In today's data-driven world, businesses are realizing the importance of data in improving their products and services. The digital health industry is no exception, as the value of health data available provides an incredible opportunity to drive product improvement and scale the market.
But, if you are running a business dealing with personal and sensitive data, you may have heard about this word: consent.
When you sign up a user to a platform, app, or similar, there is always a consent checkbox, even if it's the consent to the terms of service and declaring that the privacy policy was read.
This is one type of consent but not the only one.
In this blog article, we will go through this topic from the POV of a digital health startup and try to give you a better understanding of when you should ask for consent and why.
Are you ready to start this journey?
The scenario
Let’s assume we are a digital health startup developing an app and a device tracking blood pressure. We are in the B2B space where hospitals, clinics, and private doctors are our customers. We want to collect and process the data that is input into our app in order to conduct scientific or medical research and to improve our product or service.
Do I always have to ask for consent?
No, you don’t always have to ask for it. It may depend on the categories of data you want to collect and the exact purpose.
While consent is one lawful basis for processing, most of the time, it is not the most appropriate or the easiest to apply, which is why there are many others to choose from, such as:
- The performance of the contract: to supply goods or services requested or to fulfill your obligations under a contract. This also includes steps taken at their request before entering into a contract.
- Compliance with a legal obligation: if you are required by EU law to process the data for a particular purpose, you can.
- Protecting vital interests: you can process personal data if it’s necessary to protect someone’s life. This could be both the life of the data subject or someone else.
- A public task: if you need to process personal data to carry out your official functions or a task in the public interest – and you have a legal basis for the processing, you can. Here we can also find scientific and medical research that can help the public system.Legitimate interest: you can process personal data without consent if you need to do so for a genuine and legitimate reason. Legitimate interest is the most flexible lawful basis for processing. It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a justification for the processing.
Let’s make all of this clearer with an example: if you are a B2B service in a hospital (e.g., a service to analyse X-rays with AI), you probably don't need consent for the processing of patients' data. This is because your client (the hospital in this case) is the Data Controller who chose you as the tool (data processor) to carry out their assessment.
This doesn't mean, however, that you can use the data for a secondary purpose (or use, more on that later) or that you don't have to comply with GDPR - actually, the fact that the hospital is the Data Controller means that they are responsible for assessing that you are GDPR compliant, which they will require you to demonstrate before taking you in as a provider.
If you want to use some of the data to do product/service improvements, you will become the controller for that specific data and for that specific purpose, and thus, you will need to choose the most appropriate legal basis (and exception, if you process health data) for the processing that you want to implement.
Primary and secondary use of data
There are two main uses for data in the healthcare environment (and not only) that go under the name of primary and secondary use:
🔎 Primary use: all the health data that are collected directly from a patient in the context of health and social care provision for the purpose of providing health or care services to that patient.
🔎 Secondary use: the possibility of re-using health data that were collected initially in the context of providing care but which may later be re-used for another purpose. It may be exercised by public entities (including universities and public health laboratories for research purposes), regulators, med-tech companies, and small pharma.
If you want to collect data to test your blood pressure tracking device and train your AI algorithm, these fall under secondary use, and thus, it would require you to implement a system to collect the patients' Explicit Consent.
Let’s clarify one point: in the B2B healthcare space, where consent is not needed for primary use, you would ask for consent only for secondary use. The patient would still be able to use the service (or, more accurately, the hospital would still use the service for their patient), even though you won't be able to use the data for secondary use.
Remember: where someone consents to the processing of their personal data, you can only process the data for the purposes for which consent was given.
What type of consent do I need?
Keeping in mind the scenario we drew, there are two main types of consent available:
- One is Article 6 Consent which applies to all common types of personal data (so, no special categories of data) in general.
- The other is Article 9 Consent, also known as Explicit Consent. This is the one that you need to process special categories of data (sensitive and health data fall into this category). If you want to know more about sensitive data, check out this article.
Health data is considered a special category of personal data under the EU General Data Protection Regulation (GDPR), and as such, there are strict rules governing its collection, processing, and storage.
What if the data is anonymous
If you are processing data already anonymised by an external partner, you won’t need consent to do that. On the other hand, whoever is responsible for the anonymisation must always have consent or a proper alternative legal basis from the patients in order to perform it. In fact, if you perform anonymisation, you will need to access the former source of data - and thus sensitive information such as demographic, pathologies, and other sensitive information.
In any case, keep in mind that achieving pure anonymization is incredibly difficult.
Want to use data for product improvement?
Well, the answer is not that easy. Let’s start by asking ourselves the following questions:
1️⃣ What type of data do I need to improve my app?
This is the first thing you should ask yourself. Do you need analytics to improve the retention and usability of your product/service, or do you want to improve the sensibility and sensitivity of your AI algorithm by collecting health data? If you choose the second way, you will need to get explicit consent from the patients using your product.
2️⃣ Is there a way that you can improve the app without collecting health data?
If it is not necessary, you may not need consent. You could use your legitimate interest for the improvement of your services. For example, you could try to improve the efficiency of your app by keeping track of the time spent on the app and other relevant metrics (which can be considered not sensitive and can be processed under your legitimate interest). Keep in mind that in order to rely on this legal basis, you must verify (and document) that the interests or fundamental rights and freedoms of the data subjects are not heavily impacted.
On the other hand, if it is absolutely necessary for you to collect health data in order to improve the app, then explicit consent is necessary
3️⃣ What is the minimum amount of information that I need in order to achieve this purpose?
Here, the rule is one: don't collect more data than you need to fulfill a certain task (for example, you probably don't need someone's full name to send them online newsletters. You might collect their first name only then, or better yet, just an email address).
A quick tip. Here's an easy way to think about "data minimization:" If you can't justify why you need a piece of data, don't collect it.
Okay, I get it, I’m a data controller, and I need to collect explicit consent. What now?
Now that you figured out if you need (or do not need) explicit consent, you must find a way to inform the users about the purposes for which their data will be used and obtain their clear and specific consent for this use.
Keep in mind that in the B2B space, most of the time, you may not have direct contact with users or patients (the hospital, in this case, is your direct customer). You may need to get creative in order to collect your consent... This is important because you can’t use that data until you can verify and prove that consent has been collected.
Also, remember that obtaining consent is not a one-time event. You should regularly review your data collection and processing practices and obtain fresh consent if you plan to use the data for a new purpose or if there are significant changes to the way you handle the data.
Make sure that your consent request is correctly implemented. To be valid, your consent request should meet these criteria:
Be freely given.
- Be informed.
- Be given for a very specific purpose.
- Be explicit.
- Use clear and transparent language.
- Easy to withdraw.
Moreover, when collecting consent, you should:
- Provide clear and easy-to-understand information about the purpose for which the data will be used.
- Explain who will have access to the data.
- Provide information on how long the data will be kept.
- Give detailed information about the controller’s identity.
- Inform about the existence of the right to withdraw consent and how to do it.
- Insert any other relevant information that the data subjects need to know to make an informed decision.
Ensure that you have appropriate safeguards in place to protect the privacy and security of the health data, including appropriate technical and organisational measures to prevent unauthorised access, use, or disclosure of the data.
How Chino.io can help you
We are the one-stop shop for solving all digital privacy and security compliance aspects.
Successful compliance strategies evolve with you: for this reason, we have kickstart programs for startups developing their digital product. As a partner of our clients, we combine regulatory and technical expertise with a modular IT platform that allows digital applications to eliminate compliance risks and save costs and time.
Chino.io makes compliant-by-design happen faster, combining legal know-how and data security technology for innovators.
To learn more, contact us and book a free 30-minute call with our experts.