Defining and using health data

What is health data?

If you wear a watch that tracks your level of activity and how fast you can run a 5K and you share that data with me, am I processing your health data? At what point does this type of information about a person become personal data concerning health? Health data from a data protection perspective has historically been broadly defined – so, personal data concerning health “should include all data pertaining to the health status of a data subject which reveals information relating to the past, current or future physical or mental health status of the data subject” (recital 35, GDPR).

Personal data concerning health also includes:

• information about a person’s registration for healthcare services
• any number or symbol that uniquely identifies an individual for health purposes
• information from tests or medical examinations, as well as
• information on a disease, disability or disease risk, medical history and clinical treatment.

Given the increasing use of technology in medical settings and for wellness purposes, it's possible that all the data associated with these devices is health data under the GDPR.

This wide interpretation is consistent with the position of the Article 29 Working Party (as it then was) (WP29) which responded to a request from the European Commission in 2015 to clarify the scope of the definition of data concerning health in relation to lifestyle and wellbeing apps. In its response, the WP confirmed its previous view that a “wide range of personal data…may fall into the category of health data” and it “represents one of the most complex areas of sensitive data”. So information about smoking and drinking habits, data on allergies and membership of a patient support group is all data concerning health.

The WP29 also stated that for data to qualify as health data “it is not always necessary to establish ‘ill health’’’. Since the concept of health data includes “disease risk”, it can also include the potential future status of an individual that is predicted due to their lifestyle, current medical status or hereditary factors.

In effect, health data includes any data from which conclusions can be reasonably drawn about health status. Given this breadth, it's unsurprising that the definition of special category data was expanded in the GDPR to include two related concepts to health data – genetic data and biometric data (when used to uniquely identify an individual).

Special category data

Special category data under the GDPR (which includes the UK GDPR here unless otherwise stated) is a sub-category of personal data and is a continuation of the concept of sensitive personal data under the Data Protection Directive. The rules around the use of this type of data have always been strict – essentially it is prohibited unless an exception applies.

Sensitive personal data was deemed, under the Data Protection Directive, to deserve greater protection due to the presumption that misuse of this data is likely to have more severe consequences for an individual’s fundamental rights. In particular, the WP29 stated that “misuse of health data, including drawing incorrect or unreliable conclusions, may be irreversible and have long-term consequences for the individual…”. This distinction has been preserved under the GDPR.

Of course, use of this data for the benefit of the individual can also have significant advantages for them. Arguably, the more a medical practitioner knows about an individual, the better equipped they are to treat the individual in a personalised effective way. However, there are ethical concerns that the use of health data to predict disease risk or to profile individuals could lead to troubling scenarios where individuals lose opportunities or are treated unfairly because of the decisions made (rightly or wrongly) following an assessment of their health data.

Lawful bases

As health data is special category data under the GDPR, controllers of this data need to have both a lawful basis under Article 6 (Lawfulness of processing) and rely on an exception under Article 9 (Processing of special categories of personal data).

Articles 6 and 9 do not match up neatly. While a controller can rely on a situation where collection of heath data is necessary for performance of a contract under Article 6, there is no equivalent provision under Article 9. Likewise, Article 6 permits processing where the controller is under a legal obligation to do so but Article 9 does not include the same provision.

In many instances, a controller will prefer to rely on the legitimate interest lawful basis under Article 6, but that is not without its complexities. The legitimate interest basis requires the controller to carry out a balancing test to balance the interests of the controller (or a third party) and the individual in relation to the use of the personal data. However, it will not always be obvious that the "legitimate" interest of the controller overrides any prejudice to the individual’s privacy rights.

Identifying an Article 9 exception for use of health data can therefore be complicated. For a start, the GDPR permits Member States to introduce further conditions including limitations for processing health data. Inevitably, Member States' conditions have diverged.  This means that implementing a single approach to lawful bases for use of health data that works for your business across the EU can be difficult. And of course, since Brexit, the UK has even greater scope to introduce further rules on health data as the UK government's proposals for reforming the UK GDPR demonstrate.

Many businesses holding or leveraging health data consider consent to be the answer. If a controller knows that they will have to rely on explicit consent under Article 9, they will rely on consent under Article 6. But reliance on consent is beset with difficulties. For instance, consent must be revocable. In the context of health data being used to support regulatory applications and/or to build dynamic digital products, reliance on consent is frequently practically unworkable.  Furthermore, for clinical trials, an informed consent is required from individuals that is separate from any GDPR consent which adds complexity to the set-up and management of those trials.  For these reasons, life sciences business might prefer to avoid reliance on explicit consent, even where the GDPR allows it.

Two of the exceptions under Article 9 are more obviously geared towards the processing of health data – Article 9(2)(h) and (i). Provision (h) relates to purposes connected with medicine, medical diagnosis, provision of healthcare or treatment, but there must be a professional bound by professional secrecy handling such data. Presumably this can be a professional who is not a healthcare professional, although this is not specifically stated. Recital 53 states that where health data is processed for “health-related purposes” this should be “only where necessary to achieve those purposes for the benefit of natural persons and society as a whole”. In other words, reliance on provision (h) should always involve a benefit. Provision (i) relates to processing necessary for reasons of public interest in the area of public health – processing associated with the ongoing global pandemic would fall within this provision.

What about a non-healthcare controller collecting health data on individuals who are not its employees or workers? It's possible that the only available option is explicit consent unless there is an argument that the processing is for scientific research purposes (Article 9(2)(j)), which is an area the UK government (as set out in its recent proposals to reform data protection law) is aiming to define in greater granularity.  It is also possible that the substantial public interest basis is available (Article 9(2)(g)) but given this varies across different Member States, any pan-EU approach will be complex.

Additionally, there are no bases currently (other than consent) that easily apply in a commercial setting where a business is offering an app or device for use by an individual for monitoring their own health or wellbeing.

Given the necessity of health data for evidencing the safety and efficacy of drugs and devices, as well as the predicted substantial growth in digital health and related healthtech industries, greater certainty over the parameters of health data and the scope of the lawful bases would be welcome. For some time, the European Data Protection Board has indicated it will produce guidelines on the processing of health data for scientific research – they would certainly be useful to help businesses understand the parameters that data protection regulators are setting out in order to inform their own compliance.