Marta Dunphy-Moriel, partner, and Judit Garrido-Fontova, associate at Kemp Little, a London law firm, look at the types of technical risk that can affect digital health businesses.
The evolution of the digital health industry
Over the last decade, the number of digital health businesses has increased significantly. Many organisations are designing and launching devices and applications that help consumers manage their healthcare and wellbeing. Concerns arise when users’ personal data is collected and processed, especially sensitive data. Health, genetic and even biometric data are considered special category data under the EU General Data Protection Regulation (“GDPR”) and UK data protection legislation. Processing special category data requires additional safeguards, which smaller companies may struggle to put in place. Privacy and data protection compliance therefore become a real challenge for many organisations.
Sharing personal data
One of the main aspects to consider is how organisations can share individuals’ personal data, since certain restrictions apply. Under the GDPR, if an organisation acting as controller of the personal data intends to share special category data, it must rely on a valid legal basis for the sharing and, in addition, on a special condition such as explicit consent from the individual or reasons of public interest in the area of public health. Organisations that fail to do so risk processing personal data unlawfully.
Transparency
Normally, it is the data controller who provides a privacy notice directly to individuals. In the field of digital health, however, companies often have to rely on a third party to deliver that information to data subjects. This poses a risk, as the controller may lack control over the final content of the privacy notice. To mitigate this risk, organisations should: (i) identify who will have direct contact with the end customer, and (ii) ensure that contractual arrangements are in place to guarantee that the information provided to individuals is complete, adequate and correct.
In addition, as mentioned above, the explicit consent of data subjects to the processing of their data is required in some cases. Some controllers rely on third-party processors to collect that consent. A risk arises if the processor, acting on behalf of the controller, does not ensure that the controller’s details are included in the consent wording, leaving individuals confused as to who actually controls their data.
Risk of personal data processing by employees
It is important to add that behind digital health businesses there are employees accessing and managing health data. Although they are subject to confidentiality obligations and to internal policies and procedures, and their IT devices may be protected by technical security measures, privacy challenges increase when they bring their own devices or work from home. There are three main challenges:
- A clash between the mixed personal and professional nature of the device and the employee’s expectation of privacy.
- Difficulty in controlling security on devices that the organisation does not own.
- Potential personal data and security breaches.
While organisations may do their best to physically secure devices against loss, theft or use by unauthorised persons, some residual risk always remains. Digital health businesses should ensure that their employees: (i) do not download or transfer any sensitive customer data (for example, individuals’ health-related information) to their own devices, including via e-mail attachments, unless specifically authorised by the customers, and (ii) do not use a device to capture images, video or audio where there is no need to do so or the customers have not authorised it.
Conclusion
Having said that, there is no arguing that data protection compliance is one of the pillars of compliance that companies must address. Failure to comply with privacy requirements can result in high administrative fines as well as reputational damage, especially for entities that process data of a highly sensitive nature, as is the case in the digital health industry.