30 September 2019

Transmission of health data: pitfalls in health apps & fitness trackers

    Digitisation is permeating all areas of life. Within the health care sector in particular, the eagerness to drive the digital transformation is immense, on the part of the state and private actors alike. As a result, the market is already crowded with a variety of fitness trackers and health apps. Even health insurers promote the use of their own apps and the purchase of fitness bracelets with premiums. In view of the growing trend towards self-measurement, this development is no surprise. The digitalisation of the health sector has the potential to significantly improve the quality of medical care: more reliable diagnoses by using artificial intelligence (AI), extensive development of rural areas through new communication channels, drastic reduction of public expenditure by optimising health care.

    The key question: what should be considered when transmitting health data?

    Fitness trackers develop their full potential only in conjunction with a corresponding app that visualises the collected data in an appealing and understandable way. In most cases, users must first register and create a profile in order to fully benefit from the app. This profile and the collected personal data are usually transmitted to a central server, stored there and synchronised continuously. The requirements placed on such data transmission are tightened by the fact that the data to be processed is regularly health data. In addition, hackers are following the development of the self-optimisation market closely, because wearables have become a popular target. Payment data, user data and health data are the focus. From a technical point of view, data controllers must therefore ensure a higher level of data security. So, what should be considered with regard to such transmission?

    Legal challenges – tightened requirements within the health sector

    1. The combination of individual data also leads to personal reference
    Unquestionably, the General Data Protection Regulation (GDPR) applies when data collected via a fitness bracelet or an app (user profile, IP address etc.) is processed, since this data relates directly to a person. In addition, the processing regularly involves particularly sensitive health data. The combination of a fitness bracelet and an app can even allow ECGs to be recorded. In order to receive, for example, optimised training recommendations, the user may enter further data. However, it must be considered that the combination of individual data items may allow conclusions to be drawn about the state of health of the person affected. In this way, the so-called “Body Mass Index” (BMI) can be derived by combining additionally provided data such as weight, age and height. As a result, companies are often unaware of the specific amount of health data they process. However, a complete record of the processed data is necessary in order to fulfil the comprehensive transparency and information requirements under Article 13 GDPR.

    2. Use Privacy Impact Assessment for your own gain
    The common Blacklist of data protection authorities shows: if measured data from sensors installed in fitness bracelets or smartphones (heart rate monitors, acceleration sensors, etc.) is stored centrally, a data protection impact assessment (DPIA) is regularly to be carried out in accordance with Article 35 GDPR. Companies should see this obligation to conduct a DPIA not as a chore, but as an opportunity. DPIAs help companies to evaluate what data they are processing and what they have to be aware of when transmitting data in order to comply with the General Data Protection Regulation. In this way, challenges regarding data protection and data security can be identified at an early stage of development in order to prevent later legal complications and penalties.

    3. Know specific legal bases for the processing of health data
    If health data is processed (including transmission), data controllers cannot rely on the regular legal bases of Article 6 (1) GDPR. Accordingly, the processing of health data remains inadmissible even where one of the legal bases of that article exists. The lawfulness of the processing of health data is governed exclusively by Article 9 (2) GDPR. If health data is collected and processed via a fitness tracker or a corresponding app, the consent of the person affected must regularly be obtained.

    In general, the same requirements apply to the granting of consent under Article 9 (2) (a) GDPR as to the granting of consent under Article 6 (1) (a) GDPR. However, due to the sensitivity of health data and the correspondingly narrow interpretation of exemptions, data controllers should be particularly rigorous when formulating declarations of consent and provide full information about the intended processing. In particular, the fact that the data does not remain on the end device but is transmitted to a central server of the enterprise should be highlighted and presented comprehensively.

    In addition, if companies intend to process the personal data for a purpose which is not necessary for the provision of the actual service, the so-called prohibition of coupling must be considered. For example, if the data is to be further processed for marketing purposes, that consent may not be combined with the central consent form; it must be obtained separately. The same applies in case of transfer to third parties, which is common in the field of health apps.

    Checklist Consent

    • voluntary
    • for certain cases (general consent is inadmissible)
    • delivered in an informed and unmistakable manner
    • understandable and easily accessible form
    • clear and simple language

    4. Choose conscientious data processors
    Server operators on the one hand and providers of apps and fitness trackers on the other are often not identical. Instead, server operation is outsourced to a specialised service provider (so-called outsourcing), who is then able to inspect the personal data. Such a service provider regularly qualifies as a data processor, so that the conclusion of a data processing agreement becomes relevant. In accordance with Article 28 (1) and (3) (c) GDPR, and in order to avoid reportable data breaches, data controllers must ensure by contract that the service provider also adopts adequate, state-of-the-art safeguards for the protection of data (technical and organisational measures) whilst processing health data. This applies especially in the context of highly sensitive health data.

    Due to existing or advantageous infrastructures, companies often fall back on providers from abroad such as Amazon Web Services. In doing so, data controllers must ask the following questions: has the Commission decided by resolution that the respective country provides an adequate level of data protection? Has the provider been certified under the EU-US Privacy Shield? If this is not the case, data controllers and their processors must provide for appropriate guarantees under Article 46 (1) GDPR, such as standard contractual clauses.

    The safety of health data plays a key role

    Data security is of special importance in the context of health data processing. Hackers show increasing interest in wearables and health apps and, unfortunately, providers counter this with appropriate safeguards only in the rarest of cases. This deficiency is critical when it comes to an app that is used by hospitals, e.g. for the purpose of monitoring patients. In this context, the continued availability, confidentiality and integrity of health data is of paramount importance. Compromising single connections and manipulating individual measured data can lead to health-damaging or even life-threatening false diagnoses.

    In addition, data controllers should protect not only the connection between end device and server against so-called “man-in-the-middle” attacks, but also the transfer between wearable and app, as this too is a popular target of hackers. Encryption of connections (Secure Sockets Layer, SSL for short) should therefore be flanked by default by encryption of the transmitted data itself (keyword “hashing”).

    Especially from a technical point of view, that is an opportunity to stand out from the competition.
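
An added example, not part of the original article: a keyed hash (HMAC-SHA256) over each reading lets the app detect measurements that were altered or replayed on the way from the wearable. It provides integrity and authenticity only; confidentiality still requires encrypting the payload. The names `seal` and `Receiver`, the message fields and the key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

def _tag(key: bytes, body: dict) -> str:
    # Canonical JSON so both sides compute the MAC over identical bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def seal(key: bytes, device_id: str, counter: int, reading: dict) -> dict:
    """Wearable side: bind device id, message counter and reading under one tag."""
    body = {"device": device_id, "counter": counter, "reading": reading}
    return {**body, "tag": _tag(key, body)}

class Receiver:
    """App side: accept a message only if its tag verifies and its counter advances."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}  # device id -> highest counter accepted so far

    def accept(self, msg: dict) -> bool:
        if not all(k in msg for k in ("device", "counter", "reading", "tag")):
            return False
        body = {k: msg[k] for k in ("device", "counter", "reading")}
        if not (isinstance(msg["tag"], str) and isinstance(body["device"], str)
                and isinstance(body["counter"], int)):
            return False
        expected = _tag(self.key, body).encode()
        if not hmac.compare_digest(expected, msg["tag"].encode()):
            return False  # reading altered in transit, or sealed with another key
        if body["counter"] <= self.last_counter.get(body["device"], -1):
            return False  # replayed or re-ordered message
        self.last_counter[body["device"]] = body["counter"]
        return True

# Constructed sample key and readings, for illustration only.
KEY = b"constructed-demo-key"

def demo() -> list:
    rx = Receiver(KEY)
    genuine = seal(KEY, "tracker-A", 1, {"heart_rate_bpm": 72})
    tampered = {**genuine, "reading": {"heart_rate_bpm": 180}}
    fresh = seal(KEY, "tracker-A", 2, {"heart_rate_bpm": 75})
    # genuine accepted, tampered rejected, replay of genuine rejected, fresh accepted
    return [rx.accept(genuine), rx.accept(tampered), rx.accept(genuine), rx.accept(fresh)]
```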

    Reliable anonymisation of health data remains a difficult part

    Whenever possible, personal data should be anonymised. The data then falls outside the scope of application of the GDPR, so that there is significantly less administrative effort concerning its use.

    With regard to health data, however, successful anonymisation within the meaning of the GDPR (re-identification impossible) seems doubtful. For example, a 2013 study showed that, among around 60,000 patients, 4 to 5 blood glucose or cholesterol levels are enough to allow unambiguous identification of the affected individuals.

    In this respect, at least the pseudonymisation of personal data should be promoted.
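
An added example, not part of the original article and not a reproduction of the cited study: patient IDs are replaced with keyed pseudonyms, and the share of records that a few known readings single out is then measured, showing why such data remains pseudonymised rather than anonymised. The records, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample: patient id -> five blood glucose readings (mg/dL).
RECORDS = {
    "patient-001": (92, 101, 88, 110, 97),
    "patient-002": (92, 101, 90, 105, 99),
    "patient-003": (85, 101, 88, 120, 97),
    "patient-004": (92, 99, 88, 110, 102),
}

def pseudonymise(records: dict, key: bytes) -> dict:
    """Replace each patient id with a keyed pseudonym (HMAC-SHA256, truncated).

    Without the key, the pseudonyms cannot be recomputed from a list of
    candidate ids, which an unkeyed hash of the id would allow.
    """
    return {
        hmac.new(key, pid.encode(), hashlib.sha256).hexdigest()[:16]: values
        for pid, values in records.items()
    }

def singled_out(records: dict, k: int) -> float:
    """Fraction of records that are the only one matching their first k readings."""
    prefixes = Counter(values[:k] for values in records.values())
    unique = sum(1 for values in records.values() if prefixes[values[:k]] == 1)
    return unique / len(records)

def reidentification_curve(records: dict, key: bytes, max_k: int) -> list:
    """Singling-out rate on the pseudonymised data for 1..max_k known readings."""
    pseudo = pseudonymise(records, key)
    return [singled_out(pseudo, k) for k in range(1, max_k + 1)]

if __name__ == "__main__":
    key = b"constructed-pseudonymisation-key"
    for k, rate in enumerate(reidentification_curve(RECORDS, key, 3), start=1):
        print(f"{k} known reading(s): {rate:.0%} of records singled out")
```

The pseudonyms hide the identifier, but the readings themselves still act as a fingerprint; the key must be stored separately from the pseudonymised data.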

    Recommendation for action and Conclusion

    The data protection and technical challenges associated with the processing of health data are considerable. For this reason, companies must consider their obligations in order to be able to survive on the market of fitness trackers and health apps in the long term.

    In order to avoid data breaches and life-threatening incidents, data controllers should, first of all, ensure particularly secure connections between the tracker, app or smartphone and server. The transfer to third parties should be avoided, if possible. Ideally, companies operate servers on their own. For the purpose of financing, it makes sense to dispense with advertising and, alternatively, develop paid-for apps that impress with particularly high data security levels.
