Tips on Clearing the Mist for Good
To effectively address the need, a new Code of Conduct on privacy for mobile health applications has been introduced, aiming to provide specific and accessible guidance on how EU data protection legislation should be applied by mHealth mobile developers. On 7 June 2016, the Code of Conduct was formally submitted for comments to Article 29 Data Protection Working Group. Once approved, app developer
s will be able to sign the Code on a voluntary basis and thereby commit to following its rules.
The Code has been drafted to be understandable to non-legal experts such as SMEs and individual developers. Guidance on EU data protection rules is particularly important as app developers design the software which runs on smartphones and therefore decide the extent to which the app will access and process different categories of personal data in the device and/or through remote computing resources. As a result, by following the Code’s provisions and guidelines, app developers will be assisted in making responsible and informed choices which comply with European data protection law.
Personal data includes information on the user (such as their name, address, or contact information), device identifiers, location data and other information regarding an identified or identifiable natural person. Moreover, health data concerns personal data which relates to the physical or mental health of an individual, including the provision of health care services, which reveal information about his or her health status. The Code also maintains that health data includes personal data that has a clear and close link to the health status description of a person. Raw sensor data, for instance, can be used in itself or in combination with other data to draw a conclusion about the actual health of someone.
There are several examples through which an app developer may easily understand whether her app project processes or does not process health data. In particular, the Code points out an important distinction (which we have already highlighted in one of our previous articles) between lifestyle data and data concerning health. It explains that the first category includes data on an individual’s habits and behavior that does not inherently relate to that individual’s health. However, one must note that if the data is used to measure or predict health risks (e.g. risk to injury or heart attacks) and stored in order to analyze and evaluate the user’s health, then the app does process health data.
Furthermore, the Code provides a series of practical guidelines for app developers, such as individuals and companies and private and public sector organizations. These guidelines ensure compliance to EU data protection laws. One of the most important, is obtaining user consent. The Code points out that app developers must obtain, prior to the app’s installation, the users’ free, specific and informed consent in order to process their data for the purposes described by app developers. On health data, the consent must be explicit while it is not sufficient that they don’t protest after having been informed of the intended use of their data. Furthermore, it is particularly important that app developers are able to demonstrate that users have provided their consent as explained above.
Another important principle which must be respected in the design phase of the apps is to only collect and process health data for specific and legitimate purposes. In particular, such purposes must be clearly defined before any data processing takes place and must be linked with the functionality of the app. If the personal data is to be used for a purpose other than the one described, it must be completely anonymized before re-use in order to avoid any possible identification of an individual. Otherwise, obtaining again the users’ free, informed and explicit consent is required.