Big Challenges for Processing Health Data Under the GDPR
The GDPR treats health data as a special category of personal data. The absence of a definition may lead to uncertainties as to whether certain data qualify as health data, thus broadening the scope of what counts as health data.
Some obvious examples of Health Data:
Clearly some data types are easy to define:
- Body fat %
- Cholesterol level
- Blood sugar
The WP29 Working Party (an advisory body made up of a representative from the data protection authority of each EU Member State) recently declared that the data collected by devices like Fitbit, Garmin etc. are special category data.
Employers are increasingly tempted to provide wearable devices to their employees in order to track and monitor their health and activity within, and sometimes even outside of, the workplace. However, this involves the processing of health data, which is prohibited by default.
Therefore, we need to include any tracking device or technology in this:
The New Reality – Health Data = Special Category Data = A wide range of health, fitness, activity data.
And it gets worse: processing of this data is prohibited unless one of the following exceptions applies:
Provision of the individual's explicit consent. If the individual has purchased a tracking device to use for fitness, then this can be considered explicit consent. The data is being collected to fulfil a legal contract between the controller/processor and the individual.
Consent is never the optimum authorisation to process sensitive data because consent can be revoked. If this is part of a work initiative, it is highly unlikely that legally valid explicit consent can be given for the tracking or monitoring of such data. Due to the unequal relationship between employers and employees, employees are essentially not ‘free’ to give such consent in the first place.
If you are claiming that processing is necessary for purposes in the public interest, or for scientific or historical research or statistical purposes, and you are not a government body, then you should be very hesitant to rely on this exception.
What is the reason for Data Collection?
It is clear from the GDPR that medical data should be processed only for health-related purposes and only when this is in the best interest of the individual. This is especially linked to the consent provided by the individual.
This should also prevent companies from using big data for different purposes, and in particular for marketing or other profitable actions.
Example – you have an app on your phone that records all of your exercises. This app is used by millions of other users throughout Europe. The app company shares all this usage data with a sports shoe manufacturer so they can get a better understanding of where to target their marketing spend, where their customers live etc. Even if the shared data is anonymised (is data ever properly anonymised??) – did the individual specifically consent to this? Is this in the best interests of the individual?
The answers are more than likely no. Companies collecting and processing health data need to define a clear and legitimate purpose for their use of the data.
How secure is the data?
Security of the data is a major concern for all companies dealing with personal data of this nature. Misuse of this data could lead to irreversible consequences for the individual. Security needs to apply to the complete data ecosystem. Companies should ensure that very few employees/developers can access the data, that the data cannot be exported easily, and that, if it is shared, it is fully anonymised.
What if health data is processed in an employer/employee environment?
Earlier we discussed the recent findings from the WP29 Working Party, which further states:
Given the unequal relationship between employers and employees—i.e., the employee has a financial dependence on the employer—and the sensitive nature of the health data, it is highly unlikely that legally valid explicit consent can be given for the tracking or monitoring of such data as employees are essentially not ‘free’ to give such consent in the first place. Even if the employer uses a third party to collect the health data, which would only provide aggregated information about general health developments to the employer, the processing would still be unlawful.
Currently, Real Madrid uses an Adidas GPS monitoring system for all their players. This tracks a lot of data including speed, acceleration, direction etc. This is used to manage how much players train and ultimately reduce injuries. This is a clear and legitimate purpose, but because the players are employees, Real Madrid and Adidas cannot rely on the consent of the players to collect this data.
The amount of data collected also needs to be interrogated. If the system collects 200 data points but the club is only using 20 data points as part of its legitimate purpose, then why collect the other 180 points? The collection of each data point needs to be interrogated and its proportionality verified.
Elite sports might seem like an extreme example but it points to the challenges faced by sports clubs (Controllers), the sports technology companies (Processors) and the individual players (data subjects).
The right to data portability is one of eight rights enforced by the GDPR. It allows individuals to obtain the data being collected on them and then reuse it for their own purposes. The data must be received “in a structured, commonly used and machine-readable format”.
The WP29 Working Party makes special reference to fitness and activity trackers. This includes “observed data [such as] a person’s search history, traffic data and location data [or] other raw data such as the heartbeat tracked by fitness or health trackers”. So for Real Madrid, this could be especially relevant. In July 2017, Alvaro Morata moved from Real Madrid to Chelsea for £60 million. We can assume that Real have a lot of personal and health data that belongs to Morata.
Did Morata ask for all of his personal data to be given to him so he could share it with Chelsea? Probably not, but post-GDPR, this could become the norm.
Is Real Madrid in a position to compile and send all of Morata's data? Probably not.
What about deleting Morata's records when he leaves? Some will be medical data and covered by separate laws, but some of it could be personal data that should be deleted. Real Madrid needs to interrogate each data point.
Are the technology providers (Adidas in the above example) providing any guidance?
What should Controllers and Processors of health data do?
Getting ready for the GDPR is a journey, and may require a number of steps (many of them onerous). It is clear that the sooner you start this process, the better:
Get a Readiness assessment. This is a high-level overview of where the business is. It is never too early to start this.
The readiness assessment will highlight a number of privacy risks. A Data Protection Impact Assessment (DPIA) should be carried out on these risks.
The above actions will provide a sizable To-do list for anyone in the space.