The Article 29 Data Protection Working Party (Working Party), an independent EU advisory body on data protection and privacy, responded to a request from the European Commission made in the framework of the Commission’s mHealth initiative to clarify the definition of data concerning health in relation to lifestyle and wellbeing apps. (See more here, and here for our blog post on the European Commission’s Summary Report of the mHealth consultation.)
In its latest paper on health data in apps and devices, the Working Party supports a broad definition of health data, distinguishing the following three categories of health data:
- The data are inherently/clearly medical data, especially those generated in a professional, medical context.
- The data are raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person.
- Conclusions are drawn about a person’s health status or health risk (irrespective of whether these conclusions are accurate, legitimate or otherwise adequate or not).
The Working Party’s paper contains a number of practical examples of what clearly constitutes health data and what generally does not (relatively low impact lifestyle personal data). The paper also identified a grey area for data which may not qualify as health data at first sight but which may be deemed health data, depending on the intended use and type of processing. Or, as the Working Party states: “If seemingly innocuous raw data are tracked over a period of time, combined with other data, or transferred to other parties who have access to additional complementary datasets, it may well be that even the seemingly most innocuous data, combined with other data sources, and used for other purposes, will come within the definition of ‘health data’.”
The Working Party considers explicit consent as the most likely legal ground for processing health data. Especially in this context, the need for transparency is very high and the Working Party requires, among other things, that data controllers clearly inform users “whether the data are protected by any medical secrecy rules or not.”
Without going into much further detail the Working Party also touches on other key data protection principles, namely purpose limitation and security, and also reflects about the further processing of health data for research purposes.
The Working Party’s criteria for the definition establish a rather low threshold for information in apps and devices to qualify as health data. Classifying information as health data imposes stricter obligations on data controllers (e.g., requiring explicit consent or other narrow legal grounds, increased transparency and security requirements). Lifestyle app and device developers and manufacturers will need to bear this in mind when developing new apps and devices.