< Back to latest news & events

Healthcare Scanner

Healthy data management for health apps

March 2021

With health and lifestyle apps becoming increasingly thirsty for users’ personal data, what steps need to be considered when you are processing sensitive data?

The increasing popularity of digital health and lifestyle apps has been a major trend over recent years. These applications often rely on users’ personal data and are therefore subject to regulatory requirements, particularly Special Category data, that need to be satisfied to ensure compliance and offer peace of mind to users that their data is not being misused.

When processing personal data, that is data that relates to an identified or identifiable natural person, the requirements put in place by data protection legislation will need to be complied with. Within the European Union this will be governed by the General Data Protection Regulation (GDPR) and in the UK what is referred to as the UK GDPR.

Where personal data is being used, the entity determining the purposes of such processing will need to ensure that processing is carried out:

  • within the principles set out within data protection legislation
  • relying on a lawful basis and in certain circumstances applying exceptions
  • in line with notification requirement included within data protection legislation

Lawful basis for health and lifestyle apps

Assuming that processing is in line with the principles, which is not in itself a given, the lawful basis which is relied on for health and lifestyle apps will usually be that the processing is necessary for the performance of a contract to which the user is subject to, i.e. their use of the app. An alternative basis for some elements of an app’s processing may also be that such use is within the provider’s legitimate interests. However, such interest needs to not be overruled by a user’s own rights and freedoms, so an assessment of use relying on this basis should be carried out by providers before assuming that such use is legitimate. A user’s consent can also be used as a lawful basis for processing personal data. However, for processing of non-Special Category data, using consent should be avoided for reasons discussed below.

Data protection legislation also provides that certain ‘Special Categories’ of personal data need additional steps. For data concerning health, as well as other forms of Special Category personal data, there is a general prohibition on processing and a greater standard of protection, and so greater care should be used. To legitimately process this data an exemption allowed by legislation will need to be applied. In the case of health and lifestyle apps the requirement of consent may be the only option available though, in certain cases, that the data is being processed for medical reasons may be applied if certain requirements are met.


If relying on a user’s consent, data protection legislation requires that such consent is a clear affirmative act, freely given, specific, informed and unambiguous. This is generally seen as a high standard of consent and so if a provider is relying on consent for any aspect of data processing, thought needs to go in to ensuring this standard is met. Where a user is consenting to a set of separate processes, consent needs to be provided for each process, and the user has the right to withdraw their consent at any time for all or each process, such withdrawal being as easy to notify as the original consent was to give. Given these requirements, technical measures will need to be adopted by the provider to ensure that consent is managed appropriately, and given the challenges of obtaining and managing consent it would be prudent to use an alternative lawful basis if legitimately available. Further to these requirements, legislation requires providers to be able to demonstrate that such consent has been has obtained.

Part of effectively obtaining a level of consent that complies with these requirements will require an appropriate level of information being supplied to users in a clear, easy to understand form. Further to this, there is a wider requirement for apps to provide transparency around their use of all of a user’s personal data including certain specific information. Where such transparency is not provided, and where use of a user’s personal data falls outside of their expectations, such processing is likely to be outside of the scope of the data protection principle. To comply with this requirement, apps should include details of their activities within a Privacy Notice that is clearly drafted and easily accessible to users. When a user first signs up to an app and when material additional personal data is being obtained, it may be appropriate for an app to use a pop up or similar to:

  • advise users that their personal data is being obtained
  • provide brief details
  • clearly signpost to their more detailed Privacy Notice

When things go wrong

Where an app does not comply with the requirements of data protection legislation there is a risk that users may find that their personal data is being used in a way they did not expect or in more extreme circumstances, in a way that is not appropriate. These concerns can then lead to complaints and potential investigation by the Information Commissioner’s Office (in the UK), who have powers to investigate, require changes, and potentially levy fines. In more extreme cases, particularly where demonstratable loss has been suffered by users, there is a risk of direct litigation.


If you already have or are looking to launch a health and lifestyle app, then how you keep in line with data protection legislation should be kept under ongoing review and it should be clear to users what you are doing with their personal data. With consideration and understanding of the relevant legislation, management of more contentious activities and an appropriate level of transparency, risks in this area can be effectively managed in an effort to work toward compliance.


This article was prepared by HGF Legal Director Michelle Davies and Senior IP Solicitor James Talbot.

Latest updates

Exam Success!

HGF are delighted to announce success for many of our colleagues in the recent exams on becoming qualified attorneys and would like to congratulate them on this fantastic achievement. Martyn …

Read article

In2ScienceUK continues to promote diversity and inclusion in STEM and IP with its award winning programme

HGF are proud sponsors of In2ScienceUK, a charity that gives young people from low-income backgrounds the opportunity to gain essential insights into science, technology, engineering, and mathematics (STEM) careers with …

Read article

Spotting innovation in digital health – and can you patent it?

Intellectual Property (IP) can add significant value to your business, providing a competitive edge over the market, as well as demonstrating sound business planning to help secure investment. There are …

Read article

Innovation at the heart of UK medtech strategy

The UK Department of Health and Social Care has recently published the government’s first ever medical technology strategy in an effort to accelerate access to innovative technologies. The strategy document …

Read article

How medtech start-ups can supercharge their IP for fundraising

Why is IP important for fundraising? Intellectual property (IP) rights underpin the value of most medtech start-up companies. IP rights include patents, design rights, trade marks, copyright and trade secrets …

Read article

What is EUDAMED and how will it affect your IP strategy?

The “European database on medical devices”, or “EUDAMED”, is the EU’s IT system created by the new Medical Devices Regulation (MDR) and In Vitro Diagnostics Medical Devices Regulation (IVDR). When …

Read article