At the end of last week, the EU Data Protection Supervisor (EDPS) published an excellent document entitled Mobile Health – Reconciling technological innovation with data protection. To quote the press release:
Failure to deploy data protection safeguards will result in a critical loss of individual trust, leading to fewer opportunities for public authorities and businesses, hampering the development of the health market. To foster confidence, future policies need to encourage more accountability of service providers and their associates; place respect for the choices of individuals at their core; end the indiscriminate collection of personal information and any possible discriminatory profiling; encourage privacy by design and privacy settings by default; and enhance the security of the technologies used.
The document itself contains much of interest. To this editor, who has heard many people poo-poo the importance of wellbeing data, it was good to see:
Lifestyle and well-being data will, in general, be considered health data, when they are processed in a medical context (e.g. the app is used upon advice of a patient’s doctor) or where information regarding an individual’s health may reasonably be inferred from the data (in itself, or combined with other information), especially when the purpose of the application is to monitor the health or well-being of the individual (whether in a medical context or otherwise). (Page 5)
As someone who gets concerned at turning people off sharing their health data, it was nice to see the recognition that:
If the legislator, the regulators and controllers were to fail to properly identify personal and sensitive data (for example, taking the position that in no circumstance lifestyle information can be considered as sensitive health information), users would be deterred from using mHealth. (Page 7)
It was good to see the recognition of the importance of Big Data is:
As it allows establishing connections -and thus extracting additional conclusions- from sets of previously unrelated data, Big Data will provide new insights for medical research, that were impossible to obtain before. (Page 9)
Moving to recommendations, the EDPS suggests:
It is crucial, in particular, that controllers and processors make an effort to improve transparency on the way they process, share and re-use personal data as well as on the purposes they aim at.
In this respect, granting data subjects the choice to limit the processing of mHealth data locally – on their smart devices, rather than on a remote server – is one of the important safeguards mHealth apps and devices should implement. Also, giving individuals the option to freely allow the sharing/transfer of the personal data to a third party or not by the controller is an important feature all mHealth applications and devices should incorporate. All these options should be smart and easy to implement even by non-expert users, based on a clear and easy readable notice.
Designers and manufacturers should apply the same level of creativity and dynamicity they usually display in introducing attractive devices and apps to also provide individuals with effective and user-friendly privacy notices and setting options. As a result, individuals should be able to set options relevant to their privacy and data protection with the awareness that this is an important element of the devices and apps’ use, in their own personal interest, and not a boring formality or a useless burden. (All page 13)
Finally on Page 17, the conclusions:
mHealth offers a wealth of new opportunities, in terms of better and more responsive healthcare for individuals, better disease prevention and lower healthcare costs for welfare systems and greater opportunities for businesses. However, in order to achieve a situation where all the three categories above may fully benefit from these developments, everyone needs to accept the responsibilities that come with opportunities.
In particular, we draw the attention on the responsibility to individuals and to the need to preserve their dignity and their rights to privacy and self-determination. In a context of rapid economic change and dynamic interaction among various private and public operators, these fundamental principles should not be overlooked and private profit should not translate into a cost for society.
In this respect, data protection principles and rules provide guidance in a sector which is still largely unregulated. If duly complied with, they will increase legal certainty and trust in mHealth, thus contributing to its full development.
Great stuff – sadly there seems no linkage with EU Green Paper responses, or the resultant work underway in the EU on preparing a code of conduct on mHealth data privacy that this editor is on the drafting committee of.