Apps and wearables

Last week you learned that medical data is part of health data and that this is a special categories of data according to Article 9 GDPR. Besides this legal protection of health data, we saw that doctors and healthcare professional are also bound by their oath and their contract to make sure your medical data cannot be shared with just anyone.

Where medical data is limited to data in the doctor – patient relationship, health data can also exist outside of the medical context. In that situation it is still considered sensitive data and this kind of data cannot be processed, unless one of the exceptions mentioned in paragraph 2 and 3 of Article 9 GDPR are met, such as if Anna gives her explicit consent. So if Anna wants to keep track of her health during her pregnancy and uses an app to do so, the app is processing her personal health data. Processing of personal health data could also take place via, for example a wearable such as a Fitbit, social media or online trackers. And since the processing of sensitive data is generally prohibited, it is important to determine what health data exactly entails.

What is health data?

You already saw in Week 1 that the definition the GDPR gives to data concerning health can be found in Article 4. It is defined as personal data related to the physical or mental health of persons, including the provision of healthcare, which reveal information about a persons’ health. If you read this definition carefully, you will probably realise that this is a very broad definition. As soon as personal data reveals information about a persons’ health, it is considered as health data.

The preamble to the GDPR gives some practical examples of what is covered by the definition of health data. It includes for example information on a disease, a disability and even a disease risk. So, for example, information about a person’s obesity, high or low blood pressure, genetic predisposition, but also information on tobacco consumption are part of health data. All these examples are linked to a disease risk of a person. If, for example, Anna smokes, this could increase her risks of getting lung cancer. Having high blood pressure, could endanger her pregnancy. And her genetic predisposition could reveal risks on future diseases she is not even aware of yet.

Furthermore, the preamble adds that it does not matter what the source of the information on a disease, a disability and a disease risk is. This is of importance, since it means that the source of the information is not limited to medical devices. As a consequence, information processed by a commercial app or wearable could also be part of this category of sensitive data.

This does not mean that this type of data cannot be processed, although paragraph 1 of Article 9 GDPR does prohibit it. One of the main exceptions used by commercial health apps, is the first exception of paragraph 2. If the data subject gives explicit consent for the processing of health data, paragraph 1 does not apply. So, if Anna wants to use a health app and she consents to the app processing her personal data, she lifts the prohibition of paragraph 1. Which means that in the end, it is up to you to decide whether you want your personal health data to be processed in a commercial setting.

Do you think it’s a good thing that data subjects such as yourself are given this option? How do you feel about the prospect of having your data processed in a commercial setting? Could it be harmful? Might there be benefits? You can discuss this with other learners on the discussion board.