Something else your phone knows about you
Data privacy protection was a critical issue that emerged in a consultation on the European Commission green paper on mobile health, published in January 2015. The Commission expressed concerns about inappropriate processing of data collected through m-health apps. In an Economist Intelligence Unit survey conducted in 2014, nearly half the respondents said they shared concerns that their data would not be secure on mobile health devices. Well-publicised incidents have highlighted practices where some apps and personal devices collect more data than is strictly necessary for their own function and do not provide sufficient notice of the uses that will be made of it, including an intention to share data with third parties. Data privacy concerns may present the biggest barrier to the wider take up of e-health apps and services, and companies will need to look for ways to balance the trust equation.
We expect e-health will lead to a renewed emphasis on data minimisation and a focus on the validity of bundled consents to data usage, heightened enforcement and stronger penalties and new conundrums created by cross-border transfers of health data.
E-health will cause regulators to revisit the method and quality of data privacy consents
Personal data in e-health services can include biometric data, physical assessment and test results, medical records and mental health information. In some jurisdictions health data is classified as a separate category of ‘sensitive personal data’ that is the subject of specific, more stringent requirements. For example, certain local data privacy law regimes require an individual’s express consent to collect and process their sensitive personal data, and higher standards of security must also be implemented to protect health data against unauthorised access and use.
The European Commission green paper confirmed that the principle of ‘data minimisation’ proposed to be introduced in the EU would apply to e/m-health; namely, ‘app developers should only collect, process and store the personal data that is absolutely necessary for the purpose of the collection’. This in turn leads to increased demands for e-health providers to be more specific about what data they are collecting.
The method used to obtain consent is also likely to come under closer scrutiny from privacy regulators in the EU and beyond. On the other hand, providers of health apps will have practical concerns regarding how to provide the required information in a transparent and user-friendly way on a small-screen, mobile device.
On this issue, data privacy authorities have become wary of bundled consents, where service providers notify and request consents for a large number of uses of personal data at the same time. Individuals must consent to all purposes notified if they want to receive any part of a service. Privacy authorities are unlikely to allow e-health service providers to ‘compel’ consents from individuals for purposes that are not closely linked to the delivery of the service.
E-health providers will need to allocate resources to devise suitable privacy statements for each product and revisit consent collection mechanisms to avoid potential violations. Standardised general terms and conditions are unlikely to be effective in many cases in the context of e-health services and apps.
New EU data privacy regulation: the new high-water mark
The European Union is discussing a new EU-wide Data Privacy Regulation. The EU Council circulated the most recent draft in December 2014.
Under the draft EU Regulation, consent to process all personal data – not limited to sensitive health data – will need to be unambiguous, explicit, voluntary and revocable. Further processing will generally not be allowed. Opt-out methods of consent probably won’t be acceptable in future either.
This requirement could affect vendors of health apps globally. The territorial scope of the new Regulation is still under discussion. Current proposals would extend the effect of European data privacy rules to data controllers and data processors that operate in the EU, irrespective of whether they are physically located in the EU or where the data is actually processed. The EU Regulation may also apply to data controllers and data processors that operate outside the EU to the extent that they process personal data of EU data subjects.
While the healthcare industry is used to obtaining informed consent for drug trials under drug and device regulations, tech companies and telcos may be less accustomed to the new levels of transparency that will be required.
Potential exemptions for medical research
Under the draft EU Regulation, consent must be purpose specific, and further processing is generally not allowed. However, a limited exemption to permit further processing for scientific research is proposed in the current draft for processing of personal data, which is deemed not incompatible with the purpose(s) for which the data was originally collected (subject to certain safeguards, designed to minimise the use of personal data, such as pseudonymising the data). The recitals to the draft Regulation indicate that allowable scientific purposes would include fundamental research, applied research, privately funded research and public health studies.
Statutory exemptions from the data privacy law requirements for personal data processing could cover certain uses of e-health data in other countries as well. For instance, existing exemptions under the data privacy laws of Singapore and Hong Kong allow the use of personal data for research purposes without notifying the individual concerned or obtaining their consent. This exemption is not limited to private or academic research. It would also include research for profit or commercial activities, if the resulting research does not identify any individual.
Analyse data flows: managing cross-border transfers
M-health apps and wearable monitoring devices could in principle collect data from any location in the world, with data that is not stored locally often being transferred for processing at a central collection point, which may be in a different country to the user. Transferring sensitive personal data requires express consent or another legal justification in many jurisdictions.
In 2014, the US Federal Trade Commission (FTC) analysed health apps. According to the FTC’s report, 12 health apps transferred sensitive personal data to 76 third parties without the users’ knowledge and, without their consent. Non-compliance with data privacy law requirements could lead to high penalties when transferring sensitive personal data abroad.
In France, for instance, the French Public Health Code tightly restricts the storage of health data. Storing health data on cloud-based solutions, for example, needs to be carefully planned and implemented. In the EU, disclosing sensitive information to recipients in countries without an adequate level of data protection is, in general, prohibited. Many companies in the US rely on the Safe Harbour exemptions. However, according to recent discussions of national regulators, this exemption could soon be revoked, which would require US companies to re-evaluate their international data transfer flows and practices.
These are all issues that create significant practical compliance obstacles and that companies will need to work through on an individualised basis, depending on where the data is collected and processed.
Heightened enforcement likely
The Commission reported in its recent public consultation that most respondents favour strong privacy and security principles for m-health. The Commission has said that during 2015 it will come forward with a set of policy responses based on the results of the public consultation. It has also indicated that it will consider a specific code of conduct or guidelines for m-health.
In November 2014, the UK Information Commissioner’s Office (ICO) surveyed practices in the use of data-enabled medical devices and apps. The ICO stated that it was examining the use of medical devices in the healthcare sector and was seeking the views of data protection specialists, among others. The survey included questions asking whether organisations had implemented specific policies and procedures, information governance and incident response processes, and an ‘end of life’ policy for defunct/decommissioned devices.
These are among several indicators that signal a heightened interest on the part of data privacy regulators, which is likely to presage new enforcement.
Some national privacy authorities also recognise that legislative amendments may be needed to introduce specific offences for unauthorised use of sensitive personal data and enhanced standards for data anonymisation and pseudonymisation. Individuals may be more vulnerable to exploitation and discrimination through unauthorised use of their sensitive personal data, compared with personal data in general. For example, in an employment context, disclosing a job applicant’s medical condition to an employer without the applicant’s consent could lead to claims of discrimination.
The Hong Kong Privacy Commissioner for Personal Data (PCPD) has noted the potential issues that the unauthorised use of e-health data in the form of sensitive personal data may trigger and that there is a need to introduce offences such as civil penalties for unauthorised access1 . Under the current Hong Kong Personal Data Privacy Ordinance, the PCPD has powers to issue an enforcement notice to remedy a misuse of personal data. An offence is only committed if the data controller fails to comply with that notice. The PCPD has argued for creating a specific offence to govern the misuse of electronic health record data.
This is one example of likely moves to strengthen enforcement measures and powers available to data privacy regulators to intervene against misuse of e-heath-related personal data.