As smart healthcare takes off, an increasing number of devices are generating data relating to health and lifestyle. From apps which tell you how many calories you're burning, to smart nappies which tell you, well, you know what they tell you, to smart carpets which know if a person has a heavy fall, to remote patient monitoring and medication management, this is both one of the most valuable applications of the Internet of Things and Big Data and the most sensitive as much of the data Connected Health or m-health generates will be medical data which is sensitive personal data and is more strictly regulated than other types of personal data.
The justifications for processing sensitive personal data are narrower than for processing other personal data and the most commonly available one will be that the processing is being carried out with the consent of the person providing it – the data subject. Given these stricter requirements, it is essential to be able to distinguish between the different types of personal data being collected but what type of data should be considered as health data? Even the European Commission was unclear and asked the Article 29 Working Party (comprising European data protection regulators) to clarify the issue.
In response, the Article 29 Working Party (WP) wrote to the European Commission earlier this year to clarify the scope of the definition of health data in relation to lifestyle and wellbeing apps. After an analysis of different types of health data set against the likely definition of health data to be used in the proposed General Data Protection Regulation (GDPR), the WP summarised health data as being:
- data which is inherently / clearly medical data;
- raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person; and/or
- data setting out conclusions which are drawn about a person's health status or health risk (whether or not they are accurate or legitimate or otherwise adequate or inadequate).
The WP notes that health data which is processed only on the device itself and is not transmitted outside the device will be covered by the exception for purely personal use.
Where health data is processed, the data controller needs to be able to rely on one of the Article 8 (of the EC data protection Directive) derogations. With regards to apps and devices which allow for the inference of health data, the WP underlines that the most likely derogation is that of consent. This is also true of data which may only be regarded as health data when combined with location data or other information read from the relevant device.
The WP goes on to stress that the principle of transparency is "inseparably connected" to the legal ground of consent. The WP says the data controller must clearly inform users of:
- whether or not the data is protected by any medical secrecy rules;
- how the data will be combined with other data stored on the device or collected from other sources and give clear examples of the consequences of the combination of the data;
- what the purposes of any further processing are; and
- any third parties to whom the data may be transferred.
The WP says that the purpose limitation is another key provision. The data controller must define clear, compatible and legitimate purposes of the data processing. The WP also recommends the application of proper anonymisation techniques and other security measures including privacy by design and data minimisation, as recommended in its Opinion on apps on smart devices.
The WP finishes by expressing concern that concepts around pseudonymisation, currently being discussed in the context of the proposed GDPR, should not allow a 'lighter touch' regime in relation to pseudonymised data.
The European Data Protection Supervisor (EDPS) has also recently published an Opinion on 'Mobile Health – reconciling technological innovation with data protection'. The Opinion is aimed at all stakeholders including app developers, app stores, device manufacturers and advertisers.
Chief among the recommendations of the EDPS are:
- the EU legislator should, when making future policy, foster accountability and allocation of responsibility of those involved in the design, supply and functioning of apps;
- app designers and publishers should use privacy by design and by default, designing products in such a way as to increase transparency and avoiding collecting more data than required to perform the expected function;
- Big Data collected from m-health should only be used to the benefit of the individuals. Practices like profiling, which might be detrimental, should be avoided; and
- the legislator should enhance data security and encourage the application of privacy by design and default.
The EDPS does not say anything particularly new or radical in this Opinion but follows the general trend towards the concepts of embedded privacy as the default. As with the WP Opinion, the emphasis is on user transparency and control and ensuring that data is not used for wider purposes than provided. The EDPS acknowledges the potential value of Big Data in the health sector provided it has a positive impact, or at least no negative impact, on the individuals concerned. The Opinion also sets out particular applications of data protection to m-health and is a useful guideline in that respect. It also looks forward to the probable impact the GDPR will have in this sector.
As a follow up to its m-health green paper, the European Commission is laying the groundwork for an industry-led code of conduct for mobile app developers in relation to privacy and security as consumer trust is seen as a vital ingredient in the development of the market. The Commission is also intending to respond to business demand for guidelines or standards for quality criteria of lifestyle and wellbeing apps. The Commission intends to set out policy plans in more detail later this year.
Of more wide ranging importance will be the GDPR. Originally published by the Commission in early 2012, the GDPR, which will introduce a new, harmonised European data protection law, has just entered the trilogue stage. This is the point at which the Commission, the European Parliament and the Council agree a final version of the law. Only once a compromise has been reached can the GDPR progress but there is considerable political will to push this through, not least because it is urgently required to bring data protection law up to date and in line with new technologies like those in the Connected Health sector.
The GDPR is likely to enshrine the concept of privacy by design and default into law. It is also expected to introduce a number of new rights including to prevent profiling, to allow data portability and the right to be forgotten online. The GDPR will also clarify what is meant by consent. All of these factors are going to be relevant to those collecting personal data through Connected Health, whether or not it is sensitive personal data, and stakeholders would be well advised to take the GDPR into account even though it is not yet in force.
Dos and don'ts
- conduct a privacy impact assessment before you begin to process personal data;
- include privacy by design and default in devices and apps;
- anonymise data wherever possible;
- determine whether the data is health data in which case you will need to treat that data as sensitive personal data and comply with additional obligations under the Data Protection Act 1998, including the requirement to obtain explicit consent;
- be as transparent with the individual as possible about what you are doing with their data;
- give the individual as high a level of personal control over their data as possible;
- make sure the data is secure.
- hold on to data for longer than you need it;
- transfer data to third parties without appropriate consents and safeguards;
- use the data for purposes which may be harmful to the individual like profiling;
- use the data for any purpose beyond the scope of its original lawful collection.