WP29 release letter on scope of health data - DAC Beachcroft
DAC Beachcroft
Show/Hide Tags

WP29 release letter on scope of health data's Tags

Tags related to this article

Download PDF Print page

WP29 release letter on scope of health data

Published 21 February 2016

WP29 were asked by the EC to provide clarification on the definition of health data in respect of lifestyle and well-being Apps. In an Annex to the letter of WP29 which responded to the EC, WP29 detailed the criteria to be used to determine health data. In summary, the view of the WP29 is that most of the existing apps relating to well-being are likely to capture data falling within the definition of health data and therefore "Sensitive Personal Data" for the purposes of the DPA. Therefore organisations using these apps need to consider compliance with the additional protections afforded to Sensitive Personal Data.

The Annex to the letter makes it clear that you need to consider the wider context in which data is collected and the purposes for which it used. There needs to be a relationship between the raw data set collected through the app and the ability to determine a health aspect of a person, either from the raw data itself or when that raw data is combined with other data.

Particular considerations are:

  • the intended use of the data;
  • if it is combined with other data, would it be possible to create a profile about the health of an individual, such as risks related to illness, weight gain or loss and the consequential health issues that may arise.

Finally, WP29 suggests that the data protection exception relating to further processing of health data for historical, statistical and scientific purposes should be limited to research that serves high public interests, cannot otherwise be carried out or where other safeguards apply, and where individuals may opt out.

To view the letter, please click here.

What action could be taken to manage risks that may arise from this development?

Many insurers are trialing the use of such Apps to determine what if any conclusions it can make for the purposes of underwriting accuracy.

Financial services companies should note the WP29 working party opinion that such personal data is likely to be sensitive personal data and ensure compliance with the DPA accordingly.

Authors

Hans Allnutt

Hans Allnutt

London - Walbrook

+44 (0) 20 7894 6925

Next Article

< Back to articles

Related articles

Cyber Newsletter - November 2022

By Patrick Hill, Hans Allnutt, Jade Kowalski, Charlotte Halford, Christopher Air

How Secure is Secure? What do recent ICO penalty notices tell us about GDPR security requirements?

By Hans Allnutt

NIS breaches, the national cybersecurity strategy and law enforcement engagement

By Tom Evans

Cyber and Employment Law

By Nicola Geary

Supply Chain Breaches

By Charlotte Halford, Patrick Hill

Understanding Privacy-Enhancing Technologies (PETs)

By Rebecca Morgan, Johanna Lipponen

The EU Data Package

By Charlotte Halford, Christopher Air, Holly Eastwood

UK Legislative Developments and the Impact on Cyber

By Pavan Trivedi

Developments in Canadian Privacy Law

Recent Australian Cyber and Privacy Developments (July-September 2022)

American Data Privacy Protection Act (“ADPPA”): Is the U.S. Finally Getting Federal Data Privacy Protection?

Cyber Newsletter - September 2022

By Patrick Hill, Hans Allnutt

The Data Protection and Digital Information Bill: An Overview

By Jade Kowalski, Charlotte Halford, Christopher Air, Sophie Devlin, Rebecca Morgan

Data And Cyber Bulletin - August 2022

By Patrick Hill, Hans Allnutt

2022 ENISA Report Finds Ransomware Attacks Continue to Dominate the Global Cybersecurity Landscape

By Patrick Hill, Sonali Malhotra

A new Task Force report on Confronting Reality in Cyber Space has been published by the Council for Foreign Relations

By Hans Allnutt, Pavan Trivedi

Former NHS employee prosecuted and fined after illegally accessing patient records without a valid legal reason

By Sophie Devlin, Shanaka Wijetunge

Online Safety Bill at a standstill pending appointment of a new Prime Minister

By Astrid Hardy

When European data regulators disagree: EDPB steps in to resolve a dispute between French and Polish Data Protection Authorities

By Christopher Air, Alexander Dimitrov

Data And Cyber Bulletin - July 2022

By Hans Allnutt, Patrick Hill

This website uses cookies so that we can improve your experience. By continuing to use the site you are agreeing to our use of cookies. For more details please view our Cookies Policy.
DAC Beachcroft