There is a proliferation of wearable technology as mainstream consumer products. The ways in which these new technologies record, quantify and track our physical parameters are unprecedented. For example, apps for Apple and Android devices, synced with sensors in wearables and smartphones (typically over Bluetooth), offer medication reminders, fertility cycle tracking, blood glucose monitoring and even ECG monitoring. This is a trend known as the 'quantified self'.
This means that wearables and smartphones now serve as mechanisms for storing vast amounts of personal information, and there are concerns that companies may be at risk of breaching privacy protection laws by using and commercialising that personal information.
1. Collection of personal or sensitive information
The extent to which privacy compliance will affect wearables and apps will depend on whether their operation involves the collection, use, handling or processing of Personal Information or Sensitive Information.
- Personal Information is broadly defined under the Privacy Act 1988 (Cth) as information or an opinion about an identified individual or an individual who is reasonably identifiable from that information. There is no requirement that information be "private" or "confidential" to fall within the scope of Australian privacy laws.
- There is also a risk that data collected by wearables or health apps could constitute Sensitive Information, which includes health, genetic or biometric information about an individual, or information about an individual's race, ethnicity, religious beliefs, sexual preference or practices, or criminal record.
As a general rule, medical and health technology companies should always ask whether the collection of a given type of information is necessary. In basic terms, if data is not collected, that part of the wearable device's functionality is not subject to the Privacy Act.
2. Different forms of using and commercialising "wearable data"
Given the commercial, clinical or other value of collecting and analysing data, we are seeing rapid developments in the commercialisation of data collected from wearables and mobile phone apps. Relevant examples include:
- In December 2014, the University of New South Wales announced a new project which aims to make these devices secure and trusted enough to transfer the information collected into the mainstream healthcare system.
- Secure, remote medical monitoring would assist practitioners to improve diagnosis and care for their patients at a significantly reduced cost. However, security is still a vital concern that must be dealt with before wearable data can be employed on a large scale by the healthcare system.
- AIA Australia offers life insurance premium discounts as a reward for customers who take part in the AIA Vitality Program and share their wearable data.
  - Members earn "vitality points" by providing the results of their AIA Vitality health review, as well as proof of exercise (in the form of pedometer results from their Fitbit devices).
  - Whilst health insurers are prohibited from offering cheaper insurance to "healthier" customers, the Vitality program is a community program to tackle a "chronic illness epidemic" which will ultimately lower health premiums.
- Medibank Private has also developed a program that encourages customers to share their wearable data.
  - Customers who provide proof from their wearable device of walking 10,000 steps per day will receive the equivalent of $100 worth of Flybuy points.
  - Medibank issued a statement in late 2014 confirming that it did not use the wearable data to adjust pricing or deny services.
- In general, more insurance companies are moving towards individualised risk assessment and risk profiling, and, conceivably, this "wearable data" could one day affect how insurance premiums are calculated.
3. Confidentiality and security implications - full extent unknown
Given that the wearables market is still developing in Australia, the full extent of the privacy, confidentiality and security implications of data collected by wearables will not be known for some time.
- For example, researchers at UK-based Context Information Security (CIS) have demonstrated how easily the Bluetooth Low Energy (BLE) signals transmitted by mobile and wearable devices can be monitored and recorded.
- The CIS research indicates that, even with basic hardware or a smartphone, it could be possible to identify and locate a particular device within 100 m in the open air. This raises confidentiality concerns, particularly for celebrities, politicians and other prominent individuals.