GDPR for digital health: developing EU privacy-compliant apps

According to the EU Commission, mHealth (Mobile Health) covers health practices supported by mobile devices, monitoring devices, and other wireless devices. Digital health applications include fitness tracking apps, medical reference apps, and nutrition apps, collecting data about users’ health status, lifestyle activity, physiological status, geo-positioning, and genetics.

Under the EU Data Protection Directive (95/46/EC), the data used by mHealth apps falls into the “special categories” of personal data, commonly called sensitive data, which require a higher level of protection. Sensitive data includes information about racial or ethnic origin, political opinions, religious or philosophical beliefs, and health.

The categories themselves are clear; what is often difficult is deciding whether a given piece of data falls into one of them. Let's use the classification of health-tracking apps as an example.

What is health data?

According to the definition given by the Article 29 Data Protection Working Party, an independent EU advisory body, health data (in relation to mHealth) is:

  • medical data providing information about the physical or mental health status of someone (the data subject), generated in a professional medical context;
  • raw data collected by apps or devices that can be used to infer, on its own or when aggregated with other data, someone’s health status or health risk;
  • data that, in general, permits the inference of someone’s health status or risk, regardless of whether that inference is accurate, legitimate or adequate.

This definition covers a broad range of apps, from medical references and nutrition to diagnostics and fitness tracking applications.

What is sensitive data?

According to the EU Commission’s Green Paper on mHealth, fitness tracking apps are intended to maintain or improve healthy behaviours, quality of life and well-being of individuals.

In practice, it is difficult to discern whether or not such apps collect sensitive data. A fitness tracking app that only counts the number of steps during a single walk does not store sensitive data, provided that this data cannot be combined with other data about the same data subject and that no specific medical context for the app's use is known. In that case the data is just raw, relatively low-impact lifestyle personal data (as long as the app does not also record location), and nothing about that person’s health can be inferred from it.

However, collected raw data can be easily combined with other datasets and become sensitive data. In doubtful cases, the notion of what constitutes health data should be approached broadly: any data related to a person’s physical and mental health could be sensitive if the circumstances surrounding the data collection and processing suggest it is.

In fact, the latest Article 29 Working Party Opinion points out that the assessment must be made case by case. Fitness data generated in a medical context, or from which other health information can be inferred, will almost certainly be considered health (and therefore sensitive) data.

For example, data about our jogging activity is not by itself considered sensitive. However, when it is combined with heart rate, or analyzed and compared with data from other people, it can reveal sensitive information about our ability to perform strenuous activity. An insurance company, for instance, could infer that we fall into a category of people with a higher propensity for certain health issues and raise our premium or deny our application. In addition, fitness tracking apps that support jogging usually also collect geo-positioning data. Location is not itself a special category, but it makes the data subject far easier to identify and can reveal health-related context (for example, regular visits to a clinic), so such apps should be treated as handling sensitive data by default.

The diagram below shows the relations between different categories of data managed by mHealth and fitness tracking apps.

Outlook: the EU General Data Protection Regulation

The proposed EU GDPR is pending approval, and its definition of health data is extensive (though not exhaustive). According to it, health data is all data pertaining to the health status of a data subject, or collected for the purpose of deducing someone's health status, such as:

  • Information about the registration of the individual for the provision of health services.
  • Information on payments or eligibility for health care with respect to the individual.
  • A number, symbol or particular assigned to an individual to uniquely identify that individual for health purposes.
  • Any information about the individual collected in the course of the provision of health services to the individual.
  • Information derived from the testing or examining a body part or bodily substance, including biological samples.
  • Identification of a person as a healthcare provider to the individual.
  • Any information on a disease, disability, medical history, clinical treatments, or the actual physiological or biomedical state of the data subject independent of its sources, such as from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.

The GDPR thus embraces a broad set of data within the health category, including the data generated by fitness-tracking apps.

Does my app or service need to comply with Data Protection laws?

Collecting sensitive data does not automatically trigger every requirement related to sensitive data management; it depends on what happens to the data.

  • If you do not collect sensitive data, a lower level of protection applies. As a data controller you must still implement the general rules on personal data protection.
  • If your app collects sensitive data, then one of the following applies:
      • If the data never leaves the device, there is no need to comply with the strict requirements. Note that "leaving the device" includes cloud backups, sync services, and third-party analytics or crash-reporting SDKs, not just your own servers.
      • If the data is processed also (or only) outside the device, developers must comply with Articles 8(2), (3) and (4) of the Data Protection Directive and implement all administrative and technical requirements.

Developers must secure the storage of sensitive data and ensure adequate protection whichever architecture they choose. Storing data only on the device makes deletion straightforward when the user withdraws consent or uninstalls the app, but a client-server architecture is safer against device theft or damage: losing the device otherwise means losing the sensitive data, and, if the local storage is not encrypted, exposing it as well.

Are you wondering if the data your apps collect needs to comply with Data Protection laws? Take a 60-second compliance test.

How to be GDPR compliant?

Complying with GDPR is challenging. Developers must fulfil administrative and technical requirements. From the administrative point of view, they must ask users for explicit consent and provide clear and accessible information on data processing activities, including the Privacy Policy.

From a technical point of view, they must implement safeguards for data transmission and storage, as well as proper management procedures for collecting data. To facilitate satisfying all those requirements, we offer developers a cost-effective, simple-to-use, and secure service that is fully compliant with current EU laws and guidelines for health data management.

For more information about all obligations, see our analysis in another post: tips for achieving privacy law compliance.