You searched for:
The Cookie Jar
Health data in apps and devices
Over the past few years we have seen exponential growth in the development of health and fitness based apps and devices. From a simple wrist band that monitors steps taken, to apps providing cognitive behavioural therapy, apps that predict female fertility and even devices that work together with an app to provide detailed fitness and health profiling, we are as a society becoming more and more dependent on apps to monitor our health and wellbeing. And this is only likely to continue, as we see the development of more sophisticated technologies, which are becoming commonplace for use amongst healthcare professionals, as well as by individuals.
 
One thing that all of these apps and devices tend to have in common is that they collect data, often in large volumes. In the majority of cases this will include personal data. ‘Personal data’ is any data from which a living individual can be identified, either from that data alone or in combination with other available data. This wide definition will include anything from an individual’s name and address, to an individual’s mobile device information.
 
The Legal Framework
 
The Data Protection Act 1998 (‘DPA’) requires organisations that process personal data to put certain protections in place to safeguard this data. ‘Processing’ essentially means any activity that can be carried out in relation to data, such as collecting, using, storing, sharing and deleting. Organisations that develop, manufacture, sell or otherwise make available apps and devices that process personal data must therefore ensure that this ‘processing’ is compliant with the DPA. In practice the party that is responsible for compliance with the DPA is the entity that ‘determines the purposes for which and the manner in which any personal data are, or are to be, processed’, known as the ‘data controller’ under the DPA.
 
The DPA also identifies a special category of personal data, known as ‘sensitive personal data’, which is subject to additional protections. In principle, sensitive personal data should not be processed unless a specified condition is met, in addition to the general conditions required to be met for any processing of personal data.
 
Amongst the various types of personal data that can be classified as ‘sensitive’, is the category of physical or mental health data. However, the DPA does not elaborate upon the scope of this category of data. Traditionally, one might have viewed health data as the type of data that would be held in an individual’s medical records held by its GP. However, with the evolution of new and wide-ranging health and fitness based technologies, the question of exactly what this category of health data covers has become an important one. In order that the providers of these technologies can ensure that they are complying with the DPA, they need to have clarity as to the types of personal data that they are handling. For example, is an app that monitors hours of sleep or steps taken considered to be collecting health data?
 
As a result of the uncertainty in this area, the European Commission made a request to the Article 29 Working Party (‘WP29’), an independent group set up under the European data protection Directive to advise on data protection and privacy matters, for clarification of the scope of ‘health data’ in the context of lifestyle and wellbeing apps. The WP29 responded on 5th February this year, with a letter and annex setting out its detailed guidance (‘Guidance’).
 
What is Health Data?
 
In its Guidance, the WP29 acknowledged that health data is one of those most complex areas of sensitive personal data and that the interpretation of this term varies widely between different European Member States. The purpose of its Guidance was therefore to provide some clarity in this hugely complex area, in order to enable providers of health and fitness based apps and devices to better understand their obligations under the DPA.
 
The first category of health data identified by the WP29 is data that is inherently considered to be health data and essentially comprises medical data. This category includes data relating to an individual’s physical or mental health status as generated in a professional healthcare context. For example this will include records relating to medical appointments, diagnosis, illnesses, treatment and other medical history relating to an individual. This category will also include data generated by apps and devices in a professional healthcare context.
 
However, the Guidance is clear that existing interpretations of health data under the data protection Directive go significantly beyond medical records to include, for example, the fact that an individual has broken a limb, wears glasses, has certain allergies, is a heavy smoker or is a member of a support or self-help group such as Alcoholics Anonymous. Other typical examples of health data include data around an individual’s purchases of medical products or devices, data submitted to public authorities in connection with claiming benefits such as disability allowances and data relating to an individual’s participation in health screening.
 
The WP29 makes it clear that ‘ill health’ does not need to be established in order for data to comprise health data. For example, if someone has supplied bodily substances such as blood or urine, for testing, or weight and height data for the calculation of a body mass index reading, the results will be considered health data, whether or not they fall within the healthy limits. Further, the source of data will not affect whether or not it is to be considered health data. For example, the fact that an individual’s weight or blood pressure is measured by a personal app or device, rather than by a medical professional, makes no difference in terms of the categorisation of the data as health data.
 
The Guidance further clarifies that health data will include data relating to an individual’s future health status. For example, if an app is used to predict an individual’s likelihood of developing a particular disease (e.g. predicted cancer or diabetes risk resulting from input data relating to weight, sedentary lifestyle or smoking habits), that prediction, as well as the source data used to make the prediction, will be health data.
 
A further interesting clarification provided by the WP29 is that where an app or device collects seemingly innocuous, raw data over a period of time, this data may be considered health data, particularly where it is combined with additional data sets and / or used for additional purposes. For example, a wristband that monitors basic physical activity such as distance walked, that links with an app tracking food consumption, may be used for the purpose of evaluating an individual’s overall health and well-being over a time period. The data collected will therefore be health data. This is a particular concern for technologies which provide for ‘profiling’ of individuals based on wide-ranging data relating to an their personality, body, mind, habits and even location. The definition of health data will even stretch so far as to cover an app which analyses social media posts to detect individuals suffering from depression.
 
However, the WP29 does recognise that certain, innocuous data collected by health and fitness apps and devices will not be health data. This is generally the case where the data collected does not enable the data controller to draw any form of conclusion about an individual’s health status. For example, if an app simply measures the number of steps taken during a single walk, without combining this information with any other data, this is unlikely to be considered health data. An important consideration is therefore the intended use of the data and whether it can be used to draw conclusions about the user’s health. In general, a single recording of e.g. an individual’s heart rate on its own may not be considered health data. However, the equivalent data collected on several occasions over a period of time, particularly if combined with other data such as age, is likely to enable some form of profiling or the ability to draw conclusions about the individual’s health, rendering both the input data and these conclusions as health data. Interesting, the WP29 identifies that any conclusions drawn do not need to be accurate, legitimate or adequate in order to comprise health data.
 
In summary, the WP29 finds that the wide-ranging categories of health data discussed in its Guidance fall into three key categories of health data for the purposes of apps and devices:
 
  • Data that are inherently or clearly medical data.
  • Data that are ‘raw sensor data’ that may be used alone or together with other data to draw a conclusion about an individual’s health status or health risks.
  • Conclusions drawn about an individual’s health status or health risks, whether or not accurate, legitimate or adequate.
 
The Guidance is very helpful for those that currently, or intend in the future to provide health or fitness related apps and devices. The broad scope of the term ‘health data’ identified by the WP29 means that even the collection of quite basic data relating to an individual’s habits and routines may be enough to comprise health data for the purposes of the DPA.
 
How to Comply
 
Of course, having established that they are processing health data, providers of apps and devices will need to ensure that they are complying with the relevant provisions of the DPA in relation to sensitive personal data. In addition to complying with the general principles for processing any personal data under the DPA, an additional condition must be met in order for the processing of sensitive personal data to be permitted. The most relevant of these conditions to providers of apps and devices is obtaining the explicit consent of their users to the processing of their health data. In order for this consent to be valid, the provider of the app or device will need to notify its users, before they decide to install an app or buy a device, of:
 
  • the categories of personal data that it may process about the end user (including all relevant categories of health data);
  • the purposes for which it may process the personal data;
  • the categories of third parties to whom the personal data may be disclosed (if any); and
  • any other information necessary for the processing of users’ personal data to be fair, which will include any information about the provider’s processing activities that would not be reasonably obvious to the users concerned.
 
Having provided this notice, the provider must obtain the users’ explicit consent to the processing of their personal data as detailed in the notice. An obvious way to deal with this in the context of an app, is drafting a privacy policy, which is made available to the user as part of the app download process and in respect of which the user must click an ‘I accept’ button, prior to downloading the app.
 
Exception to the Application of the DPA
 
The WP29 does identify an exception to the application of the DPA to health data in its Guidance. Essentially in situations where all processing of the health data takes place on the device itself, and no such data is transmitted outside the device, the DPA will not apply. This is because this data is being used purely for the user’s own personal purposes, and is not being processed by the provider of the app or device.
 
Conclusion
 
In summary, the WP29 has identified a very wide scope for the definition of ‘health data’ for the purposes of the application of the DPA to providers of health and fitness related apps and devices. As a result, organisations that develop, manufacture and supply these technologies will need to carefully assess the data that they process. To the extent that this includes any health data, in view of the WP29 guidance, these organisations will need to ensure that they are complying with the DPA and in particular, the provisions in respect of sensitive personal data.