According to the EU Commission, mHealth (Mobile Health) covers health practice supported by mobile devices, monitoring devices, and other wireless devices. Digital health applications include fitness tracking apps, medical reference apps, and nutrition apps, collecting data about users’ health status, lifestyle activity, physiological status, geo-positioning, and genetics.
According to the EU Data Protection Directive, data used by mHealth apps is classified as “sensitive” and requires a higher level of protection. Sensitive data includes information about racial or ethnic origin, political opinions, religious or philosophical beliefs, or health.
Classification is clear, but sometimes it is difficult to determine if data is sensitive or not. Let's use the classification of health tracking apps as an example.
What is health data?
According to the definition given by the Article 29 Data Protection Working Party, an independent EU body with advisory status, health data (in relation to mHealth) is:
- medical data providing information about the physical or mental health status of someone (the data subject), generated in a professional medical context.
- raw data collected by apps or devices that can be used to infer, individually or aggregated with other data, someone’s health status or health risk.
- data that in general permits inferring someone’s health status or risk, independently of the accuracy, legitimacy or adequacy of this inference.
This definition covers a broad range of apps, from medical reference and nutrition apps to diagnostics and fitness tracking applications.
What is sensitive data?
According to the EU Commission’s Green Paper on mHealth, fitness tracking apps are intended to maintain or improve healthy behaviors, quality of life and well-being of individuals.
In practice, it is difficult to discern whether or not such apps collect sensitive data. A fitness tracking app that counts the number of steps during a single walk is not storing sensitive data if that data cannot be combined with other data about the same data subject and if the specific medical context in which the app is used is not available. In this case, the data is just raw, relatively low-impact lifestyle personal data (if the app does not include location data), and knowledge about that person’s health cannot be inferred from it.
However, collected raw data can be easily combined with other datasets and become sensitive data. In doubtful cases, the notion of what constitutes health data should be approached broadly: any data related to a person’s physical and mental health could be sensitive if the circumstances surrounding the data collection and processing suggest it is.
In fact, the latest Article 29 Working Party’s Opinion points out that the assessment must be done only on a case-by-case basis. Fitness data generated in a medical context that can lead to inferring other health information will surely be considered health/sensitive data.
For example, data about our jogging activity is not considered sensitive. However, when this data is combined with heart rate, or when it is analyzed and compared with data from other people, it can reveal sensitive information about our ability to perform a stressful activity. For instance, an insurance company could infer that we fall into a category of people with a higher propensity to face some health issues, and so increase our insurance or deny our request. In addition, fitness tracking apps supporting our jogging activity usually also collect geo-positioning data, making them sensitive by default.
The diagram below shows the relations between different categories of data managed by mHealth and fitness tracking apps.
Outlook: the EU General Data Protection Regulation
The proposed EU GDPR is pending approval, and its definition of health data is extensive (but not exhaustive). According to it, health data is all data related to the health status of a data subject that is collected for the purpose of deducing someone's health status, such as:
- Information about the registration of the individual for the provision of health services.
- Information on payments or eligibility for health care with respect to the individual.
- Unique set of numbers or symbols assigned to an individual.
- Any information about the individual.
- Information derived from the testing or examination of a body part or bodily substance, including biological samples.
- Identification of a person as a provider of healthcare to the individual.
- Any information on a disease, disability, medical history, clinical treatments, or the actual physiological or biomedical state of the data subject independent of its source, such as a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.
The GDPR embraces a broad set of data within the health category, including fitness tracking apps.
Does my app or service need to comply with Data Protection laws?
Collecting sensitive data does not necessarily imply the need to comply with requirements related to sensitive data management.
Use this decision tree to determine what you need to do:
- If you do not collect sensitive data, then choose a lower level of protection. As a data controller, you must implement only the norms on personal data protection.
- If your app collects sensitive data, then choose one of the following:
  - If data is not transmitted outside the device, then there is no need to comply with strict requirements.
  - If data is also (or only) processed outside the device, developers must comply with Article 8 (2), (3) and (4) of the Data Protection Directive, and implement all administrative and technical requirements.
Developers must use secure storage for sensitive data and ensure sufficient protection. Although storing data on a device can facilitate deletion when grants are revoked or the app is deleted, a client-server architecture is safer in the case of device theft or damage. Losing the device also means losing the sensitive data.
How to be GDPR compliant?
From a technical point of view, developers must implement safeguards for data transmission and storage, and proper management procedures for collecting data. To make it easier to satisfy all those requirements, we offer developers a cost-effective, simple-to-use, and secure service that is fully compliant with current EU laws and guidelines for health data management.
For more information about all obligations see our analysis in another post: tips for achieving privacy law compliance.