Whether you were watching Jools Holland, the fireworks or out on the town on New Year’s Eve, I imagine that when the clock struck midnight you joined millions of others in celebrating and later proclaiming your resolutions for a healthier 2015. You may have even decided to do ‘Dry January’ or, as I called it, Dryer January.

For many gyms, January is the busiest month for new memberships, with attendance slowly dropping as resolutions are broken. New gym goers this year, however, have a helping hand thanks to the ever-growing prominence of the fitness app and wearable technology. At the recent Consumer Electronics Show in Las Vegas there was an obvious focus on fitness and wellbeing, with many fitness-focussed wearables on show. These now track almost anything from sleep patterns and heart rate to glucose levels.

Take Jawbone for example. The third generation of their ‘UP’ fitness band is due to be released imminently and, as of today’s date, is described by Jawbone on its website as “the most advanced activity tracker known to man” able to “give you the full picture of your health”. The band will use electrical contacts pressed against the skin (as well as the more common accelerometer which detects activity) to measure resting heart rate and respiration rate, amongst many other things, and wirelessly sync your data to the UP app on your smartphone.

Apple’s new ‘Health’ app provides an easy-to-read dashboard displaying your health and fitness data. It aims to be a universal repository for personal health data and allows other apps to be connected to it, including MyFitnessPal, Map My Run and Nike+ Running. And there are many, many more fitness and health apps and wearables that I do not have time to mention here.

But it’s not the wearables and apps that are potentially revolutionary; it’s the data they collect and the subsequent use and analysis of that data. The analysis of the data should result in advice that helps users adjust their behaviour and improve their overall health and fitness. Before that advice can be given, however, the data from an app or wearable is uploaded to a developer’s servers for analysis. This data can either be processed positively to provide new and innovative services to a user, or be processed in a manner which may be either unknown or unwanted by that user e.g. shared with advertising platforms or data brokers. The latter is, of course, a serious privacy concern for many consumers.

Whilst some of the best known apps are developed by major technology companies, many are designed by small start-ups and some app developers are unaware of data protection requirements. In 2012, The Future of Privacy Forum (a think tank based in Washington, DC) found that only 61.3% of the top 150 apps had a privacy policy.

A lack of transparency by app developers regarding the manner in which data is being processed by their apps and wearables means many consumers are completely unaware of who has access to their data and what it is being used for. In many cases, this lack of transparency constitutes a breach of the Data Protection Act 1998 (DPA) by developers. The DPA exists to protect ‘personal data’, which is data relating to living individuals who can be identified from that data, or who can be identified from that data and other information which is in the possession of, or is likely to come into the possession of, a ‘data controller’ (a party to whom personal data is sent who decides how it is to be processed). It is easy to see how much of the data collected by a fitness app or wearable could be classified as personal data. 

Data controllers must comply with a number of data protection principles under the DPA, e.g. data must be processed fairly and lawfully; data must be adequate, relevant and not excessive in relation to the purposes for which it is processed; data must not be kept for longer than is necessary, etc. Fitness apps can satisfy many requirements under the DPA by setting out, in writing, how they process user data and seeking the consent of end-users for such processing, especially if the data is going to be used for purposes that are not particularly obvious, such as direct marketing. Some data, i.e. ‘sensitive personal data’ (for example, personal data consisting of information about the data subject’s physical or mental health or condition), requires special treatment. Obtaining the explicit consent of a user is a necessity when a health or fitness app is processing sensitive personal data.

Fitness app developers must make it clear to end-users exactly who the data controller is with regard to their fitness apps. There are often many parties in the app ecosystem - app developers, app owners, OS and device manufacturers, analytics providers and other third parties. However, most of these parties will be ‘data processors’ (who are responsible for processing data on behalf of data controllers), as opposed to the ultimate data controller.

Knowing the identity of the data controller is key in the event that the DPA is breached and an end-user’s personal data has been processed illegally. Breaches of the DPA can result in criminal and civil liability for data controllers, as well as adverse publicity. The Ministry of Justice, for example, was fined £180,000 last year by the Information Commissioner’s Office for serious breaches of the DPA.

No doubt mindful of the issues set out above, Apple’s Health app has taken a pro-active role in respect of data security. It prohibits third-party apps from connecting to it if they sell data to, or share data with, advertising platforms, data brokers or information resellers, and it will not connect to any app which does not have a privacy policy. Not all apps are this pro-active.

It would be unthinkable for a doctor to sell information about her patients to a third party, so why is our approach to health and fitness apps so different? As these apps become more and more sophisticated, the data they collect and store will read increasingly like our medical records. So, the next time you download the hottest new fitness app in pursuit of that New Year’s resolution, make sure you check whether it has a privacy policy and consider whether you are happy, as the owner of the personal data, with what data is being collected by the app and how it is being used.