Are health app firms being transparent surrounding the use of personal data?
Hayley Davis and Agatha Claridge, solicitors in the Commercial Technology team at Kemp Little, write about the concerns surrounding health apps and the use of personal data.
A recent study published by the British Medical Journal has warned that many health apps may be selling and sharing personal data without the user’s knowledge.
Advances in digital health products are changing the way consumers monitor health and access medical services. Health apps can now be used to self-diagnose, access services, check and monitor symptoms and research medication. Mobile health apps are quick and convenient for individuals to use and the global market is predicted to be worth over £80 million by 2022. The sharing of vast quantities of data is key to the health app business model, but are companies transparent enough about what they do with the personal data?
The research study revealed that 79% of the health apps tested share personal data, such as browsing behaviour, email address and location, with third parties. Indeed, 55 new third parties were identified as directly receiving the data, including app developers, group companies and other unconnected third parties; those third parties then shared the data with a staggering further 237 entities, which included several credit reference agencies.
Many companies behind the apps justify sharing the data by creating “deidentified” and aggregated data which is then used and shared for their own benefit, such as selling on to pharmaceutical companies, health insurers and other health-related services. More often than not, it is impossible for the consumer to opt out of this data sharing.
What’s the problem?
A lack of transparency when processing personal data is always a cause for concern, but personal data relating to health is defined as a “special category” of personal data under the GDPR and so it is subject to more protections and stricter requirements. Usually, consumers will need to give “explicit consent” for their personal health data to be processed. The requirements for obtaining explicit consent are relatively high and app providers should ask whether they are arming their customers with enough information to understand how their personal health data is going to be used and understand what they are consenting to.
Data breaches are also becoming more frequent, and in a report published last year health-related organisations accounted for a quarter of those incidents. Under Armour, the company that owns diet and fitness tracking app MyFitnessPal, was subject to a significant data breach in early 2018 when personal data relating to 150 million separate accounts was compromised by hackers and sold on the dark web.
Poor data protection practices and weak security design can leave personal data unnecessarily vulnerable and exposed. Last year, PumpUp, a popular fitness app, left a backend server unprotected on Amazon’s cloud, which allowed anyone who had the IP address of the server to see who was signing on and the contents of the private messages being sent between users in real time.
What are the rules?
As well as complying with the rules regarding “special category” personal data, app providers must comply with these other key rules:
- Transparency: data controllers must provide data subjects with a privacy notice containing clear and precise details about what, when and how personal data is processed and with whom it is shared.
- Purpose limitation principle: personal data must only be collected for specified, explicit and legitimate purposes (as set out in the privacy notice) and not for any other purposes.
- Data minimisation principle: any personal data collected or processed must be limited to what is necessary for those purposes. If unnecessary personal data is collected, this leaves organisations open to increased risk in the event of a breach.
- Data subject rights: data subjects have a broad suite of rights under the GDPR, including the right of access to, rectification and erasure of their personal data, and the right to object to the processing of their personal data. Controllers must provide a simple and convenient mechanism through which data subjects can exercise these rights.
What does it all mean?
While the benefits and convenience of mobile health apps far outweigh most consumers’ privacy concerns, this is likely to change as users become more data savvy and aware of data issues. What’s more, the hefty fines facing BA and hotel chain Marriott for data breaches should serve as a warning that the Information Commissioner’s Office may take an extremely tough stance with any business that fails to safeguard consumers’ personal data.