knowledge 9 January 2015 |

Apple HealthKit - The Rise of the Mobile Health App and its Data Protection Implications

To the consumer the most obvious manifestation of the new framework is the Health app, which provides a user with access to aggregated health related data from an iPhone’s own internal sensors and any apps that have implemented the framework. To developers the HealthKit framework promises a simple and easy way to allow their apps to connect with other apps, and therefore sources of health data, to provide a richer experience for users. The apps that will use HealthKit range from the common running and sleep tracking fitness apps, to apps being developed for use in a clinical setting in relation to specific disease management.

The HealthKit Framework and Sensitive Personal Data

In developing HealthKit, Apple has been conscious that the data which forms the core value of the framework is likely to be sensitive personal data (under Irish law the relevant part of the definition of sensitive personal data is data in relation to “the physical or mental health or condition of a data subject”). This is reflected in the restrictions that Apple places on apps that use the HealthKit framework both in the iOS Developer Terms of Use and in the App Store Review Guidelines. The key restrictions are that:

• apps may not use end-user data gathered from HealthKit for advertising or other use-based data mining purposes other than improving health, medical, and fitness management, or for the purpose of medical research;
• apps may not share end-user data acquired via HealthKit with third parties without end-user consent, and such data may only be shared with third parties to enable them to provide health and/or fitness services; With the launch of iOS 8 Apple included a new developer framework called HealthKit. The premise of HealthKit is simple: an operating system wide structure which health and fitness apps can use to share data. As part of a suite of new APIs and frameworks, Apple is seeking, through HealthKit, to place itself at the heart of the ecosystem of the increasingly popular health and fitness app market. Apple HealthKit - The Rise of the Mobile Health App and its Data Protection Implications
• apps using the HealthKit framework must indicate integration with the Health app in their marketing text and must clearly identify the HealthKit functionality in the app’s user interface; and
• apps using the HealthKit framework must provide a privacy policy that clearly discloses to end-users how the app will be using their health and/or fitness information.

These restrictions are augmented by the design of the HealthKit framework itself, which requires specific user consent before it will share data between an app and HealthKit. However, from a developer’s perspective, in order for that consent to be sufficient to allow the processing of a user’s sensitive personal data the developer will need to be able to demonstrate that it is: ⁽ⁱ⁾ fully informed, ⁽ⁱⁱ⁾ freely given, and ⁽ⁱⁱⁱ⁾ explicit. Whilst the latter two principles may be satisfied by the consent gathered through the HealthKit framework, the requirement for fully informed consent will be satisfied through the use of an appropriate privacy policy that is created by the developer.

Sensitive Personal Data and Privacy Policies

A privacy policy for an app that accesses health and/or fitness data should include the following information:

• details about the company that owns the app and will act as data controller (eg name, address and contact details);
• the types of data that will be gathered by the app (eg pulse, sleep patterns, blood pressure etc) and how it is collected;
• how the app will use the personal data that it collects and details of any third parties that it may share it with, keeping in mind the restrictions put in place by Apple that are described above; and
• whether personal data will be stored or transferred outside of the EEA.
• Details of end-users’ right to be given access to their personal data, and to have any inaccuracies corrected, under the relevant implementation of the EU Data Protection Directive 95/46/EC.

Once a privacy policy has been drafted it then needs to be incorporated into the app in a way that ensures that it is brought to end-users’ attention prior to personal data being processed, and that explicit consent to data being processed in accordance with the privacy policy is obtained (e.g. through a tick box or other control). In the initial batch of apps that have incorporated the HealthKit framework, many have included a control during the initial app setup phase that brings up the HealthKit sharing page to gather end-user consent to sharing. Unfortunately, this control appears before the user has been given access to the privacy policy, and there is no specific mention of the privacy policy when the consent is gathered. As such, the consents that are gathered to share and access health data using the HealthKit sharing page may not be “fully informed” within the meaning of the EU Data Protection Directive 95/46/EC.

As the above demonstrates, in all mobile apps that gather personal data, but particularly those that gather sensitive personal data, it is important to consider data protection at an early stage in the design process of the app. This will ensure that a compliant privacy policy is available when the app is ready to go live, and that the UI of the app incorporates the privacy policy and the capturing of consent effectively. Whilst this approach may involve dedicating scarce resources to what might not be considered a core aspect of app development, a compliant and well thought our privacy policy should be considered a key part of the minimum viable product for any app that uses the HealthKit platform.