WP29 release letter on scope of health data
Published 21 February 2016
WP29 was asked by the EC to clarify the definition of health data in respect of lifestyle and well-being apps. In an Annex to its letter responding to the EC, WP29 set out the criteria to be used to determine whether data is health data. In summary, the view of WP29 is that most existing well-being apps are likely to capture data falling within the definition of health data, and therefore "Sensitive Personal Data" for the purposes of the DPA. Organisations using these apps therefore need to consider compliance with the additional protections afforded to Sensitive Personal Data.
The Annex to the letter makes it clear that you need to consider the wider context in which data is collected and the purposes for which it is used. There needs to be a relationship between the raw data set collected through the app and the ability to determine a health aspect of a person, either from the raw data itself or when that raw data is combined with other data.
Particular considerations are:
- the intended use of the data;
- if it is combined with other data, whether it would be possible to create a profile about the health of an individual, such as risks related to illness, weight gain or loss, and the consequential health issues that may arise.
Finally, WP29 suggests that the data protection exception relating to further processing of health data for historical, statistical and scientific purposes should be limited to research that serves high public interests, cannot otherwise be carried out or where other safeguards apply, and where individuals may opt out.
What action could be taken to manage risks that may arise from this development?
Many insurers are trialling the use of such apps to determine what conclusions, if any, they can draw from the data for the purposes of underwriting accuracy.
Financial services companies should note the WP29 opinion that such personal data is likely to be sensitive personal data, and ensure compliance with the DPA accordingly.