In a recent letter sent to the European Commission (the Commission) in a response to a request to clarify the scope of the definition of health data concerning lifestyle and wellbeing apps, the EU Article 29 Data Protection Working Party (WP29) has provided criteria, as set out in an annex to the letter, to determine when data processed by apps and devices constitutes health data for data protection purposes.
Under the existing EU Data Protection Directive (the DPD), health data qualifies as a special category of data requiring a higher level of data protection – the processing of this data is prohibited unless an exception applies.
However, the DPD doesn’t define what constitutes health data. The increased development of lifestyle and wellbeing apps, whose very function is to collect and process personal data, but which may or may not constitute health data, has brought this issue to the forefront in the present context. In addition, as noted by WP29, the delayed proposed EU Data Protection Regulation (the DPR) also addresses the issue.
WP29, recognising the complexity and difficulties of this area and acknowledging the many grey areas, identifies what it considers to be three types of personal data that qualify as health data, summarised as follows:
- Medical data – data that are inherently/clearly medical data;
- Raw sensor data – data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person; and,
- Conclusions data – data where conclusions are drawn about a person’s health status or health risk, irrespective of whether these conclusions are accurate or inaccurate, legitimate or illegitimate, or otherwise adequate or inadequate.
WP29 recognizes that it may not always be necessary for lifestyle and wellbeing apps to transmit any data outside of a device, and that if the data processing only takes place on the device itself, and no personal data are transmitted outside the device, the data protection rules won’t apply to the use due to the exception for purely personal use under the DPD.
Consent is of course a key issue in all of this. According to WP29, if a data controller collects data through an app or a device, and it concerns apps with a medical purpose, such as apps through which patients can share data on symptoms and compare which treatments work best for them, or, where health data can be reasonably inferred from the data tracked by the application, such as apps to track food and exercise in an effort to lose weight, a data controller will have to rely on a derogation from the general prohibition in the DPD of the processing of personal health data. With regard to apps and devices that allow for the inference of health data the most likely derogation is explicit consent.
Further, many lifestyle apps and devices also process location data and read data collected through one or more sensors on a mobile device. According to WP29, even if the wellbeing data collected through the app are not to be regarded as health data, because a person’s health status cannot be determined from the data, the combination with location data or other information read from the device would still make it necessary for a data controller to obtain the unambiguous consent of a person/the data subject, as required under the DPD in combination with the requirements of the EU ePrivacy Directive.
For WP29 the principle of information transparency is inseparably connected to consent. To this end a data controller must clearly inform users whether the data are protected by any medical secrecy rules or not. Further information must also be made available as to whether the data will be combined with other data stored on the device or collected from other sources and clear examples of the consequences of such combination of data, what the purposes are of further processing, and, to what third parties the data may be transferred. This information must be made available in a clear and easily accessible manner before users decide on installing apps or buying devices, including before downloading the app.
When the processing involves health data, further processing for different purposes, i.e. outside the professional health care domain, is strictly limited. Here a data controller must define clear compatible and legitimate purposes of the data processing.
Needless to say, WP29 also advises on the use of proper anonymisation techniques and other security measures, including privacy by design and data minimisation.
Finally, WP29 expresses its support for the amendments proposed by the European Parliament to the DPR requiring a strict consent requirement for the processing of personal health data which is necessary for historical, statistical or scientific research purposes, along with the European Parliament’s proposed exceptions to this requirement of explicit consent where the research serves high public interests, cannot possibly be carried out otherwise, and other safeguards are applied.
Having something now in the way of guidance when addressing the issue of health data and data protection is welcome, especially when put in the context of the continued growth in use of health apps and devices, but given the complex nature of this field a continued incremental and cautious approach is likely, even when the DPR is finally adopted should that day finally come !
Andre Bywater and Jonathan Armstrong are lawyers with Cordery in London where their focus is on compliance issues.
Andre Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784