Following a request by the European Commission, the Article 29 Working Party has published a letter with the purpose of clarifying the scope of the definition of health data in relation to lifestyle and wellbeing apps. The Annex to the letter sets out criteria to determine when data processed by such apps and devices will be considered to be health data.
The classification is important to data controllers as a higher level of protection applies to the processing of health data, which is regarded as "sensitive personal data" under the Data Protection Directive (95/46/EC).
What is "health data"?
The Working Party, in the Annex to the letter, describes the broad scope of health data and recognises that non-health data, when used or processed in a particular way or combined with other data, can become health data.
In summary, the Working Party has narrowed down the criteria such that data will be considered health data when:
- the data is inherently/clearly medical data;
- the data is raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person; or
- conclusions are drawn about a person's health status or health risk (irrespective of whether these conclusions are accurate or inaccurate, legitimate or illegitimate, or otherwise adequate or inadequate).
This will be important for those who develop, sell and host certain "lifestyle" apps to bear in mind. These apps may initially gather personal information pertaining to a individuals' lifestyle, such as the person's eating and exercise habits, which may not itself considered to be medical/health information. However, if that information is aggregated with other facts about a person that would enable conclusions to be drawn about the person's health over time, such as their possible risk to diabetes or obesity-related diseases, then the information may be considered "health data" and therefore subject to stricter data privacy requirements.
Exceptions to the prohibition on the processing of "health data"
If a data controller collects health data from the device, the data controller will need to rely on an exception to the prohibition in order to collect and process such data.
The most obvious and common exception is explicit consent, and the Working Party stressed the importance of users being provided with clear and prior information about the well-defined purposes of the processing in order to provide legitimate consent. Such information should be made available in a clear and easily accessible manner before users decide to download and install an app or buy a device.
In the context of lifestyle apps, the need for explicit consent could present practical challenges for data controllers particularly in terms of (i) balancing the need to give individuals sufficiently clear information relating to the data collected by the app to meet the Directive's "fair processing" requirements whilst maintaining flexibility regarding the purposes for which the data will be used; and (ii) obtaining updated consents if the purposes for which the data is used change over time.
Further processing of "health data" for historical, statistical or scientific research purposes
In light of the discussions surrounding the draft General Data Protection Regulation currently in consideration, the Working Party took the opportunity to address the current rules and the proposed exception for further processing of health data for historical, statistical or scientific research purposes.
The Working Party has called on the European Commission to ensure that under the General Data Protection Regulation, the further processing of health data should only be permitted after the explicit consent of the user has been obtained, or if the narrow exceptions defined by the European Parliament apply.