The European Data Protection Supervisor (“EDPS”), Giovanni Buttarelli, has published an opinion on Mobile Health (“mHealth”) (1). The opinion acknowledges concerns raised in relation to individuals’ rights to privacy and protection of their personal data, and highlights aspects of data protection for mHealth which the EDPS believes might be overlooked or underestimated by developers and suppliers of lifestyle and well-being mobile apps. The opinion provides a number of recommendations for the integration of data protection requirements in the design of mHealth apps and in relation to the need for legislators to encourage privacy by design and allocate responsibility for data protection appropriately between all mHealth stakeholders.
mHealth is a rapidly growing sector which stems from the convergence of information communications technology and healthcare. It includes lifestyle and wellbeing apps designed to deliver health-related services through smart devices which often process personal information about users’ health. Recent estimates (2) suggest that there are over 97,000 mHealth apps currently available, of which 70% target consumer fitness and welfare and 30% target health professionals (3).
The development of mHealth has great potential for improving healthcare and the lives of individuals and the quality of the conclusions that may be drawn from users’ information is likely to improve with the more widespread use of, and accessibility to, Big Data.
However, the increasing popularity of these lifestyle and well-being apps has highlighted concerns regarding the use of sensitive personal health data. Since misuse of health data, including drawing incorrect conclusions about a person’s health or well-being, may be irreversible and have long-term consequences for the individual, it is important that appropriate legal safeguards are in place to ensure that such data is not misused.
Data Protection Implications of mHealth
The first part of the opinion discusses the most relevant data protection implications of mHealth. To determine whether data protection compliance issues arise in relation to an mHealth app it is necessary to establish whether the data processed by it includes any personal data.
The EDPS considers that, in principle, data processed in the context of mHealth are likely to be personal data as they relate to identified or identifiable individuals. Further, pseudonymous data (data which on its own appears anonymous as it does not include any data explicitly identifying an individual) remains personal data as it can be re-identified to a particular individual not only by the data controller, but also by third parties through combination of that data with external information from other sources.
Having concluded that data processed are personal data, it is then necessary to consider whether data processed in the context of mHealth should be treated as health data falling under the stricter data protection regime applicable to sensitive personal data.
Although there is no definitive answer to this question, the EDPS considers that lifestyle and well-being data will, in general, be considered health data when processed in a medical context, or where information regarding the individual’s health may reasonably be inferred from the data (in itself, or combined with other information), especially when the purpose of the application is to monitor the health or well-being of the individual. Although the forthcoming General Data Protection Regulation will give more granularity on what constitutes health data for data protection purposes (4), in the absence of a clear definition in the meantime, the notion of what constitutes health data should, according to the EDPS, be construed broadly.
The second, and perhaps most important part of the opinion highlights a number of key recommendations relating to mHealth which the EDPS believes would bring about substantial benefits in the field of data protection, thereby safeguarding the interests of the users of lifestyle and well-being apps:
the EU legislator should, in future policy-making measures in the field of mHealth, foster accountability and allocation of responsibility of those involved in the design, supply and functioning of apps. This should include designers and device manufacturers. The EDPS also considers that a code of conduct elaborated by mHealth stakeholders with the contribution of data protection agencies might also help encourage a coherent application of existing data protection rules in relation to mHealth;
app designers and publishers should design devices and apps to increase transparency and the level of information provided to individuals in relation to processing their personal data, and avoid collecting more data than is required in order to perform the expected function. App designers and publishers should embed privacy and data protection settings in the design of these apps, applying the same level of creativity and dynamicity they usually display in introducing attractive devices and apps to also provide individuals with effective and user-friendly privacy notices and setting options;
industry should use Big Data in mHealth for purposes that are beneficial to individuals, such as medical research, and avoid using them for practices that could cause them harm, such as discriminatory profiling for employment or insurance purposes; and
the EU legislator should enhance data security and encourage the application of privacy by design and by default through privacy engineering and the development of appropriate building blocks and tools.
Given the potential impact on users, from a practical compliance (and audit trail) perspective, app developers and organisations looking to deploy mHealth apps to customers or their workforce should consider undertaking a privacy impact assessment (5) to ensure they identify, consider and address privacy concerns and ensure adequate protection for users.
mHealth has the potential to transform health service delivery across the globe, with better and more responsive healthcare for individuals, better disease prevention and lower healthcare costs for welfare systems. However, legitimate concerns exist in relation to the security of individuals’ personal health data. The opinion by the EDPS accords with previous guidance issued by the European Commission (6) and by the Article 29 Working Party (7) on mHealth. It highlights the need for a multi-faceted approach to safeguarding individuals’ personal data, by means of enhanced regulation as well as encouraging the responsible participation of mHealth stakeholders, ensuring at the same time that progress in this important area is not unduly stifled.
Opinion 1/2015 “Mobile Health – reconciling technological innovation with data protection”.
Research2Guidance (2013), “The mobile health global market report 2013-2017: the commercialisation of mHealth apps”, Vol. 3.
Deloitte study “mHealth in a mWorld”, 2012.
The proposed Commission draft of the General Data Protection Regulation defines “data concerning health” as including “any information which relates to the physical or mental health of an individual, or to the provision of health services to the individual”. The more recent Council draft adopts a somewhat narrower definition: “data concerning health” means “data related to the physical or mental health of an individual, which reveal information about his or her health status”.
European Commission Green Paper on mobile health, 10 April 2014, COM(2014) 219 final, complemented by a Staff Working Document (SWD(2014) 135 final).
Article 29 Data Protection Working Party letter and annex – “health data in apps and devices”, dated 05 February 2015.