Mobile health or 'mHealth' applications commonly raise
complex privacy issues as a result of processing large amounts of
sensitive personal data. Following the publication of its Green
Paper on the topic in 2014, the European Commission has recently
published a draft code of conduct on privacy for mobile health
applications ('the code').
The code provides targeted guidance setting out how mHealth
application developers can create products that comply with the
stringent requirements of European data protection legislation,
including those of the Data Protection Directive (Directive
95/46/EC) and the forthcoming General Data Protection Regulation.
The code covers topics including:
- How to obtain the consent of users
- Which data protection principles should be taken into account during development
- Information that should be provided to users (including the use of privacy notices and privacy policies)
- Security measures and what to do in a data breach
- Advertisements and marketing (including information about opt-in and opt-out consent)
- The use of personal data for 'secondary purposes' such as 'big data' analysis
- Disclosures to third parties
- Transferring data within and out of the EU/EEA
- Collecting data from children
The final version of the code will not be automatically binding
on mHealth app developers. However, when in force, those developers
who wish to declare their adherence will be required to submit a
privacy impact assessment. Acceptance of an impact assessment by
the relevant monitoring body will lead to the inclusion of the
application and its developer on a public register.
The final version of the code will be prepared following its
examination by the Article 29 Working Party, which may approve or
suggest re-drafts. However, mHealth application developers may find
it helpful to draw on the draft code in the interim, given the
current lack of advice in this area.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.