Privacy guidelines for health apps

It's important to be aware if your business is processing health data from users through the website or mobile app you're developing.

If you are collecting health data, you'll need to comply with stricter rules when handling the personal data being processed from your users and your Privacy Policy must be updated accordingly.

But what types of information are considered to be health data? Find out.

What is health data

The Article 29 Working Party clarified what is being classed as health data in respect of the data being processed by health and wellbeing apps.

They identified 3 main scenarios where personal data that's being processed by health and wellbeing apps will be considered to be health data:

• Data that is clearly or inherently medical data
• Raw data that the app has obtained from sensors, which is processed by the app and can be used independently or combined with other data to come to a conclusion about the user's health status or potential health risks
• Where conclusions can be drawn about the user's health status or health risks based on information gathered by the app

If the data being processed by your app falls under one of these 3 categories, you're processing health data.

This is a wide definition, which is not limited to only medical data and includes all information relevant to the user's health status. It does not matter the context the information was gathered in and whether or not the information points to the individual being in ill health - it is still considered to be health data.

The Working Party also refers to the proposed regulation, which clarifies that:

Information derived from the testing or examination of a body part of bodily substance, information about disease risks and information about the actual physiological or biomedical state of an individual independent of its source, also fall into the category of health data.

Information may be considered to be health data not only because of its nature but also because of the way it is processed.

This means that tracking information over time that seems to be insignificant in itself could be considered to be health data if it is combined with other data.

For example a person's height and weight are collected for BMI calculation, and then combined with information from a pedometer. This could be used to calculate increased disease risk, so it would be considered to be health data when used in this sort of combination.

However, it must be possible to show the relationship between the information collected and the ability to establish the health of an individual, based on the information on its own or the data in combination with other data.

Privacy guidelines for health apps

Here's a checklist to help you determine whether your website or mobile app collects health data:

1. Express consent must be obtained unless the data is being processed in a strict medical context. This consent must be explicit.
2. You will always need to get an explicit consent when your health or wellbeing website/app processes the location of the user, e.g. asks the user for the current location.

   Here's how an iOS app asks the user for the current location:

   

3. Clear and accessible information regarding what type of data you collect (both personal data and health data) must always be provided to users before they install the app.

   You can meet this sort of requirement by making sure that the URL of your Privacy Policy is available on the App Store page and you have a link to this agreement in all communications to your users: on your website (in the footer), in your emails (in the email's footer), and so on.

   Here's how the Privacy Policy URL of Slack is displayed on the App Store page:

   

   Here's how it's linked on the website:

   

   And here's how its Privacy Policy page is linked on Slack's iOS app:

   

4. The following must be disclosed to users:
   • If their data will be protected by medical secrecy.
   • If their data will be collated with other data collected from other sources or data already stored on the device.
   • The reasons why the data will be processed and who it will be disclosed to should be made clear to the user.

     These reasons must be compatible and legitimate.

     If the above is not disclosed to the user, their consent can be deemed to be invalid.

5. Definitions that you use in your Privacy Policy must be clear.
6. Implement proper anonymization techniques and other risk reducing measures: privacy by design and data minimization.

Examples of health apps

myfitnesspal

A common example of a health and well-being app is the MyFitnessPal app. To find its Privacy Policy you must go to the Help screen:

Its Terms of Service and Privacy Policy agreements aren't separated on different screen; they are on the same page:

MapMyRun

The Privacy Policy of the MapMyRun app is accessed through the Settings menu and is placed separately from their Terms of Service page:

Sleep Cycle

The Sleep Cycle app's Privacy Policy could not be found on the iOS menu screen:

If you are currently drafting a Privacy Policy for a health and wellbeing mobile app or website, make sure you follow the above checklist whether you process health data or not.

If your mobile app is built for iOS, use HealthKit. HealthKit is described as:

An entirely new way to use your health and fitness information. The new Health app gives you an easy to read dashboard of your health and fitness data. And we've created a new tool for developers called HealthKit, which allows all the incredible health and fitness apps to work together, and work harder, for you. It just might be the beginning of a health rebellion.

If you have an app that processes health data, you should make sure it is compatible with Apple's HealthKit to make sure users have an even easier way to manage the way their health data is being processed.