Insights
Keep up to date with our latest insight pieces, news and industry developments. See below for the latest posts or use the categories to hone your search for stories of interest.
Rather listen? The WABChats Podcast provides engaging and informative conversations with contacts, clients, advisors and friends of White & Black Limited. Listen Now.
mHealth Draft Privacy Code of Conduct Released
The Draft Code of Conduct on privacy for mHealth apps has been finalised and provides useful guidance for mHealth app developers.
Earlier this month, the European Commission published its final “Draft Code of Conduct on privacy for mobile health applications” (the Code). The Code, once finalised, is intended as a best practice guide on how European data protection legislation should be applied when developing apps which process health-related personal data (mHealth apps). Whilst much of the Code reflects the requirements in the EU Data Protection Directive and the new General Data Protection Regulation (GDPR), in places it goes further and provides specific guidance on measures / requirements that can be taken by mHealth app developers.
Issues specifically covered by the Code include:
- How to obtain a user’s consent and that users must be able to withdraw their consent.
- Information that must be provided to users.
- Data retention and security measures that should be in place.
- Principles in relation to in-app advertising (including specifying situations where the user must “opt-in” if they are to receive advertisements).
- Use of personal data for secondary purposes (eg, big data analysis).
- Disclosing data to third parties for processing operations and the requirement to enter into a binding legal agreement (covering matters such as security obligations required from the third party and the purpose for which the data may be processed) with any such third party.
- The restrictions on, and methods for, transferring data outside of the EEA.
- Actions that need to be taken in the event of a data breach.
- Requiring parental consent from child users.
As the Code is intended as best practice, adherence to its terms is voluntary. However, as a “carrot” to encourage adherence, where an mHealth app developer’s “privacy impact assessment” is approved, the developer’s name and the name of their app will be published on a centralised public register. In addition, approved app developers will be entitled to apply “trust marks” to the related mHealth app.
WAB Comment
By their nature, many mHealth apps require users to provide extremely intimate personal information. Accordingly, instilling trust that users’ data will be kept in the strictest of confidence, and will be processed fairly, is fundamental to the success of mHealth apps. Adherence to the Code (once finalised) will hopefully go a long way in providing this trust.
Whilst still in draft form, it would be prudent for mHealth app developers to pay close attention to the requirements in the Code, and to start considering what changes will be needed if they wish to be included on the approved register.
App developers looking to future proof their data protection policies should note that adherence to an “approved” code of conduct is actively incorporated into certain compliance and enforcement mechanisms in the GDPR. In addition, the GDPR provides that adherence to a relevant approved code of conduct may form the basis for lawfully transferring personal data outside the EU provided that certain stipulated conditions are met. While the Code (even once finalised) is not “approved” under the GDPR, it may form the base for an approved code of conduct in future.
White & Black would be delighted to help with any questions you may have on the Code.
BREXIT NOTE: Please click here to see our blog post in relation to how the GDPR will apply to the UK post-Brexit.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.