As the functionality and appearance of wearable devices improves, users are becoming ever keener to engage in the self-profiling offered, recording details of their physical activity, sleep patterns and diet, sharing this data on social media and comparing it with their peers. The data derived from the use of these wearable devices (“mHealth Data”) is rich and informative, has many applications and is therefore considered to be commercially valuable. When applied to life sciences and healthcare, this data has the potential to lead to cheaper and more effective medical research, but also to permit enhanced patient management and treatment as well as the deployment of medical care remotely. However, in order to be usable, mHealth Data must be lawfully collected.
As mHealth Data will normally include information in relation to a data subject’s physical or mental health, it will be likely to be viewed as ‘sensitive personal data’ under the current EU Directive and implementing legislation and therefore subject to more rigorous obligations in relation to its collection and processing. As such, a data subject’s prior consent will need to be obtained to the processing of mHealth Data for it to be lawfully processed, unless an exemption applies. The circumstances in which consent will not be required include those where processing is required for preventive medicine, medical diagnosis, provision of care or treatment or the management of health care services where processing is carried out by a healthcare professional or person subject to equivalent obligations of secrecy. These exemptions are not however widely construed and consent is required more often than not.
According to the Information Commissioner, the consent to data processing currently required must be express and given with knowledge of: (i) the specific processing details; (ii) the type of information (or even the specific information) to be processed; (iii) the purposes of the processing; and any special aspects that may affect the data subject, such as any disclosures of the data that may be made to third parties.
This requirement causes significant issues in the context of mHealth Data. Owing to the inevitably small screen size of most wearables, it is practically difficult to provide users with even the briefest of privacy statements on the devices themselves, let alone the information required by the legislation. The requirement that users are informed of all the proposed uses of their data when it is collected (notwithstanding the practical difficulties) provides further problems. The commercial value of mHealth Data lies largely in its potential for multiple uses – some of which will not be knowable on the data being collected. It won’t work for all the potential uses of the data to be set out in brief either – each potential use of the data must be clearly explained to the data subject or the data will not be lawfully collected. Collectors of mHealth Data also cannot lawfully compel their users to give detailed consent in return for access to services, unless the relevant data is required for the proper provision of the services offered.
The GDPR will bring even more stringent rules regarding consent, further narrowing the circumstances in which it can be viewed as properly given. Under the GDPR, consent to the collection of mHealth Data must be freely given by a clear affirmative action, unambiguous, revocable, informed, specific and, in the case of sensitive data (referred to in the GDPR as "special categories of data"), explicit. This raises the bar significantly for mHealth Data.
However, the GDPR eases the burden in other ways. It applies less stringent rules on data collectors in relation to personal data which is processed by them in such a way that it can no longer be attributed to data subjects without the use of additional and separately kept information. In addition, the exemptions to the processing of personal data without the data subject’s consent have been widened to include data processing for scientific (research) purposes, and data processing for health purposes is permitted for important grounds of public interest. This provides greater flexibility for organisations involved in data processing for scientific research and public health reasons.
The requirement under the GDPR that data controllers adopt the principle of privacy by design in relation to the technology used to collect personal data may also assist collectors in complying with obligations in relation to consent in respect of mHealth Data. Wearables and associated applications which permit users to more easily give and withdraw their consent to data processing on a granular basis, manage the dataflow between themselves, data collectors and third parties and receive notifications of transparent privacy information from controllers, will not only assist with compliance but also inevitably give users of wearables more confidence in the ability of those who process their data to do so lawfully and securely. Consequentially, GDPR is likely to necessitate a greater level of collaboration between data controllers and device manufacturers (where these are not the same entity) to ensure that devices and wearables are designed and built to the principle of privacy by design and compliance with the GDPR in mind.