There have been some pretty big claims about the potential of mHealth. One 2012 study predicted that in 2017 mHealth could potentially save a total of USD $99 billion in healthcare costs across the EU. The European Commission has also actively promoted the importance of mHealth following its 2014 consultation. One of the initiatives to emerge from the Commission has been the Privacy Code of Conduct for mHealth apps. The Code was drafted by a working group set up in January this year; the final draft was published on 7th June and submitted to the Article 29 Working Party for its consideration and approval. If and when it receives the Working Party’s approval, it could be relied upon by app developers wishing to demonstrate a good standard of data protection compliance. The Code is an example of the type of initiative that is increasingly likely to develop under the forthcoming EU General Data Protection Regulation (GDPR), which expressly provides for approved codes of conduct.
The Code is split into two sections.
The first section sets out the purpose and scope of the Code along with the governance mechanism for those developers who wish to adhere to its requirements. The General Assembly will supervise the governance of the Code but has no day-to-day operational tasks or decision-making power. Members of the General Assembly will also provide an annual financial commitment to help underpin the working of the Code. The Governance Board will make decisions on the maintenance, interpretation and evolution of the Code. Separately, a Monitoring Body (designed to meet the criteria for a monitoring body under the GDPR) will enforce the Code. It is the Monitoring Body that reviews applications from app developers wishing to adhere to the Code and maintains the public registry of all app developers who have met its requirements. The Monitoring Body can re-check app developers’ continued adherence to the Code and put in place mechanisms to deal with complaints from individuals.
The second section of the Code sets out the practical guidelines. These are:
- Consent of users: the need to obtain valid explicit consent from the data subject to collect and use their data
- Data Protection Principles – Purpose Limitation, Data Minimisation, Transparency, Privacy by design and privacy by default and data subject rights: these reflect principles at the heart of EU Data Protection rules
- Data Retention: the Code acknowledges that it can be difficult to irreversibly anonymise health data when the retention period expires
- Security: the requirement to carry out a Privacy Impact Assessment and adopt security measures recommended by ENISA
- Advertising on the app: any advertising must be authorised by the user, but the approach differs depending on whether the advertising involves the processing of personal data
- Use of data for secondary purposes: in instances where data could be used for scientific research or other big data analysis
- Disclosing data to third parties: ensuring that there is an agreement in place with the third party is essential
- Data Transfers: complying with the rules around international data transfers
- Data Breach: what to do and whom to notify when a data breach occurs
- Children’s data: when apps are deliberately aimed at children
The development and use of mHealth apps raises a number of privacy issues. In particular, the stakes are higher because the technology is ubiquitous and mobile, and the data is often very intrusive and private to individuals. While we will need to wait and see whether the Working Party gives the Code an unequivocal ‘thumbs up’, it remains a good starting point for app developers. In time it may require some changes to bring it fully in line with the requirements of the GDPR, but its governance framework allows for further amendments in the future.
The Code can be accessed here.