< Back to latest news & events

Healthcare Scanner

Healthy data management for health apps

March 2021

With health and lifestyle apps becoming increasingly thirsty for users’ personal data, what steps need to be considered when you are processing sensitive data?

The increasing popularity of digital health and lifestyle apps has been a major trend over recent years. These applications often rely on users’ personal data and are therefore subject to regulatory requirements, particularly Special Category data, that need to be satisfied to ensure compliance and offer peace of mind to users that their data is not being misused.

When processing personal data, that is data that relates to an identified or identifiable natural person, the requirements put in place by data protection legislation will need to be complied with. Within the European Union this will be governed by the General Data Protection Regulation (GDPR) and in the UK what is referred to as the UK GDPR.

Where personal data is being used, the entity determining the purposes of such processing will need to ensure that processing is carried out:

  • within the principles set out within data protection legislation
  • relying on a lawful basis and in certain circumstances applying exceptions
  • in line with notification requirement included within data protection legislation

Lawful basis for health and lifestyle apps

Assuming that processing is in line with the principles, which is not in itself a given, the lawful basis which is relied on for health and lifestyle apps will usually be that the processing is necessary for the performance of a contract to which the user is subject to, i.e. their use of the app. An alternative basis for some elements of an app’s processing may also be that such use is within the provider’s legitimate interests. However, such interest needs to not be overruled by a user’s own rights and freedoms, so an assessment of use relying on this basis should be carried out by providers before assuming that such use is legitimate. A user’s consent can also be used as a lawful basis for processing personal data. However, for processing of non-Special Category data, using consent should be avoided for reasons discussed below.

Data protection legislation also provides that certain ‘Special Categories’ of personal data need additional steps. For data concerning health, as well as other forms of Special Category personal data, there is a general prohibition on processing and a greater standard of protection, and so greater care should be used. To legitimately process this data an exemption allowed by legislation will need to be applied. In the case of health and lifestyle apps the requirement of consent may be the only option available though, in certain cases, that the data is being processed for medical reasons may be applied if certain requirements are met.

Consent

If relying on a user’s consent, data protection legislation requires that such consent is a clear affirmative act, freely given, specific, informed and unambiguous. This is generally seen as a high standard of consent and so if a provider is relying on consent for any aspect of data processing, thought needs to go in to ensuring this standard is met. Where a user is consenting to a set of separate processes, consent needs to be provided for each process, and the user has the right to withdraw their consent at any time for all or each process, such withdrawal being as easy to notify as the original consent was to give. Given these requirements, technical measures will need to be adopted by the provider to ensure that consent is managed appropriately, and given the challenges of obtaining and managing consent it would be prudent to use an alternative lawful basis if legitimately available. Further to these requirements, legislation requires providers to be able to demonstrate that such consent has been has obtained.

Part of effectively obtaining a level of consent that complies with these requirements will require an appropriate level of information being supplied to users in a clear, easy to understand form. Further to this, there is a wider requirement for apps to provide transparency around their use of all of a user’s personal data including certain specific information. Where such transparency is not provided, and where use of a user’s personal data falls outside of their expectations, such processing is likely to be outside of the scope of the data protection principle. To comply with this requirement, apps should include details of their activities within a Privacy Notice that is clearly drafted and easily accessible to users. When a user first signs up to an app and when material additional personal data is being obtained, it may be appropriate for an app to use a pop up or similar to:

  • advise users that their personal data is being obtained
  • provide brief details
  • clearly signpost to their more detailed Privacy Notice

When things go wrong

Where an app does not comply with the requirements of data protection legislation there is a risk that users may find that their personal data is being used in a way they did not expect or in more extreme circumstances, in a way that is not appropriate. These concerns can then lead to complaints and potential investigation by the Information Commissioner’s Office (in the UK), who have powers to investigate, require changes, and potentially levy fines. In more extreme cases, particularly where demonstratable loss has been suffered by users, there is a risk of direct litigation.

Conclusion

If you already have or are looking to launch a health and lifestyle app, then how you keep in line with data protection legislation should be kept under ongoing review and it should be clear to users what you are doing with their personal data. With consideration and understanding of the relevant legislation, management of more contentious activities and an appropriate level of transparency, risks in this area can be effectively managed in an effort to work toward compliance.

 

This article was prepared by HGF Legal Director Michelle Davies and Senior IP Solicitor James Talbot.

Latest updates

Agritech Thymes: Arusha Protocol Enters into Force

Since being introduced in July 2015, the Arusha protocol for the protection of novel plant varieties in Africa has finally entered into force on the 24th November 2024, after ratification …

Read article

HGF office closures in December 2024 and January 2025

Please note that our offices will be closed for business in accordance with national holidays on the following dates.  Please plan accordingly and provide us with your instructions in advance …

Read article

Central Division takes pragmatic approach to late-filed submissions and revokes VMR’s patent for lack of inventive step

In Njoy v VMR (UPC_CFI_308/2023), the Paris Central Division confirmed that the “front loaded” provisions of the UPC should be interpreted in line with the principles of proportionality and procedural …

Read article

Celebrating Success – Director Promotions

We are proud to announce that 7 of our team have been promoted to director effective from 1 December 2024! These promotions recognise the outstanding contributions demonstrated by these individuals, who …

Read article

G2/24: A new referral to the Enlarged Board seeks to clarify whether a third party who intervened during appeal proceedings can acquire full appellant status

In the referring decision, T1286/23, the Board of Appeal referred the following questions to the Enlarged Board of Appeal: After the withdrawal of all appeals, may the proceedings be continued …

Read article

UPC first FRAND judgment results in injunction against OPPO

Panasonic Holdings Corporation v Guangdong OPPO Mobile Telecommunications Corp. Ltd & anor UPC_CFI_210/2023 – Mannheim Local Division (Tochtermann, Böttcher, Brinkman & Loibner) – 22 November 2024. The UPC issued its …

Read article