’s guidance of May 2014 must be adhered to.
Finally, the processing of health data for historical, statistical and scientific research purposes could be exempt from the prohibition under the GDPR. WP29 has voiced concern that a low threshold might be set for these exemptions. Any research escaping the explicit consent requirements must serve a “high public interest”, and WP29 recommends that this exemption, along with the other two potential exemptions, be very narrowly construed.