The European Data Protection Supervisor (EDPS), responsible for protecting personal data and privacy and promoting good practice in the EU institutions and bodies, has published an opinion on Mobile Health.
Opinion 1/2015 Mobile Health (mHealth) discusses the opportunities and potential benefits of the convergence of IT and the health sector, especially the use of mobile apps. The apps can deliver health-related services through smart devices, often processing personal information about health and other lifestyle and well-being information.
The EDPS was concerned about the adverse effect mHealth may have on individuals' rights to privacy and personal data protection, and wanted to highlight relevant aspects that might be overlooked. The opinion builds on existing data protection rules and draws upon the 2013 opinion adopted by the Article 29 Working Party on mobile apps installed on smart devices. It also considers the implications of the potential changes in the proposed General Data Protection Regulation ("GDPR").
The opinion's view is that the following measures, reproduced verbatim, would bring about substantial benefits for data protection:
- The EU legislator should, in future policy making measures in the field of mHealth, foster accountability and allocation of responsibility of those involved in the design, supply and functioning of apps (including designers and device manufacturers)
- App designers and publishers should design devices and apps to increase transparency and the level of information provided to individuals in relation to processing of their data and avoid collecting more data than is needed to perform the expected function. They should do so by embedding privacy and data protection settings in the design and by making them applicable by default, in case individuals are not invited to set their data protection options manually, for instance when installing apps on their smart devices
- Industry should use Big data in mHealth for purposes that are beneficial to the individuals and avoid using them for practices that could cause them harm, such as discriminatory profiling
- The legislator should enhance data security and encourage the application of privacy by design and by default through privacy engineering and the development of building blocks and tools.
In the document's conclusion, the EDPS hopes that compliance with data protection principles and rules will contribute to the full development of the mHealth sector.