Ireland: GDPR And Digital Health: Is Your Software ‘Fit’ For Purpose?

Last Updated: 29 August 2019
Article by Mark Adair

Digital health technologies are a growing presence in our day-to-day lives - from the step-counter in your smartphone, to online consultations with a GP, to artificial intelligence (AI) virtual patient monitoring. The term ‘digital health’ captures technology of varying complexity, all with the similar aim of engaging with and improving an individual’s health and lifestyle, while improving efficiency. Given the evolution and rising popularity of these technologies on the consumer market, we look at some important data protection considerations that are setting the tone in this new era of digital health products.

What’s so special about health data?

As health, genetic or biometric data is particularly sensitive, its misuse poses greater risks to data subjects. The GDPR therefore designates it as a ‘special category of personal data’ that must be given additional protections. Digital health technology companies need to take care if processing this category of data.

When trying to make their app ‘fit for purpose’, our digital health technology clients often ask us questions like:

  • How do I process health data lawfully?

  • What privacy notices and pop-up messages should my app display?

  • If my digital health app uses AI, does that impose any additional restrictions?

  • Are there any restrictions around using automated decision-making?

1. Processing health data lawfully

Someone can only process special category data lawfully under GDPR if:

  • They have a lawful basis for the data processing in the same way as for processing other personal data. A common example of a lawful basis under Article 6 of the GDPR is contractual necessity or legitimate interests, and

  • They can also satisfy one of the exceptions in Article 9(2) of the GDPR. A common example of an exception is the data subject explicitly consenting to the processing of their special category data

No link between the two is required. In other words, the choice of lawful basis under Article 6 does not affect the special category condition that applies.

Generally speaking, a data controller that provides digital health technologies to users may choose to rely on obtaining the user’s ‘explicit consent’ in order to lawfully process the special category data. Consent has a specific meaning for the purposes of the GDPR and must be given by a clear affirmative act, freely given, specific, informed, and unambiguous.

For example, if the digital health technology involves the use of a fitness app, the data controller may require the user to check an onscreen box indicating his or her consent to the specific data processing in question. In order for this consent to be ‘informed’, the data controller must provide adequate and transparent information to the data subject. An example of how to do this is by displaying a written privacy notice and informing the individual about the right to withdraw their consent at any time.

2. Transparency: privacy notices and information

Data controllers collecting special category health data from users of their digital health technologies face more challenges than those collecting ‘normal’ personal data. Processing personal data in a transparent manner is a key requirement to show compliance with the GDPR. However, fitness trackers and health apps often do not inform individuals exactly what, and how much, of their health data these technologies will process, and for what purposes. To address this, digital health technology companies should be as transparent as possible in the information they show to users about their processing activities.

A good starting point is a carefully drafted and publicly available privacy notice. Under the GDPR, privacy notices must provide clear, intelligible and concise information to individuals on what personal data is collected, and how that data is processed. In particular, when dealing with vulnerable adults or children, information about data processing must be especially transparent; drafting privacy notices appropriate to the level of understanding of these audiences will require special consideration.

Challenges for wearables and apps

A challenge that may arise in the context of mobile apps, wearables and fitness trackers is the manner in which information regarding their privacy is provided to users, and how this disclosure can remain GDPR-compliant. Providing sufficient information to users regarding their privacy may prove a little more difficult with wearables and small-screen devices. With this in mind, digital health technology companies may need to consider alternative means of providing information, for example through the use of easily accessible online privacy notices and appropriate linking and layering of full privacy policies.

AI & Transparency

Digital health technology companies, and in particular those who deploy “black-box” or complex AI interfaces, need to consider a number of issues in relation to transparency. Before launch, they must ensure that they are able to show users clear and detailed information about how their technologies will collect and process health data. They need to balance this against their own desire to protect their own trade secrets and details about any customised AI algorithms they deploy.

3. Minimising data vs. maximising AI: striking the right balance

The GDPR principle of ‘data minimisation’ means that a processor is only allowed to process ‘adequate, relevant and limited’ personal data.

Digital health technology companies need to pay particular consideration to this rule and how they can reconcile it with their own AI technologies, which often collect data automatically and require large volumes of data to work most effectively.

In many ways, AI technology is in its infancy. Nevertheless, adopting a restrictive approach from the outset that limits how the technology can collect and process data may not be ideal for developers. AI technology struggles to learn from minimal amounts of data, which would make it less useful to a user. Developers may also, in turn, have less incentive to create and improve it if they don’t have the volume of data they feel they reasonably need.

The real challenge will be how to reconcile the requirements of GDPR with the realities of AI technology.

4. Automated decision-making: Diagnostic decisions and beyond

Under Article 22 of the GDPR, if a decision will have a significant effect on an individual, human intervention is required at some point in the decision-making process. This will likely come into play for digital health companies if, for example, AI technology is making diagnostic decisions, or a company is basing decisions in relation to health insurance on data from a health-tracking app.

The automated decision-making principle applies more strictly when processing health data. A company can only rely on explicit consent, contractual necessity, or specific authorisation under EU or Member State law if the data subject has given explicit consent for specific purposes, or the processing is necessary for reasons of substantial public interest. Both of these exceptions still require measures to be in place to protect the data subject’s rights.

Since the implementation of the GDPR we have seen a general move away from a consent-based approach to permitting the processing of personal data. Despite this, explicit consent by the data subject is still likely to be the primary option for companies wishing to process health-related personal data using automated decision-making technology. This is because it may be difficult to satisfy the alternative options of contractual necessity or substantial public interest.

Any consent an individual provides always has to meet the GDPR requirements. The health technology should facilitate the exercise of data subjects’ rights, e.g. it is accurate in its decision-making, it is non-discriminatory, individuals have the right to challenge the decision, and so on. We believe that the solution for most AI digital health providers may be to ensure that the AI that underpins the technology is not the only way to make significant decisions about an individual. However, providers will also need to consider the meaningfulness of the non-AI involvement. For example, have they provided employees with robust training to allow them to question the AI decision?

Final thoughts (from the humans)

The obligations imposed by the GDPR may appear daunting to proponents of digital health technology. The potential financial and reputational fall-out from a technology that gathers unnecessary amounts of personal data, and which is technically insecure, could be significant for an organisation.

Despite this, it is possible to develop practical digital health technologies that meet these requirements. The best examples we see often occur through active engagement with, and joint consideration of, both the technology itself and the legal principles that underpin it. If companies do this at the outset, bringing together their technical, commercial and legal stakeholders, they should be well positioned to manage the complex laws and regulations governing this area, while also providing cutting-edge and revolutionary technologies that have the potential to enhance the lives of their customers.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
