New developments in health data processing (May 2015)

The increasing popularity of lifestyle and wellbeing apps and devices, allowing people to share all kinds of personal data concerning personality, body and behavioural patterns has recently prompted the European Commission to address concerns about data privacy in this sector. While the Data Protection Directive sets a high level of protection for health data, it does not define the scope of this particular data category. Therefore, the Commission requested the Article 29 Working Party to clarify the scope of health data in the context of wellbeing and lifestyle apps.

New definition of health data

As requested by the Commission, the Article 29 Working Party provided a definition of health data as well as a set of criteria to determine in which cases personal data should be considered health data within the meaning of the Data Protection Directive. Except for data that can be clearly classified as medical data (such as data on diagnosis, treatment, disabilities etc.) there are grey areas including data broadly referred to as lifestyle data. According to the new guidelines, these data must be assessed not only based on their character but also based on their intended use, either on their own or in combination with other information. The Article 29 Working Party designed a legal test which determines that a lifestyle data should be treated as health data when such data is inherently medical or when raw data sensed by a device can be used, by itself or in combination with other data, to draw inferences about the health status or health risk of a person, regardless of whether inferences are accurate, legitimate, adequate or not.

Impact of the new guidelines

In addition to clarifying the scope of health data, the Article 29 Working Party’s guideline outlines rules for their processing. To the extent the data is not transmitted outside the user’s lifestyle and wellbeing app, the data fall outside the remit of the Data Protection Directive as their use qualifies as purely personal use. If the processing of the health data does not occur solely on the device, such processing is allowed only in limited circumstances and in most cases would require explicit consent of the data subject. The Article 29 Working Party also opined on the scope of information that should be provided to the users before they install the app or buy the device and on security measures to be implemented.

The new definition of health data is a welcome step forward that will reduce ambiguity over what does and what does not constitute health data. The legal test proposed by the Article 29 Working Party is far from perfect, but provides for some much needed guidance and clarifies that not all data processed in the medical and wellbeing industry will necessarily have to be treated as health data. The providers of cloud-based solutions for the healthcare sector in particular will certainly welcome this greater clarity over health data that will help them to comply with regulatory requirements.