According to the EU Commission, Mobile Health (mHealth) covers health practice supported by mobile devices, monitoring devices, and other wireless devices. To deliver such practices, applications that belong to mHealth categories, such as fitness tracking apps, medical reference apps, and nutrition apps, collect data about users’ health status, lifestyle activity, physiological status, geo positioning, genetics, and much more.
According to EU Data Protection Directive, those kinds of data used by mHealth apps are classified as “sensitive” and require a higher level of data protection, in addition to collecting consents from users and send notifications to Data Protection Authorities (DPA). Sensitive data includes also those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
Although this classification seems clearly defined, it is not always easy to understand if data collected by an app belong to sensitive data category or not. For example, in the case of health tracking apps, the classification is extremely challenging.
What is exactly health data?
According to the definition given by Article 29 Data Protection Working Party, an independent UE body with advisory status, health data (in relation to mHealth) is:
- medical data providing information about the physical or mental health status of someone (the data subject), generated in a professional medical context;
- raw data collected by apps or devices that can be used to induce, individually or aggregated with others, someone’s health status or health risk;
- data that in general permit to induce someone’s health status or risk independently form accuracy, legitimacy or adequacy of this induction.
This definition covers a broad range of apps, from medical references, nutrition, to diagnostics and fitness tracking application.
The ultimate guide on GDPR and HIPAA complianceDownload our FREE eBook now
When do fitness tracking apps manage sensitive data?
According to EU Commission’s Green Paper on mHealth, fitness tracking apps are meant to maintain or improve healthy behaviors, quality of life and well-being of individuals.
Sometimes it’s extremely difficult to understand whether or not such apps collect sensitive data. The Article 29 Working Party gives an example of a fitness tracking app that would count the number of steps during a single walk. The Article states that, if those data cannot be combined with other data about the same data subject, and if the specific medical context in which this app is used is not available, then the collected data do not require the extra protection as a special category of health data. In this case, according to the Article, these data are just raw, relatively low impact lifestyle personal data (if the app does not include the location data) and the knowledge about that persons’ health cannot be inferred from them.
However, collected raw data can be easily combined with other datasets and become sensitive data. In doubt cases, the notion of what constitutes health data should be created broadly: any data related to a person’s physical and mental health could be sensitive if the circumstances surrounding the data collection and processing suggest they are.
In fact, the latest Article 29 Working Party’s Opinion points out that the assessment must be done only on a case-by-case basis. Fitness data generated in the medical context that can lead to inferring other health information will be surely considered health/sensitive data. For example, data about our jogging activity may not be considered sensitive. However, when this data is combined with heart rates, or when it is analyzed and compared with data from other people, it can reveal sensitive information about our ability to perform a stressful activity. For example, an insurance company could infer that we fall into a category of people having higher propensity to face some health issues, thus increasing our insurance or denying our request. In addition, fitness tracking apps supporting our jogging activity usually collect also geo-positioning data, making them by default sensitive.
The diagram below shows the relations between different categories of data managed by mHealth and fitness tracking apps.
Outlook: the EU General Data Protection Regulation
The proposed EU GPDR is pending approval and it is extensive (but not exhaustive) about health data definition. According to it, health data are all data related to the health status of a data subject and it’s collected for the purpose of deducting health status of someone, such as:
- information about the registration of the individual for the provision of health services;
- information about payments or eligibility for health care with respect to the individual;
- a number, symbol or particular sign assigned to an individual to uniquely identify the individual for health purposes;
- any information about the individual collected in the course of the provision of health services to the individual;
- information derived from the testing or examination of a body part or bodily substance, including biological samples;
- identification of a person as provider of healthcare to the individual;
- any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.
As we can see, the GDPR embraces a broad set of data within the health category, including the fitness tracking apps.
Does my app/service need to be complied with Data Protection laws?
Collecting sensitive data does not necessary implies the need to be complied with requirements related to sensitive data management. In order to understand if you must comply with, you must answer the following question:
- How and where collected data is processed?
This decision tree aims at helping to answer this question and understanding if your app needs to comply with data protection requirements.
First of all, developers must understand if they do or do not collect sensitive data within their apps:
- if an app does not collect sensitive data, data controllers must only implement norms about personal data protection, that is a lower level of protection;
- if an app collects sensitive data, data controllers must understand how they are processing collected data:
- if data is not transmitted outside the device, then there is no need to comply with strict requirements.
- if data is processed also (or only) outside the device, developers must comply with Article 8 (2), (3) and (4) of the Data Protection Directive, and implement all administrative and technical requirements.
It is important to note that storing users’ health data within (mobile) devices do not simplify security issues. Developers should use devices' secure storage for storing sensitive data and ensure a sufficient protection. Although storing data on a device can facilitate the deletion in the case of grants revoking or app deletion, a client-server architecture is safer in the case of device thefts or damages. Losing the device implies also losing sensitive data.
Wondering if the data your apps collect need to be complied with Data Protection laws? Let’s take a compliance test.
How to achieve Data Protection law compliance?
From a technical point of view, they must implement safeguards for data transmission, storage and proper management procedures for collecting data. To facilitate satisfying all those requirements we offer to developers a cost effective, simple to use, and secure service that is fully compliant with current EU laws and guidelines for health data management.
For more information about all obligations see our analysis in another post: tips for achieving privacy law compliance.
The ultimate guide on GDPR and HIPAA complianceDownload our FREE eBook now
You may also be interested in
- Dynamic IP addresses are now "personal data": why you should care about it (Chino Blog)
- EU General Data Protection Regulation
- Art. 29 Data Protection Working Party - Guidelines on Data Protection Officers
- Handbook on European data protection law
- Activity of the Data Protection in 2014 (Itialian)
- Cosa pensano gli italiani in Rete dell’mHealth (Italian)
- Cyber risk the most serious threat to business
- Cyber attacks major concern for small business owners
- Small firms need cybersecurity companies that can provide affordable solutions
- NIS directive: More cybersecurity for eHealth
- EU Data Protection Supervisor: Opinion 1/2015 on Mobile Health
- ENISA: Security and Resilience in eHealth Infrastructures and Services