On February 5, 2015, the European Article 29 Data Protection Working Party issued a paper which clarifies the scope of the definition of "Health Data" in relation to lifestyle and wellbeing apps. The paper provides criteria to determine when data processed by such apps and devices constitute health data.
The paper identified three types of health data:
- Data which is clearly medical data (i.e. data regarding an individual’s physical or mental health status within a professional/medical context);
- Raw sensor data that can be used by itself or in combination with other data to draw a conclusion as to the actual health status or health risk of a person (e.g. an app which collects information concerning specific foods eaten, as opposed to a number of steps to be taken); and
- Conclusions that are drawn regarding a person’s health status (irrespective of whether these conclusions are accurate, legitimate or otherwise inadequate).
The paper also notes that whether data qualifies as health data is also a matter of scale. For example, a single registration of a person's weight, blood pressure or pulse/heart rate (if not excessive in absolute terms) does not allow an inference as to the actual or likely future health status of that person. Furthermore, if the data processing only takes place on the device itself, and no personal data is transmitted outside the device, the law will not apply to the user, because the use falls under the exception for purely personal use.
The paper provides for a broad classification of health data, which is not limited to “medical data” in the strict sense of this term. The Working Party also referred to the definition of health data in the Proposed Data Protection Regulation, which indicates several additional categories which fall within the scope of health data.
The Working Party has also clarified the strict requirements that should be taken into account when processing such data (obtaining explicit consent, clear definitions, compatible and legitimate purposes for the data processing, as well as the requirement to implement proper anonymization techniques and other risk-reducing measures, such as privacy by design and data minimization).