As an increasing number of devices generate health and lifestyle data, data controllers and individuals need to understand when data requires special protection.
What's the issue?
As smart healthcare takes off, an increasing number of devices are generating data relating to health and lifestyle. From apps which tell you how many calories you're burning, to smart nappies which tell you, well, you know what they tell you, to smart carpets which know if a person has a heavy fall, to remote patient monitoring and medication management, this is both one of the most valuable applications of the Internet of Things and the most sensitive in terms of the data it generates, because medical data is sensitive personal data, which is more strictly regulated than other types of personal data. But what type of data should be considered health data? Even the European Commission was unclear and asked the Article 29 Working Party (comprising European data protection regulators) to clarify the issue.
What's the development?
The Article 29 Working Party (WP) has written to the European Commission in response to its request to clarify the scope of the definition of health data in relation to lifestyle and wellbeing apps. After an analysis of different types of health data set against the proposed definition of health data to be used in the new General Data Protection Regulation, the WP summarises health data as being:
- data which is inherently / clearly medical data;
- raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person; and/or
- data setting out conclusions which are drawn about a person's health status or health risk (whether or not they are accurate or legitimate or otherwise adequate or inadequate).
What does this mean for you?
If you process any data which comes within the WP's definition of health data, you will need to treat that data as sensitive personal data and comply with additional obligations under the Data Protection Act 1998, including the requirement to obtain explicit consent.
The WP notes that health data which is processed only on the device itself and is not transmitted outside the device will be covered by the exception for purely personal use. Where health data is processed, the data controller needs to be able to rely on one of the derogations in Article 8 of the EC data protection Directive. With regard to apps and devices which allow for the inference of health data, the WP underlines that the most likely derogation is that of consent. This is also true of data which may only be regarded as health data when combined with location data or other information read from the relevant device. The WP goes on to underline that the principle of transparency is "inseparably connected" to the legal ground of consent. The WP says the data controller must clearly inform users of:
- whether or not the data is protected by any medical secrecy rules;
- how the data will be combined with other data stored on the device or collected from other sources, with clear examples of the consequences of the combination of the data;
- what the purposes of any further processing are; and
- any third parties to whom the data may be transferred.
The WP says that purpose limitation is another key provision. The data controller must define clear, compatible and legitimate purposes of the data processing. The WP also recommends the application of proper anonymisation techniques and other security measures including privacy by design and data minimisation, as recommended in its opinion on apps on smart devices.
The WP finishes by expressing concern that concepts around pseudonymisation, currently being discussed in the context of the proposed General Data Protection Regulation, should not allow a 'lighter touch' regime in relation to pseudonymised data.