Will health app developers have to protect consumers' privacy?

The European Data Protection Supervisor believes that EU law should compel app developers to be transparent about how they are using data

There are conflicting views on whether healthcare apps are ultimately good or bad for medicine.

There are those, like the NHS's Sir Bruce Keogh, who argue that wearable technology, which of course goes hand-in-hand with healthcare apps, could revolutionise healthcare. And then there are those, such as Des Spence, a GP from Glasgow, who believe that humanity is wasting its time on wearable tech and medical apps.

But no matter what people think about the use case, there are other questions that remain unanswered, and many of those are related to the legislation behind such apps.

European Data Protection Supervisor (EDPS) Giovanni Buttarelli believes that EU law makers should "foster accountability and allocation of responsibility of those involved in the design, supply and functioning of apps" when it comes to setting out future policy on mobile health (m-health).

In a paper, Buttarelli acknowledges that these apps could improve healthcare and the lives of individuals, but he goes on to argue that businesses within the m-health market must "respect the [EU] data protection rules and be accountable for their data".

He believes that health apps should make it clear to users how their personal data will be processed, and that data should only be collected for the "expected function" being performed by that app.

Matthew Godfrey-Faussett, a partner at law firm Pinsent Masons, said that this would be a complicated process because of different legislation in different regions.

"The problem with these apps is that they are not used in specific geographies, they are used globally, so changing one piece of national legislation in the UK doesn't fix the problem, because you have similar [issues] in the rest of the EU and elsewhere," he told Computing.

He added that an easier way, at least in Europe, would be to change EU legislation so that all EU member states are covered - and indeed, this is something that is about to happen with the new data protection legislation which is scheduled to come out in the next 18 months or so.

"Tightening up or bringing in some app-specific laws to deal with managing the data is the first thing that would need to be implemented. [The new data protection regulations] will be an important step forward to bring legislation in line with modern technology," Godfrey-Faussett said.

Medical device regulations should also be considered, he added.

"[These regulations] focus on things which the law classifies as a medical device, and therefore they need to go through a more detailed approval of use.... So apps that may have an impact on someone's life, if say it monitored a chronic condition and medical decisions were being made on the back of it, would need to be tested to ensure accuracy," Godfrey-Faussett explained.

He said that the medical devices legislation is also going through an upgrade but will still represent a challenge for app developers to comply with. For example, if they are working in the UK and launching in the UK, and therefore complying with UK legislation, they will come under different legal scrutiny in the US - which may be a bigger market for them.

In his paper, Buttarelli calls for an increase in transparency from app developers and stores, emphasising the necessity for user opt-outs.

"Users should be better informed on processing of their data and allowed, timely and effectively, to give and/or revoke consent or opt out from processing where relevant," he writes.

So is there nothing in current legislation that could be applied to these healthcare apps, such as legislation regarding other applications used on desktops and laptops?

"Not really," said Godfrey-Faussett, "because you're dealing with a different thing; with laptops you're using the internet and the data is being held by a third party potentially and being used for a range of purposes, but you as a user tend to be generating that data - so you're either letting a cookie get that data or you're inputting the data yourself.

"With a medical app the data is being generated automatically, and it's the most sensitive data because it is health data and as a user you have no idea what data is being generated," he said.

This could include GPS data pinpointing the user's whereabouts if they are out running. Godfrey-Faussett said that there are numerous ways that this extra data could be used - such as by employers to determine how healthy employees are or whether an individual was actually off sick. He said there have already been examples of health insurance providers offering consumers cheaper cover if they supply more data about themselves from things like mobile apps. And of course health insurance companies may be able to go straight to the mobile developers to get hold of that data - potentially affecting an individual's health insurance premium.

This is why Buttarelli has suggested that there needs to be legislation to ensure that mobile app businesses are not selling this data to third parties without consumer consent.

But even if such legislation were to exist, how would anyone know whether an app developer was using data in ways it isn't allowed to?

Godfrey-Faussett again: "The refreshed legislation would say 'if you are putting this app with this capability out there, you are required only to gather and use data in accordance with the [legislation] with the data subject'."

This would mean that before downloading the app from the app store, users would first be provided with information by the developer about how the app will share the consumer's data.

"If they do misuse the data [the consumer] can complain to the regulator and state that they were told it would do x, y and z but that the firm used it for a, b or c.... and the regulator has the powers of audit," said Godfrey-Faussett.

"Over time you will start getting apps that are trusted and ones that are not," he added.