ICO to examine data protection and privacy implications of connected medical devices

ICO interest in medical devices precedes further EU regulation under the new Data Protection Regulation

The Information Commissioner's Office (ICO) is to examine the use of medical devices in the healthcare sector, and has published a survey asking how such devices affect the collection and use of personal information.

It follows claims last month by the ICO that data generated by wearable medical devices should be considered personal information and should therefore fall within the scope of the Data Protection Act.

"We are examining the use of medical devices in the NHS and healthcare sector, including how the technological profile of devices has evolved, the use of mobile devices and medical apps," the ICO said.

"We are interested in how these devices are integrated into the wider healthcare technological landscape, and to help us we are seeking the views of the professionals who administer and support medical devices, and of data protection and compliance specialists, and other interested stakeholders."

Matthew Godfrey-Faussett, data protection law and digital health expert at law firm Pinsent Masons, told the firm's own Outlaw.com website that the survey is likely to be just the start of an increasing focus on digital health initiatives by the ICO.

"With the new EU Data Protection Regulation inching closer and further changes in the regulation of medical devices at EU level also on the horizon, the ICO will need to be on the front foot in developing and revising its guidance in real time," Godfrey-Faussett said.

He continued: "This survey is a signal that the ICO is going to be doing a lot more in this area. Those developing and launching digital health apps and related solutions need to be proactive in monitoring the ICO's position as it develops, in order to minimise the cost and delay associated with compliance redesign work."

The popularity of connected wearable medical devices, which can monitor signals such as heart rate or count the amount of physical activity the wearer does during the day, has boomed in recent years. However, there is growing concern over what information is transmitted to third parties, where it might end up and how it may be used.

In addition to increased attention at the EU level, the issue has also caught the attention of the US government. For 2015, the Office of Inspector General (OIG) for the US Department of Health and Human Services has said it will examine whether "oversight of hospitals' security controls over networked medical devices is sufficient to effectively protect associated electronic protected health information (ePHI) and ensure beneficiary safety".

The OIG added that links between "computerised medical devices", including kidney dialysis machines, connected radiology systems and medication dispensing systems, and electronic patient medical records had created "a growing threat to the security and privacy of personal health information".