GDPR And Digital Health: Is Your Software 'Fit' For Purpose?

Author: Mr Mark Adair
Profession: Mason Hayes & Curran

Digital health technologies are a growing presence in our day-to-day lives - from the step-counter in your smartphone, to online consultations with a GP, to artificial intelligence (AI) virtual patient monitoring. The term 'digital health' captures technology of varying complexity, all with the similar aim of engaging with and improving an individual's health and lifestyle, while improving efficiency. Given the evolution and rising popularity of these technologies on the consumer market, we look at some important data protection considerations that are setting the tone in this new era of digital health products.

What's so special about health data?

As health, genetic or biometric data is particularly sensitive, its misuse poses greater risks to data subjects. The GDPR therefore designates it as a 'special category of personal data' that must be given additional protections. Digital health technology companies need to take care if processing this category of data.

When trying to make their app 'fit for purpose', our digital health technology clients often ask us questions like:

How do I process health data lawfully?

What privacy notices and pop-up messages should my app display?

If my digital health app uses AI, does that impose any additional restrictions?

Are there any restrictions around using automated decision-making?

1. Processing health data lawfully

Someone can only process special category data lawfully under the GDPR if:

(a) they have a lawful basis for the processing, in the same way as for processing any other personal data. Common examples of a lawful basis under Article 6 of the GDPR are contractual necessity and legitimate interests; and

(b) they can also satisfy one of the exceptions in Article 9(2) of the GDPR. A common example of an exception is the data subject explicitly consenting to the processing of their special category data.

No link between the two is required. In other words, the choice of lawful basis under Article 6 does not affect which Article 9(2) condition can apply; both must be satisfied independently.

Generally speaking, a data controller that provides digital health technologies to users may choose to rely on obtaining the user's 'explicit consent' in order to lawfully process the special category data. Consent has a specific meaning for the purposes of the GDPR: it must be given by a clear affirmative act and be freely given, specific, informed and unambiguous. It must also be as easy for the user to withdraw consent as it was to give it, and any processing that relied on that consent must stop once it is withdrawn.

    For example, if the digital health technology involves the use of a fitness app, the data...