Despite the UK’s forthcoming exit from the EU, there will still be new European legislation that UK companies will have to comply with between the legislation introduction and the UK’s exit, says Philip Hannay, MD of Cloch Solicitors.
Philip works closely with entrepreneurs who may be affected by this new ruling, so he asked Cloch’s Stirling University intern Kathryn-May Forrest to look at the implications. Kathryn-May reports:
We live in a society which is increasingly reliant on technology for communication, work and leisure. This ubiquitous connectivity is something which many now take for granted.
Wearable technology is at the heart of this progress. From the early iterations of Google’s ‘Glass’ smart glasses, to the more humble fitness tracker, wearable technology is all around us, now more than ever.
This onslaught of new wearable technology has driven an increase in the volume of ‘mHealth’ data available; data which is collected through fitness trackers and apps on mobile phones.
Such data often includes an individual’s physical activity, height, weight, sleeping patterns and diet, and presents a myriad of opportunities to business and healthcare, from targeted advertising and time- or location-limited offers to improved medical research and remote diagnosis. However, to be usable at all, mHealth data must be collected and processed lawfully.
Under the current EU Data Protection Directive (95/46/EC) and the Data Protection Act 1998, mHealth data is, by its very nature, likely to be considered sensitive personal data, as it includes information about a subject’s physical health.
As such, the subject (the wearer of a fitness tracker or smartwatch) will in practice need to give explicit consent before the data can be collected and processed, explicit consent being the Schedule 3 condition relevant to this kind of processing. Consent is not defined in the 1998 Act; however, the Directive (Article 2(h)) defines it as “…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”
The Information Commissioner states that consent must be express, and given in knowledge of the specific details of the processing: the data or type of data to be processed, the purpose of the processing, and any potential disclosure to a third party or other relevant information.
The new EU General Data Protection Regulation (GDPR), which applies from 25 May 2018, tightens the restrictions on the collection and processing of mHealth data in the EU.
mHealth data falls within Article 9, which covers the ‘special categories of personal data’ (the GDPR’s term for what the 1998 Act calls sensitive personal data), and as such its collection requires a much higher threshold of consent than it did previously. Under the GDPR, a user must consent to the collection and processing of such data through a clear affirmative action, and that consent must be informed, revocable, unambiguous, specific and explicit.
The GDPR does not only raise the threshold for consent to the collection and processing of data. Article 25 concerns Data Protection by Design and by Default, and gives the manufacturers and providers of wearable technology food for thought.
Before now, the adoption of Data Protection by Design had been entirely voluntary, though it was considered best practice. Now, the GDPR requires a data controller, “having regard to the state of the art and the cost of implementation…[to] implement appropriate technical and organisational measures” to meet this requirement, including but not limited to robust internal policy and practices such as pseudonymising personal data, improved security features and increased transparency, allowing the subject to see the data collected about them.
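The pseudonymisation and transparency measures mentioned above are the part of Article 25 a wearable vendor actually has to engineer. The following is an added illustration written for this article, not code from Cloch Solicitors or from any device vendor. It assumes a backend that receives flat records with the field names shown in the constructed sample below, and that the controller keeps the pseudonymisation key apart from the analytics dataset (the GDPR’s Article 4(5) definition of pseudonymisation turns on that separation). It strips direct identifiers, replaces the user ID with a keyed pseudonym, coarsens height and weight so that unusual exact values do not single a person out, and shows how the key holder can still give a subject a copy of everything held about them.

```python
"""Pseudonymising mHealth records before they reach an analytics store.

Added example for this article; not the article's own code nor any vendor's.
Assumptions: records are flat dicts using the field names in RAW_RECORDS
(constructed sample data), and the controller stores the key separately
from the pseudonymised dataset.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List

# Constructed sample input: what a fitness-tracker backend might hold per daily sync.
RAW_RECORDS: List[Dict] = [
    {"user_id": "u-1001", "name": "A. Example", "email": "a@example.org",
     "device_serial": "FT-0001", "height_cm": 171, "weight_kg": 68.4,
     "steps": 8421, "sleep_minutes": 412, "day": "2017-06-01"},
    {"user_id": "u-1001", "name": "A. Example", "email": "a@example.org",
     "device_serial": "FT-0001", "height_cm": 171, "weight_kg": 68.1,
     "steps": 10230, "sleep_minutes": 388, "day": "2017-06-02"},
    {"user_id": "u-1002", "name": "B. Example", "email": "b@example.org",
     "device_serial": "FT-0002", "height_cm": 158, "weight_kg": 54.0,
     "steps": 6012, "sleep_minutes": 451, "day": "2017-06-01"},
]

# Fields that identify the subject directly and have no analytical value.
DIRECT_IDENTIFIERS = {"user_id", "name", "email", "device_serial"}


def new_pseudonym_key() -> bytes:
    """Key held by the controller, stored apart from the analytics data (assumed setup)."""
    return secrets.token_bytes(32)


def pseudonym_for(key: bytes, user_id: str) -> str:
    """Keyed pseudonym for a user ID.

    HMAC rather than a bare hash: user IDs are low-entropy, so an unkeyed
    SHA-256 could be reversed by hashing every plausible ID. Without the key,
    the analytics dataset alone cannot be linked back to a person.
    """
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def coarsen(value: float, step: int) -> int:
    """Round a quasi-identifier to a band of `step` units (e.g. 5 cm / 5 kg)."""
    return int(round(value / step) * step)


def pseudonymise(record: Dict, key: bytes) -> Dict:
    """Drop direct identifiers, add the keyed pseudonym, band height and weight."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudonym"] = pseudonym_for(key, record["user_id"])
    out["height_cm"] = coarsen(record["height_cm"], 5)
    out["weight_kg"] = coarsen(record["weight_kg"], 5)
    return out


def pseudonymise_all(records: Iterable[Dict], key: bytes) -> List[Dict]:
    return [pseudonymise(r, key) for r in records]


def has_direct_identifier(record: Dict) -> bool:
    """Check used before anything is written to the analytics store."""
    return any(k in record for k in DIRECT_IDENTIFIERS)


def subject_export(dataset: Iterable[Dict], key: bytes, user_id: str) -> List[Dict]:
    """Transparency: return every analytics row held about one subject.

    Only the key holder can recompute the pseudonym; a party holding just the
    dataset (or a different key) gets nothing back.
    """
    target = pseudonym_for(key, user_id)
    return [r for r in dataset if r["pseudonym"] == target]


if __name__ == "__main__":
    key = new_pseudonym_key()
    analytics = pseudonymise_all(RAW_RECORDS, key)
    assert not any(has_direct_identifier(r) for r in analytics)
    for row in analytics:
        print(row)
    print("rows for u-1001:", len(subject_export(analytics, key, "u-1001")))
```

The banding step and the choice of direct identifiers are the judgement calls here: a device serial is treated as a direct identifier because it can be tied to a purchase record, while steps and sleep minutes are left intact since they are the data the processing exists for. Rotating the key produces a fresh set of pseudonyms, which is a simple way to stop long-term tracking across datasets, at the cost of having to re-derive pseudonyms for any subject access request made against older data.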
Once it applies, the GDPR will provide a much more coherent EU-wide framework for data protection, and the additional protections offered to mHealth data collected through wearables are likely to promote confidence in the security and safety of this burgeoning technology.
The requirement for Data Protection by Design, together with the higher threshold for consent, is likely to produce more robust policy and procedure in this area, and to give the end consumer greater peace of mind about the collection and processing of what is highly sensitive data.
By Kathryn-May Forrest, University of Stirling, Cloch Solicitors 2017