Healthy data management for health apps

March 2021

With health and lifestyle apps becoming increasingly thirsty for users’ personal data, what steps need to be considered when you are processing sensitive data?

The increasing popularity of digital health and lifestyle apps has been a major trend over recent years. These applications often rely on users’ personal data, particularly Special Category data, and are therefore subject to regulatory requirements that need to be satisfied to ensure compliance and offer peace of mind to users that their data is not being misused.

When processing personal data, that is data that relates to an identified or identifiable natural person, the requirements put in place by data protection legislation will need to be complied with. Within the European Union this will be governed by the General Data Protection Regulation (GDPR) and in the UK what is referred to as the UK GDPR.

Where personal data is being used, the entity determining the purposes of such processing will need to ensure that processing is carried out:

  • within the principles set out within data protection legislation
  • relying on a lawful basis and in certain circumstances applying exceptions
  • in line with the notification requirements included within data protection legislation

Lawful basis for health and lifestyle apps

Assuming that processing is in line with the principles, which is not in itself a given, the lawful basis which is relied on for health and lifestyle apps will usually be that the processing is necessary for the performance of a contract to which the user is subject, i.e. their use of the app. An alternative basis for some elements of an app’s processing may also be that such use is within the provider’s legitimate interests. However, such interest must not be overruled by a user’s own rights and freedoms, so an assessment of use relying on this basis should be carried out by providers before assuming that such use is legitimate. A user’s consent can also be used as a lawful basis for processing personal data. However, for processing of non-Special Category data, using consent should be avoided for reasons discussed below.

Data protection legislation also provides that certain ‘Special Categories’ of personal data need additional steps. For data concerning health, as well as other forms of Special Category personal data, there is a general prohibition on processing and a greater standard of protection, and so greater care should be used. To legitimately process this data an exemption allowed by legislation will need to be applied. In the case of health and lifestyle apps the requirement of consent may be the only option available, although in certain cases the exemption that the data is being processed for medical reasons may be applied if certain requirements are met.

Consent

If relying on a user’s consent, data protection legislation requires that such consent is a clear affirmative act, freely given, specific, informed and unambiguous. This is generally seen as a high standard of consent and so if a provider is relying on consent for any aspect of data processing, thought needs to go into ensuring this standard is met. Where a user is consenting to a set of separate processes, consent needs to be provided for each process, and the user has the right to withdraw their consent at any time for all or each process, such withdrawal being as easy to notify as the original consent was to give. Given these requirements, technical measures will need to be adopted by the provider to ensure that consent is managed appropriately, and given the challenges of obtaining and managing consent it would be prudent to use an alternative lawful basis if legitimately available. Further to these requirements, legislation requires providers to be able to demonstrate that such consent has been obtained.

Part of effectively obtaining a level of consent that complies with these requirements will require an appropriate level of information being supplied to users in a clear, easy to understand form. Further to this, there is a wider requirement for apps to provide transparency around their use of all of a user’s personal data including certain specific information. Where such transparency is not provided, and where use of a user’s personal data falls outside of their expectations, such processing is likely to be outside of the scope of the data protection principle. To comply with this requirement, apps should include details of their activities within a Privacy Notice that is clearly drafted and easily accessible to users. When a user first signs up to an app and when material additional personal data is being obtained, it may be appropriate for an app to use a pop up or similar to:

  • advise users that their personal data is being obtained
  • provide brief details
  • clearly signpost to their more detailed Privacy Notice

When things go wrong

Where an app does not comply with the requirements of data protection legislation, there is a risk that users may find that their personal data is being used in a way they did not expect or, in more extreme circumstances, in a way that is not appropriate. These concerns can then lead to complaints and potential investigation by the Information Commissioner’s Office (in the UK), which has powers to investigate, require changes, and potentially levy fines. In more extreme cases, particularly where demonstrable loss has been suffered by users, there is a risk of direct litigation.

Conclusion

If you already have or are looking to launch a health and lifestyle app, then how you keep in line with data protection legislation should be kept under ongoing review and it should be clear to users what you are doing with their personal data. With consideration and understanding of the relevant legislation, management of more contentious activities and an appropriate level of transparency, risks in this area can be effectively managed in an effort to work toward compliance.

 

This article was prepared by HGF Legal Director Michelle Davies and Senior IP Solicitor James Talbot.
