25 June 2019
It's important to be aware if your business is processing health data from users through the website or mobile app you're developing.
But what types of information are considered to be health data? Find out.
The Article 29 Working Party clarified what is being classed as health data in respect of the data being processed by health and wellbeing apps.
They identified 3 main scenarios where personal data that's being processed by health and wellbeing apps will be considered to be health data:
If the data being processed by your app falls under one of these 3 categories, you're processing health data.
This is a wide definition: it is not limited to medical data and includes all information relevant to the user's health status. Neither the context in which the information was gathered nor whether it points to the individual being in ill health matters; it is still considered to be health data.
The Working Party also refers to the proposed regulation, which clarifies that:
Information derived from the testing or examination of a body part or bodily substance, information about disease risks and information about the actual physiological or biomedical state of an individual independent of its source, also fall into the category of health data.
Information may be considered to be health data not only because of its nature but also because of the way it is processed.
This means that tracking information over time that seems to be insignificant in itself could be considered to be health data if it is combined with other data.
For example, a person's height and weight are collected for BMI calculation and then combined with information from a pedometer. This could be used to calculate increased disease risk, so it would be considered to be health data when used in this sort of combination.
However, it must be possible to show the relationship between the information collected and the ability to establish the health of an individual, based on the information on its own or the data in combination with other data.
Here's a checklist to help you determine whether your website or mobile app collects health data:
Here's how an iOS app asks the user for the current location:
Here's how it's linked on the website:
These reasons must be compatible and legitimate.
If the above is not disclosed to the user, their consent can be deemed to be invalid.
If your mobile app is built for iOS, use HealthKit. HealthKit is described as:
An entirely new way to use your health and fitness information. The new Health app gives you an easy to read dashboard of your health and fitness data. And we've created a new tool for developers called HealthKit, which allows all the incredible health and fitness apps to work together, and work harder, for you. It just might be the beginning of a health rebellion.
If you have an app that processes health data, make sure it is compatible with Apple's HealthKit so that users have an even easier way to manage how their health data is being processed.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.