Is That a Medical Device In Your Pocket?

Mobile Health:  mHealth Apps and Data Protection

A recent Deloitte research paper has predicted that global revenues for the mHealth market will grow from $2.3bn in 2013 to $21.5bn by 2018, with Europe becoming the largest mHealth market by 2018 (US$7.1bn), posting 61% annual growth.

Health apps range from medical dictionaries and diagnostic libraries to medical calculator apps. An example of an emerging mHealth app is Stemp, an app which continuously takes a patient’s temperature. Health and medical apps put massive amounts of knowledge and capability in the hands of both patients and doctors.

The benefits of health apps are far reaching: easy access, speed in treatment and diagnosis, and reduced hospital stays and patient/doctor time. mHealth apps have been compared to a self-checkout at a supermarket: where appropriate, the patient/customer can handle the information themselves. However, the mHealth industry is rife with legal issues, primarily that of data protection.

Data Protection and Privacy

Medical data is inherently more strictly regulated than other types of personal data. Under the Data Protection Acts 1988-2003, sensitive personal data carries additional obligations, such as the requirement for the data controller to obtain explicit consent before collecting the data. Examples of mHealth apps which could easily breach the Data Protection Acts include apps which require an input of information, apps which count a person’s footsteps or heartbeat, or apps which analyse a photo. Where this information is stored, and who is privy to it, is crucial in determining whether the app is in breach of data protection law.

Section 2(1)(c) of the Data Protection Act provides inter alia that personal data –

(i) shall be kept only for one or more specified and lawful purposes, [and]

(ii) shall not be used or disclosed in any manner incompatible with that purpose or those purposes.

The Irish Data Protection Commissioner’s case studies show that health data is already a focus. In Case Study 1/97 a hospital patient’s data was disclosed for research. The Data Protection Commissioner found that the data had not been obtained fairly for this purpose, as the patient did not know at the outset that their data would be used for research and had not consented to this use.

The potential for data to be inadvertently viewed by others is also a factor to be considered when looking at mHealth. In Case Study 6/96 the complainant enquired about an instalment payment scheme in a shop. The assistant checked some background information on a screen which was in public view of others in the shop. Upon investigation the DPC found that the requirement to provide adequate security had been contravened, and that the positions of these screens could be made more secure and private. While this case did not involve medical data, a similar issue arises where medical data is displayed on devices that could be viewed by others.

Due to the private nature of sensitive personal data, there is narrow justification for processing this type of data, and along with obtaining explicit consent the data controller must adhere to Section 2(1)(c) of the Data Protection Act as outlined above.

Recognition of the need for increased data protection regulation is widespread across the European Union. Article 29 of the EU Directive establishes a “Working Party on the protection of Individuals with regard to the processing of personal data”. It is generally known as the “Article 29 Working Party”. It is made up of a representative from the data protection authority of each EU Member State (including the Irish Data Protection Commissioner), the European Data Protection Supervisor and the EU Commission.

The Working Party summarised health data as being:

  • data which is inherently / clearly medical data;
  • raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person;
  • data setting out conclusions which are drawn about a person’s health status or health risk (whether or not they are accurate or legitimate or otherwise adequate or inadequate).

The Working Party notes that health data which is processed only on the device itself and is not transmitted outside the device will be covered by the exception that it is purely for personal use.

The Working Party states that the data controller must clearly inform users of:

  • whether or not the data is protected by any medical secrecy rules;
  • how the data will be combined with other data stored on the device or collected from other sources and give clear examples of the consequences of the combination of the data;
  • what the purposes of any further processing are; and
  • any third parties to whom the data may be transferred.

The European Commission is currently laying the groundwork for an industry-led code of conduct for mobile app developers in relation to privacy and security. The Commission stated that “the purpose of this code is to foster citizens’ trust in mHealth apps, raise awareness of and facilitate compliance with EU data protection rules for app developers.” This is another example of a clear understanding of the gravity and importance that mHealth apps will bring to individuals in the future.

An effort to introduce an Electronic Health Record (EHR) system was initiated by the Dutch Ministry of Health, Welfare and Sport in 2008. It was cancelled following a unanimous decision by the Senate of the Dutch Parliament in 2011, as the data security of the EHR system could not be guaranteed. Access to sensitive information could not be limited to the data needed for a particular purpose, and all health data was accessible to anyone with access to the system. It is unsurprising that this system was cancelled, as under Irish law requirements such as specified purpose and explicit consent in obtaining information would inherently have been breached.

The Council of the EU has adopted its position on the draft proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Data controllers would be bound by more pronounced obligations than those in the current data protection directive in relation to the information to be provided to data subjects prior to obtaining informed consent for processing personal data. Notably, the Draft introduces a specific definition of personal health data. Data concerning health is defined as:

“Data related to the physical or mental health of an individual, which reveal information about his or her health status.”

Article 33(1) of the Draft Regulation would require data controllers to perform an impact assessment prior to the processing of certain data which is likely to result in a high risk to the protection of the rights and freedoms of data subjects. The Draft Regulation includes a non-exhaustive list of certain types of data which require a prior impact assessment including:

  • Processing of data based on profiling and on which decisions are based that produce legal effects concerning data subjects or severely affect data subjects; and
  • Processing of sensitive personal data such as health data in circumstances where the data is processed for the purposes of taking decisions concerning data subjects on a large scale.

The maximum monetary penalty imposed could be up to €1,000,000 or two percent of the total annual worldwide turnover of a data controller or data processor for the previous year, for any intentional or negligent breach of the Draft Regulation.

It is clear from the above that there is widespread acknowledgement within the EU and Ireland of the necessity to implement specific data protection rules as the mHealth industry gains traction. The final text of the Draft Regulation is due by the end of 2015 and will be one to watch. It is also clear that our current laws do not offer the full protection required, given the vast scope of these apps. Although there is much ambiguity surrounding the effect and extent of the information held in the apps, there is unanimous agreement that mHealth is rapidly increasing and will continue to drastically change and influence the healthcare industry. Developers of mHealth apps cannot afford to ignore the data protection implications of their products and services, and data protection considerations must be built in no later than the feasibility study stage. Prevention is better than cure!

Contact Linda Hynes for more information.


This publication is for guidance purposes only. It does not constitute legal or professional advice. No liability is accepted by Ogier Leman for any action taken or not taken in reliance on the information set out in this publication. Professional or legal advice should be obtained before taking or refraining from any action as a result of the contents of this publication. Any and all information is subject to change.