This month, the Office of the Privacy Commissioner of Canada (“OPC”) has been examining Internet-connected or wireless health devices that collect data on individuals.[1] What the OPC is looking for is whether or not the companies that make, distribute or have access to such devices are compliant with Canada’s privacy legislation, the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”) in order to identify concerns and increase awareness of privacy rights and responsibilities. This article discusses the impact of the OPC’s examination on health technology companies and what they need to be aware of.

Types of Mobile Health Devices and Technologies

While the Privacy Commissioner has indicated a particular interest in reviewing fitness trackers, smart scales and sleep monitors, their review is not limited to these devices. There are many other health-related devices or appliances that collect and transmit data, often by means of an app or software that is integrated with the sensors in the device. “Smart” heart monitors, insulin pumps, contact lenses and implants are already commercially available or in development. These devices provide humans with the ability to monitor their basic physiology, as well as the possibility of enhanced capabilities. For example, Monash University in Australia is developing a bionic eye which uses a digital camera mounted on glasses to capture images which are then wirelessly transmitted to implanted ceramic microelectrodes in the human brain.[2] These innovative technologies could literally make individuals who are blind see again and may be tremendously beneficial for society generally. However, the information that these technologies collect could also be exploited by corporations, governments and hackers for more nefarious purposes, which is why the regulators are aggressively taking action.

Privacy Implications of Connected Health Devices

The OPC has acknowledged that the information generated by human bodies is uniquely personal, and as such it can be highly sensitive. When information is collected and digitized through wearable computing devices and connected with other online and offline information, the impacts on privacy can be profound. While an individual may use health devices for their own medical or recreational purposes, the consequences of misuse of information generated from these devices could be much farther reaching. For example, health related data has the potential to be shared or compiled with other data sources and used to make decisions about an individual’s future insurability, employability or for other discriminatory practices.[3]

One of the main privacy issues with wireless health devices is transparency with respect to how data is used and the inability to obtain meaningful consent. Given the relatively small size of health devices and the sensitivity of the information being monitored, the challenge is to provide users with relevant information at the right time and in a form and format that they can access and understand about how their data will be handled, the privacy risks and the ability of the user to make a choice. Under PIPEDA, the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except in certain limited circumstances. In obtaining consent, the reasonable expectations of the individual are also relevant. The consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting at or before the time of collection. Furthermore, if information is later to be used for a purpose not previously identified, that new use must be identified and consent secured prior to use for the new purpose. Timing is of the essence with respect to Canadian privacy law compliance. In Englander v. TELUS Communications Inc., 2004 FCA 387, the Federal Court of Appeal found that brochures which incorporate details about data activities given out after collection (or even use) cannot be relied upon to determine whether consent was obtained in time.

Another privacy issue with electronic health devices is the potential lack of control that individuals have over their personal information. Once the information is transmitted wirelessly or over the Internet, it may be stored permanently elsewhere or intercepted, without the ability of individuals to delete or correct their information. Principle 4.6 of Schedule 1 of PIPEDA requires personal information to be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. In Nammo v. TransUnion of Canada Inc., 2010 FC 1284, the Federal Court held that an organization’s obligations to assess the accuracy, completeness and currency of personal information used is an ongoing obligation. Principle 4.5.3 of Schedule 1 of PIPEDA states that personal information that is no longer required to fulfil the identified purposes should be destroyed, erased or made anonymous. Personal information needs to be kept secure. Users should have the ability to manage their personal information and this may be difficult to do if the health device data is shared with other parties.

The OPC has also examined online behavioural advertising and found activities related to health issues to be sensitive information that should not be used for the delivery of targeted advertisements without the individual’s express consent. Such was the case in PIPEDA Report of Findings #2014-001, where Google attempted to serve targeted advertisements for medical devices to people conducting searches on sleep apnea.

What This Means for Health Technology Companies

Hardware and software manufacturers, health device retailers, data collectors, cloud service providers, data aggregators, analyzers or any health technology or mobile device companies that handle sensitive personal information related to a person’s health, in particular over the Internet, should ensure that they have put in place these key practices and procedures:

  • obtain meaningful consent at the proper time from the individual whose personal information it is as it relates to the specific types of personal information being collected, how it is stored, used and disclosed to whom and for what specific purposes;
  • provide individuals with the possibility to opt out;
  • review and update websites and other publications, communications, brochures, etc. to provide sufficient information about the data and personal information being handled;
  • maintain and regularly review and update the written privacy policy and make it publically available to ensure all guidelines and regulations are complied with under current Canadian law;
  • develop data retention and security policies for personal information, including developer and staff training;
  • update and expand end user Terms of Service;
  • draft and negotiate contracts with any other parties that may receive, access, store, handle, process, distribute or provide personal information, to ensure adequate contractual protections are in place for Canadian privacy law compliance and information security controls;
  • review any targeted advertising programs that may use personal data; and,
  • integrate privacy principles and safeguards into organizational practices, policies and procedures.