< Back to latest news & events

Healthcare Scanner

Healthy data management for health apps

March 2021

With health and lifestyle apps becoming increasingly thirsty for users’ personal data, what steps need to be considered when you are processing sensitive data?

The increasing popularity of digital health and lifestyle apps has been a major trend over recent years. These applications often rely on users’ personal data and are therefore subject to regulatory requirements, particularly Special Category data, that need to be satisfied to ensure compliance and offer peace of mind to users that their data is not being misused.

When processing personal data, that is data that relates to an identified or identifiable natural person, the requirements put in place by data protection legislation will need to be complied with. Within the European Union this will be governed by the General Data Protection Regulation (GDPR) and in the UK what is referred to as the UK GDPR.

Where personal data is being used, the entity determining the purposes of such processing will need to ensure that processing is carried out:

  • within the principles set out within data protection legislation
  • relying on a lawful basis and in certain circumstances applying exceptions
  • in line with notification requirement included within data protection legislation

Lawful basis for health and lifestyle apps

Assuming that processing is in line with the principles, which is not in itself a given, the lawful basis which is relied on for health and lifestyle apps will usually be that the processing is necessary for the performance of a contract to which the user is subject to, i.e. their use of the app. An alternative basis for some elements of an app’s processing may also be that such use is within the provider’s legitimate interests. However, such interest needs to not be overruled by a user’s own rights and freedoms, so an assessment of use relying on this basis should be carried out by providers before assuming that such use is legitimate. A user’s consent can also be used as a lawful basis for processing personal data. However, for processing of non-Special Category data, using consent should be avoided for reasons discussed below.

Data protection legislation also provides that certain ‘Special Categories’ of personal data need additional steps. For data concerning health, as well as other forms of Special Category personal data, there is a general prohibition on processing and a greater standard of protection, and so greater care should be used. To legitimately process this data an exemption allowed by legislation will need to be applied. In the case of health and lifestyle apps the requirement of consent may be the only option available though, in certain cases, that the data is being processed for medical reasons may be applied if certain requirements are met.


If relying on a user’s consent, data protection legislation requires that such consent is a clear affirmative act, freely given, specific, informed and unambiguous. This is generally seen as a high standard of consent and so if a provider is relying on consent for any aspect of data processing, thought needs to go in to ensuring this standard is met. Where a user is consenting to a set of separate processes, consent needs to be provided for each process, and the user has the right to withdraw their consent at any time for all or each process, such withdrawal being as easy to notify as the original consent was to give. Given these requirements, technical measures will need to be adopted by the provider to ensure that consent is managed appropriately, and given the challenges of obtaining and managing consent it would be prudent to use an alternative lawful basis if legitimately available. Further to these requirements, legislation requires providers to be able to demonstrate that such consent has been has obtained.

Part of effectively obtaining a level of consent that complies with these requirements will require an appropriate level of information being supplied to users in a clear, easy to understand form. Further to this, there is a wider requirement for apps to provide transparency around their use of all of a user’s personal data including certain specific information. Where such transparency is not provided, and where use of a user’s personal data falls outside of their expectations, such processing is likely to be outside of the scope of the data protection principle. To comply with this requirement, apps should include details of their activities within a Privacy Notice that is clearly drafted and easily accessible to users. When a user first signs up to an app and when material additional personal data is being obtained, it may be appropriate for an app to use a pop up or similar to:

  • advise users that their personal data is being obtained
  • provide brief details
  • clearly signpost to their more detailed Privacy Notice

When things go wrong

Where an app does not comply with the requirements of data protection legislation there is a risk that users may find that their personal data is being used in a way they did not expect or in more extreme circumstances, in a way that is not appropriate. These concerns can then lead to complaints and potential investigation by the Information Commissioner’s Office (in the UK), who have powers to investigate, require changes, and potentially levy fines. In more extreme cases, particularly where demonstratable loss has been suffered by users, there is a risk of direct litigation.


If you already have or are looking to launch a health and lifestyle app, then how you keep in line with data protection legislation should be kept under ongoing review and it should be clear to users what you are doing with their personal data. With consideration and understanding of the relevant legislation, management of more contentious activities and an appropriate level of transparency, risks in this area can be effectively managed in an effort to work toward compliance.


This article was prepared by HGF Legal Director Michelle Davies and Senior IP Solicitor James Talbot.

Latest updates

Can AI replace patent attorneys?

OpenAI recently released a dialogue-based AI chatbot called ChatGPT, which is free for anyone to try out. You can try it here (https://chat.openai.com/chat). It’s been shown that it can set, …

Read article

HGF office closures in December 2022 and January 2023

Please note that our offices will be closed for business in accordance with national holidays on the following dates. Please plan accordingly and provide us with your instructions in advance …

Read article

Start of the UPC Sunrise Period delayed to 1 March 2023

The UPC sunrise period which was expected to start on 1 January 2023 has now been postponed to 1 March 2023. Consequently, the entry into force of the UPCA and …

Read article

Gender diversity at the UPC

In Europe, women remain grossly under-represented in research and innovation. A recent study by the European Patent Office (EPO) found that only 13.2% of inventors in Europe are women. The …

Read article
Event - 29th November 2022

LSPN Europe 2022

HGF is a silver sponsor of LSPN Europe 2022 on 29th November in London. This event will explore some of the biggest challenges facing the Life Sciences Patent Community right now …

Event details

Oral Proceedings by videoconference (VICO) in oppositions proceedings to become permanent

The pilot project for oral proceedings in opposition proceedings by video conference (VICO) started during the pandemic and has received positive feedback.[1] The President of the EPO has therefore declared …

Read article