< Zurück zu den aktuellen Neuigkeiten & Events

Healthcare Scanner

Healthy data management for health apps

März 2021

With health and lifestyle apps becoming increasingly thirsty for users’ personal data, what steps need to be considered when you are processing sensitive data?

The increasing popularity of digital health and lifestyle apps has been a major trend over recent years. These applications often rely on users’ personal data and are therefore subject to regulatory requirements, particularly Special Category data, that need to be satisfied to ensure compliance and offer peace of mind to users that their data is not being misused.

When processing personal data, that is data that relates to an identified or identifiable natural person, the requirements put in place by data protection legislation will need to be complied with. Within the European Union this will be governed by the General Data Protection Regulation (GDPR) and in the UK what is referred to as the UK GDPR.

Where personal data is being used, the entity determining the purposes of such processing will need to ensure that processing is carried out:

  • within the principles set out within data protection legislation
  • relying on a lawful basis and in certain circumstances applying exceptions
  • in line with notification requirement included within data protection legislation

Lawful basis for health and lifestyle apps

Assuming that processing is in line with the principles, which is not in itself a given, the lawful basis which is relied on for health and lifestyle apps will usually be that the processing is necessary for the performance of a contract to which the user is subject to, i.e. their use of the app. An alternative basis for some elements of an app’s processing may also be that such use is within the provider’s legitimate interests. However, such interest needs to not be overruled by a user’s own rights and freedoms, so an assessment of use relying on this basis should be carried out by providers before assuming that such use is legitimate. A user’s consent can also be used as a lawful basis for processing personal data. However, for processing of non-Special Category data, using consent should be avoided for reasons discussed below.

Data protection legislation also provides that certain ‘Special Categories’ of personal data need additional steps. For data concerning health, as well as other forms of Special Category personal data, there is a general prohibition on processing and a greater standard of protection, and so greater care should be used. To legitimately process this data an exemption allowed by legislation will need to be applied. In the case of health and lifestyle apps the requirement of consent may be the only option available though, in certain cases, that the data is being processed for medical reasons may be applied if certain requirements are met.

Consent

If relying on a user’s consent, data protection legislation requires that such consent is a clear affirmative act, freely given, specific, informed and unambiguous. This is generally seen as a high standard of consent and so if a provider is relying on consent for any aspect of data processing, thought needs to go in to ensuring this standard is met. Where a user is consenting to a set of separate processes, consent needs to be provided for each process, and the user has the right to withdraw their consent at any time for all or each process, such withdrawal being as easy to notify as the original consent was to give. Given these requirements, technical measures will need to be adopted by the provider to ensure that consent is managed appropriately, and given the challenges of obtaining and managing consent it would be prudent to use an alternative lawful basis if legitimately available. Further to these requirements, legislation requires providers to be able to demonstrate that such consent has been has obtained.

Part of effectively obtaining a level of consent that complies with these requirements will require an appropriate level of information being supplied to users in a clear, easy to understand form. Further to this, there is a wider requirement for apps to provide transparency around their use of all of a user’s personal data including certain specific information. Where such transparency is not provided, and where use of a user’s personal data falls outside of their expectations, such processing is likely to be outside of the scope of the data protection principle. To comply with this requirement, apps should include details of their activities within a Privacy Notice that is clearly drafted and easily accessible to users. When a user first signs up to an app and when material additional personal data is being obtained, it may be appropriate for an app to use a pop up or similar to:

  • advise users that their personal data is being obtained
  • provide brief details
  • clearly signpost to their more detailed Privacy Notice

When things go wrong

Where an app does not comply with the requirements of data protection legislation there is a risk that users may find that their personal data is being used in a way they did not expect or in more extreme circumstances, in a way that is not appropriate. These concerns can then lead to complaints and potential investigation by the Information Commissioner’s Office (in the UK), who have powers to investigate, require changes, and potentially levy fines. In more extreme cases, particularly where demonstratable loss has been suffered by users, there is a risk of direct litigation.

Conclusion

If you already have or are looking to launch a health and lifestyle app, then how you keep in line with data protection legislation should be kept under ongoing review and it should be clear to users what you are doing with their personal data. With consideration and understanding of the relevant legislation, management of more contentious activities and an appropriate level of transparency, risks in this area can be effectively managed in an effort to work toward compliance.

 

This article was prepared by HGF Legal Director Michelle Davies and Senior IP Solicitor James Talbot.

Aktuelle Neuigkeiten

Dresden & Salzburg Seminar: Erfolgreicher Patentschutz in Europa – Von der Anmeldung bis zur Verteidigung

HGF freut sich, Sie zu unserem kommenden deutschsprachigen Seminar zum Thema „Erfolgreicher Patentschutz in Europa – von der Anmeldung bis zur Verteidigung“ in Salzburg und Dresden einzuladen. Das Seminar bietet …

Weiterlesen

Agritech Thymes: Einer der ältesten Rebsortenschutzrechte in Europa wird für ungültig erklärt

Die italienischen Gerichte verhandelten kürzlich einen Fall der Verletzung eines Sortenschutzrechts (PVR) von Sun World International LLC zum Schutz der Rebsorte Sugraone und der entsprechenden Marke „Superior Seedless“. Die Angeklagten: …

Weiterlesen

HGF führt zukunftsweisende und integrative Elternurlaubspolitik in UK ein

Mit der Einführung der neuen zukunftsweisenden und integrativen Elternurlaubspolitik ist HGF das erste Unternehmen im Bereich des geistigen Eigentums im Vereinigten Königreich, das allen berechtigten Kolleginnen und Kollegen ungeachtet ihres …

Weiterlesen

HGF sind Platin-Sponsoren des Dublin IP and R&D Summit

HGF ist stolz darauf, Platin-Sponsor des IP- und F&E-Gipfels zu sein, der am 4. und 5. September 2024 stattfindet. Diese zweitägige Veranstaltung wird an folgenden Orten abgehalten: Tag 1 – …

Weiterlesen

Pro-Manchester Creative Conference

HGF ist stolz darauf, Premium-Sponsor der Pro-Manchester Creative Conference zu sein, die am 20. September im UA92 in Manchester stattfindet. Auf der Konferenz werden die digitale Transformation, Produktivitäts-Hacks für das …

Weiterlesen

Patente und KI – Ein Interview mit ChatGPT

Es besteht kaum ein Zweifel daran, dass KI einen erheblichen Einfluss auf unser Leben und unsere Branchen haben wird. Der Bereich des geistigen Eigentums wird davon nicht ausgenommen sein. Kommentatoren …

Weiterlesen