Digital Health applications that collect personal and sensitive data must comply with data protection laws. For application developers, identifying the relevant laws, extracting the rules and obligations, and implementing them within their applications can be extremely challenging, expensive and risky.
To achieve compliance, developers should consider privacy during the whole application development life cycle.
This is the Privacy by Design principle, written into the EU General Data Protection Regulation (GDPR) as data protection by design and by default (Article 25). Achieving compliance means fulfilling different types of rules and obligations, which can be divided into three categories:
- Administrative requirements, e.g. collecting consents, notifying Data Protection Authorities, writing a Privacy (Data Protection) Impact Assessment.
- Technological requirements e.g. implementing safeguards such as encryption or access control.
- Physical requirements, e.g. ensuring the physical security of servers and documents and controlling physical access to them.
Identifying the service liability chain
Before identifying the exact requirements for a specific application, developers must first understand their role within the service liability chain. EU law distinguishes three roles:
- Data Subject: the identified or identifiable individual to whom the personal/sensitive data relates.
- Data Controllers: those who determine the purposes and means of processing personal data, i.e. what is collected and what it is used for. They are either legal entities such as companies, government bodies and NGOs, or individuals such as app developers distributing apps.
- Data Processors: those who process personal data on behalf of a data controller for a specific purpose, for example an agency handling marketing or financial enquiries, or a hosting provider.
Application developers can act as:
- Data Controllers when they provide their services directly to consumers (the data subjects). This is typical for fitness or disease-tracking apps, for instance diabetes tracking.
- Data Processors when they sell their services to health or public institutions, which remain the controllers. These are apps that physicians, hospitals or private clinics deliver to their own patients.
Obligations for Data Controllers managing personal data
Data controllers that manage personal data must ensure:
- That data subjects’ rights are observed (e.g. inform them about the processing and give them access to their data).
- That data is collected only for specified, explicit and legitimate purposes.
- That the processing rests on a lawful basis, e.g. a clear consent form, a contract with the subject or a legal obligation, documented in the privacy policy.
- Confidentiality and security of the processing.
- That, when data is transferred to countries outside the EU, those countries guarantee an adequate level of protection (e.g. through an adequacy decision or standard contractual clauses).
- That data is disposed of once it is no longer needed, e.g. when customers leave the service.
- Processing of ordinary personal data still requires security appropriate to the risk, but usually no special safeguards or additional administrative obligations beyond those above. This changes when data controllers manage sensitive data (special categories such as health data).
Obligations for Data Controllers managing sensitive data
In addition to the obligations valid for personal data, Data Controllers must:
- Ask data subjects for explicit consent (Article 8 of the Data Protection Directive 95/46/EC, now Article 9 GDPR), unless another specific exemption applies.
- Notify the supervisory Data Protection Authority, which monitors processing and investigates data breaches (under the GDPR a breach must be reported to it within 72 hours of the controller becoming aware of it).
- Ensure that administrative staff have access only to non-sensitive data.
- Ensure that all employees and third parties are trained on privacy and have signed a confidentiality agreement.
Implement technical safeguards following best practice in data protection, including:
- Authentication and authorisation (access control) procedures.
- Secure transmission between the mobile app and the server (TLS).
- Data encryption (at rest and in transit) and integrity verification on the server side.
- Audit of all accesses to data, tracked and documented by the system itself.
- Recording of unauthorised access attempts, reported immediately to the Data Controller.
- Protection of the servers’ logical security perimeter (network segmentation, firewalls).
- Prevention of unauthorised physical access to the IT infrastructure.
- Pseudonymisation or anonymisation wherever possible.
- A limited retention period, after which data is disposed of.
- A data storage location chosen in accordance with the applicable legal requirements.
- Additional safeguards such as a documented risk assessment are recommended.
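As an added example, not code from the original page or from Chino.io’s platform, the following Go program shows how several of the technical safeguards listed above fit together in a single server-side record store: AES-256-GCM encryption at rest with integrity verification on every read, a keyed HMAC pseudonym in place of the patient identifier, role-based access control that keeps administrative staff away from sensitive data, an audit entry for every access and every refused attempt, and a retention limit enforced by a purge routine. The role names (clinician, admin), the actor names, the in-memory maps and the sample record are assumptions made for illustration; the keys and the audit log would live in a KMS/HSM and durable storage in a real deployment.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

var ErrDenied = errors.New("access denied")
var ErrNotFound = errors.New("record not found")

// AuditEntry is written for every access and every refused attempt.
type AuditEntry struct{ When time.Time; Actor, Action, Pseudonym string; Allowed bool }

// record is nonce || AES-GCM ciphertext plus the time it was stored, for retention.
type record struct{ blob []byte; storedAt time.Time }

// Store keeps sensitive records encrypted at rest with AES-256-GCM (integrity is
// verified on every decryption), indexed by an HMAC pseudonym of the patient
// identifier, with role-based access control, an audit trail and a retention limit.
// Role names are hypothetical; keys, records and audit log are in memory only here.
type Store struct {
	aead      cipher.AEAD
	pseudoKey []byte
	roles     map[string]string // actor -> role; only "clinician" may handle sensitive data
	records   map[string]record
	retention time.Duration
	Audit     []AuditEntry
	Now       func() time.Time // injectable clock so retention can be tested offline
}

func NewStore(encKey, pseudoKey []byte, roles map[string]string, retention time.Duration) (*Store, error) {
	block, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead, pseudoKey: pseudoKey, roles: roles,
		records: map[string]record{}, retention: retention, Now: time.Now}, nil
}

// Pseudonym is a keyed hash of the patient identifier: stable enough to join records,
// but not reversible without pseudoKey, which is held apart from the data.
func (s *Store) Pseudonym(patientID string) string {
	m := hmac.New(sha256.New, s.pseudoKey)
	m.Write([]byte(patientID))
	return hex.EncodeToString(m.Sum(nil))
}

// authorise enforces the role rule and logs the decision either way, so that refused
// attempts are visible to the controller and not only successful reads.
func (s *Store) authorise(actor, action, pseudonym string) bool {
	ok := s.roles[actor] == "clinician"
	s.Audit = append(s.Audit, AuditEntry{s.Now(), actor, action, pseudonym, ok})
	return ok
}

// Put encrypts under a fresh random nonce and binds the pseudonym as associated data,
// so a ciphertext copied into another patient's slot fails integrity verification.
func (s *Store) Put(actor, patientID string, plaintext []byte) (string, error) {
	p := s.Pseudonym(patientID)
	if !s.authorise(actor, "write", p) {
		return "", ErrDenied
	}
	nonce := make([]byte, s.aead.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error; it fills nonce entirely
	s.records[p] = record{s.aead.Seal(nonce, nonce, plaintext, []byte(p)), s.Now()}
	return p, nil
}

// Get decrypts and integrity-checks a record; any tampering surfaces as an error.
func (s *Store) Get(actor, pseudonym string) ([]byte, error) {
	if !s.authorise(actor, "read", pseudonym) {
		return nil, ErrDenied
	}
	r, ok := s.records[pseudonym]
	if !ok {
		return nil, ErrNotFound
	}
	ns := s.aead.NonceSize()
	return s.aead.Open(nil, r.blob[:ns], r.blob[ns:], []byte(pseudonym))
}

// Purge disposes of records older than the retention period and reports how many.
func (s *Store) Purge() int {
	n := 0
	for p, r := range s.records {
		if s.Now().Sub(r.storedAt) > s.retention {
			delete(s.records, p)
			n++
		}
	}
	return n
}
```

Two design points worth noting: the pseudonym is passed to GCM as associated data, so moving a ciphertext between patients is detected as tampering rather than silently returning another subject’s data, and the audit entry is appended before the authorisation result is acted on, so a refused attempt is logged with the same detail as a granted one.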
Complying with data protection laws is challenging. Chino.io helps companies developing health applications to achieve GDPR and HIPAA compliance by offering them a Data Security Platform.
The Platform offers a set of APIs to store and manage sensitive health data that implement the data security, GDPR and HIPAA requirements discussed above (e.g. data encryption, consent management).