Give Your Mobile App a Clean Bill of Health
A Guide to Data Privacy to Ensure Your App is Legally Compliant

Determine your legal responsibilities for data privacy during mobile app development.
Key insights and examples for the data privacy regulations of the European Economic Area that you need to be aware of.
A comprehensive how-to guide for anyone involved in mobile healthcare and app development.

Author: Emily Hay, Jan Dhont, Lorenz International Lawyers
Editor: Craig Sharp

Disclaimer

The information and opinions in this report were prepared by eyeforpharma (FC Business Intelligence) and its partners. FC Business Intelligence has no obligation to tell you when opinions or information in this report change. eyeforpharma makes every effort to use reliable, comprehensive information, but we make no representation that it is accurate or complete. In no event shall eyeforpharma (FC Business Intelligence) and its partners be liable for any damages, losses, expenses, loss of data, loss of opportunity or profit caused by the use of the material or contents of this report. No part of this document may be distributed, resold, copied, or adapted without eyeforpharma's prior written permission.

FC Business Intelligence Ltd
eyeforpharma: Give Your Mobile App a Clean Bill of Health. For more pharma business intelligence visit

Contents

Introduction
Applicability of the Data Protection Directive (Context; The law; In practice; Example)
Applicability of the EU e-privacy Directive (Context; The law; In practice; Example)
Determining responsibility: controller/processor concepts (Context; The law; In practice; Example)
Data minimisation, proportionality principles (Context; The law; In practice; Example)
Notice and Consent (Context; The law; In practice; Example)
Sensitive information and subcontracting (Context; The law; In practice; Example)
Conclusion
Glossary

Introduction

With growing interest in privacy from both app users and various authorities, now is the moment to ensure that your mobile app is in line with data protection best practice. As the marketplace floods with all kinds of medical apps for mobile devices, these apps are also creating new relationships, bringing patients directly in contact with app developers who may not be accustomed to handling sensitive health information.

It may seem that change is happening too fast for the law to keep up. In reality, however, many relevant laws are already in place and users and regulators alike are waking up to how they apply. Apart from the thorny issue of when a smart device becomes a medical device, there are data protection and privacy obligations to take into account. [1] Recent guidance papers, issued by regulators in Europe and the US, raise many privacy concerns, highlighting the fact that regulators are alert to privacy and data protection issues, and want them prioritised when developing and operating apps. [2] This is of particular importance for medical apps which make use of sensitive health information.

One significant aspect of the proliferation of medical apps is that it brings app developers into direct contact with patients. Previously, medical diagnosis, advice and treatment were the exclusive domain of healthcare professionals. There are many apps now stepping into this field, including apps to track illnesses such as asthma or diabetes, or to manage medications. These apps may be monitoring health symptoms and indicators, recording health incidents, receiving laboratory results, providing reminders to take medication or renew prescriptions, and communicating information to a doctor. This new role played by app developers brings new privacy obligations.

This paper focuses on some of the key data privacy challenges for those involved in developing medical apps. It is aimed primarily at app developers, but it should be borne in mind that device manufacturers, app stores and others will often have overlapping concerns. While privacy laws in Europe and the US are very different, regulators show strikingly similar concerns when it comes to apps. Some of those concerns include: defining the responsibilities of different parties in the app market; ensuring that apps do not abuse individual privacy by accessing and using more information than is really necessary; making sure appropriate measures are in place reflecting the sensitivity of information; ensuring that individuals are meaningfully informed of how their information is used; and getting valid user consent at the right moment. This paper focuses on the requirements under European Economic Area (EEA) [3] law, although some of the same issues have also been highlighted by US regulators.

[1] This article deals exclusively with the privacy and data protection aspects of mobile app development, and does not address the question of when a smart device becomes a medical device.
[2] Article 29 Data Protection Working Party, Opinion 02/2013 on apps on smart devices, WP 202 (27 February 2013) ("Working Party Opinion"); Kamala D. Harris, Attorney General, California Department of Justice, Privacy on the Go: Recommendations for the Mobile Ecosystem (January 2013) ("Privacy on the Go"); FTC Staff Report, Mobile Privacy Disclosures: Building Trust Through Transparency (February 2013) ("FTC Staff Report"); Atle Årnes and Catharina Nes, What does your app know about you? (15 September 2011), Datatilsynet; Beschluss der obersten Aufsichtsbehörden für den Datenschutz im nicht-öffentlichen Bereich, Düsseldorfer Kreis (4/5 May 2011).
[3] Currently comprised of all European Union member states except Croatia, as well as Iceland, Liechtenstein and Norway.

Applicability of the Data Protection Directive

Context

In Europe there are binding privacy laws in place and data protection authorities in each country ready to enforce them. In February 2013 a group representing these data protection authorities, the Article 29 Data Protection Working Party, adopted an opinion on apps on smart devices. [4] While the opinion itself is not binding law, it is a strong indication of how EEA regulators see privacy obligations in the app market and therefore could be used as the basis of future enforcement action. The Data Protection Directive [5] is the main privacy law in place at the European level, and it has been implemented into the national law of all countries in the European Economic Area (EEA). [6] This European law is important to take into account because its operation cannot be excluded by declaration or contract.

The Article 29 Data Protection Working Party is an independent advisory group representing the data protection authorities of the European Union. The Working Party regularly issues opinions on data protection and privacy issues, which explain how the regulators view the application of the law in that situation. These opinions have covered, for example, cloud computing, facial recognition, behavioural advertising, and online social networking. The opinions themselves are not binding law, but as they are issued by a group of regulators, they are a strong indication of how the authorities in each European country may enforce the law. In February 2013 the Working Party adopted an opinion on apps on smart devices (referred to throughout this paper as the "Working Party Opinion"). The Working Party Opinion gives an important perspective on how the law applies in the context of new app technology and provides advice on how to comply with the law when developing apps.

The law

The Data Protection Directive applies to all wholly or partly automatic processing of personal data. [7] Processing of personal data is: "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." [8]

Under the Data Protection Directive, personal data is defined broadly as: "any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." [9]

The Data Protection Directive applies in the following situations:
- Where an entity has an establishment on the territory of an EEA state and processing is carried out in the context of the activities of that establishment; [10] and
- Where an entity is not established on the territory of an EEA state but makes use of equipment situated on such territory (unless the equipment is only used for transit purposes). [11]

To qualify as an establishment it is not necessary for there to be a legal entity such as a branch or subsidiary in the EEA state. The decisive factor is whether the controller engages in "the effective and real exercise of activity through stable arrangements" in that territory. [12]

[4] Working Party Opinion.
[5] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data ("Data Protection Directive").
[6] Currently comprised of all European Union member states except Croatia, as well as Iceland, Liechtenstein and Norway.
[7] Article 3, Data Protection Directive.
[8] Article 2(b), Data Protection Directive.
[9] Article 2(a), Data Protection Directive.
[10] Article 4(1)(a), Data Protection Directive.
[11] Article 4(1)(c), Data Protection Directive.
[12] Recital 19, Preamble to the Data Protection Directive.

In practice

Businesses with an establishment in the EEA will be subject to the Data Protection Directive for any processing associated with that establishment's activities. What businesses outside the EEA may not realise, however, is that even if they do not have an establishment in the EEA, they may still be obliged to comply with the Data Protection Directive. This is due to the second arm of applicability outlined above, where an entity uses equipment situated on the territory of an EEA state. The equipment that triggers this provision includes computers and smart devices of users who are in the EEA. EU regulators have confirmed that insofar as an app generates traffic of personal data back to the entity outside the EEA, the entity is considered to be using equipment in the EEA and the Data Protection Directive will apply, regardless of the entity's location. [13]

As outlined above, in the EEA a broad interpretation of personal data is taken, meaning that any information linking to an identifiable individual triggers the application of the legal regime. This includes data such as IP addresses, location information, contacts, unique device identifiers, credit card details, and pictures. Because apps often collect IP addresses and unique phone identifiers, even if they do not actively collect other personal data, the Data Protection Directive will apply to data processing by many or even most apps with users in the EEA.

Example

The US headquarters of a pharmaceutical company (with no EEA establishments) develops an app which allows diabetic users to enter their name, date of birth, blood sugar levels, food intake, weight, and medicine intake, and uses that information to provide diet recommendations and prescription reminders. The data is linked to their phone's identifier, and is communicated back to the company's server in the US where it is stored. The app has users in countries across the EEA.

The Data Protection Directive applies because the app uses equipment (smart devices) located in the EEA, and sends personal data (all the information collected by the app, because it is linked to the phone's identifier, the name and the date of birth of the user) to the entity which developed the app.

[13] Working Party Opinion, p.

Applicability of the EU e-privacy Directive

Context

The EU e-privacy Directive [14] mainly applies to electronic communications service providers; however, some of its provisions have implications for a wider range of parties. Article 5(3) was recently inserted to regulate the use of cookies, by requiring websites to obtain the informed consent of users regarding cookies placed on a user's computer. In the Working Party Opinion, however, the Article 29 Working Party confirms that it also applies in the context of smart device apps. [15] As with the Data Protection Directive, it is not possible to contract out of the e-privacy Directive, so it is important to understand the obligations it entails.

The law

Article 5(3) of the e-privacy Directive provides that: "Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user."

In practice

Article 5(3) means that if an entity places information on, or reads information from, the smart device of a user in the EEA, the entity is required to provide clear and comprehensive information to the user about it and obtain their consent. Because an app both stores information on, and reads information from, a user's smart device, Article 5(3) applies.

It is important to keep in mind that the e-privacy Directive does not apply only where personal data is processed, but more broadly in relation to any kind of information. Once its application is triggered, the kind of clear and comprehensive information you are obliged to provide includes your organisation's identity and contact details, and the purposes the data will be processed for. Users must also be given the option to refuse the processing. Note that if the app processes personal data (and most of them do), it will also have to comply with the more stringent requirements of the Data Protection Directive, and this obligation becomes less relevant.

Example

A pharmaceutical company develops an app providing reference information for medical practitioners about particular medical conditions and diseases. The app is not interactive; it does not allow users to enter any personal data of themselves or patients, and the pharmaceutical company does not collect the IP addresses or phone identifiers of users. While the Data Protection Directive would not apply to the pharmaceutical company for this app, the e-privacy Directive would. Before allowing users to download the app, the company must inform them of its identity and the purposes for storing information on their smart device, and give them an option to reject installation of the app (for example, via a cancel button next to the install button). The information should be made available to users before installation, for example on the app page in the app store. However, it should also be accessible from within the app after installation. The key is that users should not have to go searching the web in order to inform themselves; the information should be readily available. Best practice would be to also include the information on your website.

[14] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector ("e-privacy Directive").
[15] Working Party Opinion, pp.

Determining responsibility: controller/processor concepts

Context

Part of the challenge when it comes to mobile apps is determining who is responsible for what, especially when legal obligations are at stake. EEA law divides entities into data controllers and data processors, depending on their role in processing personal data.

The law

Under the Data Protection Directive, the data controller is: "...the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data". [16]

A data processor is any natural or legal person processing personal data on behalf of the data controller.

Processing includes: "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction". [17]

In practice

If a pharmaceutical company develops an app, or outsources the development of an app, it will be considered a data controller under EEA law because it decides what information will be collected and what it will be used for. Data controllers have fairly heavy obligations to ensure, amongst other things, that information is used fairly and lawfully, that unnecessary or irrelevant information is not collected, that information is kept up-to-date, and that it is deleted or irreversibly de-identified when the purposes for using it expire. If there is a risk that you will be considered a data controller under EEA law, you should verify that you are complying with all your relevant obligations.

A data processor, on the other hand, only deals with personal information under the instructions of the data controller. This includes, for example, cloud storage providers storing personal information generated by an app, internet service providers hosting content on their websites, and call centres to which a particular function of a company has been outsourced. The key is that the data processor only acts on behalf of the controller. As soon as they use personal information for their own purposes, they become a data controller. There is not always a data processor, as the controller might do any processing of the information themselves. It is also possible to have joint controllers of the information, in which case all companies are held liable for compliance with the applicable data privacy laws.

When a data controller uses a data processor, they are obliged to have a written contract in place with the data processor, to ensure that the processor can only act upon the instructions of the controller, and that appropriate technical and organisational measures are in place to protect the data. [18]

As new technology allows people to use personal information in innovative ways, it can be difficult to pinpoint the different roles of controller and processor and the related liabilities. This does not mean, however, that the legal obligations do not exist. A careful assessment is necessary to determine the legal responsibilities you have based on the way you use personal information. Ignoring those responsibilities or taking a careless approach could backfire if an EEA regulator later takes a different view.

The Working Party Opinion goes through the different parties that may be involved in the app market and explains how they may be responsible under EEA law. Those with obligations include app developers, OS and device manufacturers, app stores, analytics providers and communications service providers. Each of these may be considered a data controller or processor of certain information and will therefore have responsibilities under EEA law. For example, app developers who choose the purposes for which an app collects information, and the means it uses to do so, will be the data controller of that information. App stores, on the other hand, are data controllers in relation to the information they collect for user registration along with any financial information, data about purchase and usage behaviour, etc. Even analytics providers are data controllers if they use information from different apps to create profiles for personalised recommendations. However, if they only provide analytics for an app without using the information for their own purposes, they are a data processor.

[16] Article 2(d), Data Protection Directive.
[17] Article 2(b), Data Protection Directive.
[18] Article 17(3), Data Protection Directive.

Example

A pharmaceutical company would like to develop an app used by doctors to diagnose particular medical conditions. The company does not have the necessary technical or design expertise in-house, so it outsources the development of the app to Company B, instructing them how they would like the app to function. Company B develops the app as instructed by the pharmaceutical company and provides the end product to the pharmaceutical company. The app allows doctors to store encrypted patient personal data using a cloud storage solution, hosted by Company C, which does not have access to the patient data.

In this scenario, the pharmaceutical company is the data controller, because it decides what personal data is collected and how it will be used. Company B does not deal with any personal data in the context of the app and therefore has no data protection obligations; it is simply performing a service for the pharmaceutical company. Company C is a data processor on behalf of the pharmaceutical company, because under EEA law storage is a kind of processing, even if the company cannot access the data. The pharmaceutical company must therefore have a specific contract in place with Company C, a data processing agreement, providing that Company C will only act upon the instructions of Company A and that Company C has certain technical and organisational measures in place to protect the data stored in the cloud. Because a cloud storage solution is being used to store sensitive health data, those measures should be particularly robust (e.g. cryptographic authentication mechanisms, encryption in transit and at rest, role-based access restrictions, and confidentiality clauses). It is the pharmaceutical company's obligation to choose a cloud provider that allows it to comply with its data protection obligations. [19]

[19] Article 29 Data Protection Working Party, Opinion 05/2012 on Cloud Computing, WP 196 (July 1, 2012).

Data minimisation, proportionality principles

Context

EEA law contains a number of fundamental principles which apply to protect personal data and individual privacy. Two related principles especially relevant to mobile apps are data minimisation and proportionality.

The law

Data minimisation and proportionality are expressed in the Data Protection Directive requirement that data must be: "adequate, relevant, and not excessive in relation to the purposes for which they are collected and/or further processed." [20]

In practice

In relation to apps, the data minimisation and proportionality principles mean that it is prohibited to collect or use data which is not necessary for the app to function. [21] While the initial instinct may be to use an app to gather as much information as possible from users, collecting too much information may be more trouble than it is worth. US best practice guidelines also recommend that developers avoid or minimise the collection of personal information which is not related to the app's basic functionality. [22] This advice especially applies to sensitive information like health information as well as to geolocation data.

The proportionality and data minimisation principles apply to processing activities regardless of what users have consented to. This means that it is possible to be in breach of the Data Protection Directive, even if you obtain user consent for your practices. [23]

To ensure compliance, it is recommended to start the app development project with an assessment of what data the app will need to function and how it will be used. This way, decisions can be made which build privacy into the functioning of the app ("privacy-by-design"). For example, if the app has a feature making use of geolocation data, avoid continuously collecting that location information unless it is really necessary for the app to function. US guidance frames this issue as "surprise minimisation". [24] This is a useful measure when planning the way an app will use personal information: if the average app user may be unpleasantly surprised that the app collects and uses particular information, verify that it is really needed for the app to function.

Example

A pharmaceutical company develops an app to remind customers to renew their prescriptions for a particular product. The app syncs with the user's calendar on their smart device to insert reminders. While syncing, it is technically possible for the app to access and retrieve the rest of the content stored on the user's calendar. In order to respect the principles of data minimisation and proportionality, it should be ensured that the app does not actually retrieve any information from the calendar other than what is strictly necessary to perform the syncing. Retrieval of the other information would be considered excessive under EEA law.

[20] Article 6(c), Data Protection Directive.
[21] Working Party Opinion, p. 17.
[22] Privacy on the Go, p.
[23] Working Party Opinion, pp. 16,
[24] Privacy on the Go, p.

11 Notice and Consent Context After having engaged in privacy-by-design to decide on how an app collects and uses information, the next challenge is to ensure that app users are informed about those practices and that valid consent is obtained. Transparency is key to a privacy-friendly approach, because obtaining valid consent is only possible if users have already been informed of the privacy practices. Further, the app may not begin installation on the smart device before that consent is obtained. The law Under the Data Protection Directive, the following information that must be provided to app users before processing their personal data: (i) the name and contact details of your organisation, (ii) the type of personal information the app will collect and process, (iii) the exact purposes for which the information will be used, (iv) whether the information will be disclosed to third parties, including any transfers of data outside the EEA, (v) how app users can get in touch with your company about your privacy practices or to correct or update any information you hold about them. (vi) any other information necessary to guarantee fair processing of the user s personal data in the circumstances 25 If unambiguous consent is being relied upon as the legal basis to collect data, 26 which will usually be the case for a mobile app, it is required for that consent to be a freely given specific and informed indication of the individual s wishes, signifying their agreement to the processing of their personal data. 27 The informed aspect of the consent is satisfied when the information mentioned above is provided to the individual before any processing takes place. 28 If the consent is not free, specific and informed it will not be considered valid consent and the data processing could therefore be deemed to be illegal. In practice Providing the necessary information to app users can prove to be a challenge on a small smart device screen. 
For this reason EEA regulators have endorsed the use of multi-layered notices, where the essential information is presented directly on the screen but users can follow a link to more comprehensive explanations, for example in a privacy policy. The crucial information to include on the screen will depend on the app it should certainly include your identity as the app developer, but also information about the kind of data you collect or have access to, and the purposes you use it for. Surprise minimization is a good guide again here make sure you inform individuals of any use of their information that may not be obvious. The rest of the required information can be explained in full detail via a link to the privacy policy. Only if app users are fully informed in line with the above can they validly consent to the use of their personal information. The Working Party Opinion refers to the need for consent to be granular, i.e. specifically provided in relation to each purpose of processing. The EEA regulators insist that simply clicking an install button, or having app users accept a lengthy privacy policy, is not specific enough to give valid consent. 29 The purposes of processing need to be actually laid out on the screen so that users know what they are specifically consenting to, and can freely choose to use the app. If EEA law applies to you, you will be obliged to obtain consent under the eprivacy and Data Protection Directives for (i) placing the app on the smart device, 30 (ii) any collection or use of location data, 31 (iii) any collection or use of sensitive information such as health information, 32 and possibly also (iv) any intended international transfer of the information outside the EEA. 33 Where relevant, consent would also need to be obtained if personal information will be used for direct marketing. Not all of these consents can be combined, for example consent to the use of 25 Article 10, Data Protection Directive. 
26 Article 7(a), Data Protection Directive. 27 Article 2(h), Data Protection Directive. 28 Working Party Opinion, p Working Party Opinion, p Article 5(3), eprivacy Directive. 31 Article 9, eprivacy Directive. 32 Article 8, Data Protection Directive. 33 Articles 26 and 26, Data Protection Directive. For more pharma business intelligence visit eyeforpharma: Give Your Mobile App a Clean Bill of Health 11

12 location data and sensitive information should be expressed separately. To ensure that separate consent is obtained, some app platforms use just-in-time disclosures to alert app users that this kind of data is being shared, and asking for their specific consent at that moment. 34 Collaboration with app platforms is therefore useful to ensure that separate consent is obtained, but also that it is not doubled up, causing unwelcome interference in the user s app experience. To take the most privacy-friendly approach, app developers should give app users as much control as possible by allowing them to choose which features of the app they wish to activate, and which they do not consent to. This approach is suitable for apps with a variety of independent features or functions. If the app cannot function without using information for certain purposes, however, giving users such a choice would be misleading. Instead, it should always be clear that users can choose not to install the app, for example by pressing a cancel button. While there is no easy answer to getting the notice and consent right, EEA regulators have called upon app developers to apply their creative skills to this challenge. 35 App developers manage to find innovative ways to design many app features in a way that makes sense for a small screen, and the notice and consent could benefit from equal attention. Both US and EEA regulators point to the potential for icons and images to communicate important privacy-related information. They call for collaboration with other parties like app platforms who could standardise such icons, as well as consumer testing to make sure the information is clear and understandable to potential users. 36 Example: A pharmaceutical company develops an app for patients with a heart condition, which tracks medical prescriptions, provides diet recommendations, as well as restaurant recommendations based on the user s location. 
When installing the app, the user is presented with a screen stating simply that "by installing this app you consent to our privacy practices outlined in our privacy policy found here: [link]". The link connects to a lengthy privacy policy in which all relevant practices are explained.

This consent is not valid because it is neither informed nor specific. The matters outlined in (i) to (vi) above should be highlighted in summarised form directly on the screen, with the opportunity to link to the privacy policy for further explanation. To be specific, the different purposes of processing need to be mentioned, especially as the app has several different functionalities. Because the app anticipates tracking the user's location, a separate check-box for this consent should be used, either at installation or when the tracking feature is switched on. Preferably, the user should be able to disable the restaurant recommendation function easily, and tracking should be switched off by default.

34 FTC Staff Paper.
35 Working Party Opinion.
36 Ibid.; FTC Staff Report.

Sensitive information and subcontracting

Context

The new situation of app developers directly handling patient information brings with it the obligation to treat that information with appropriate care. Health information is classified as sensitive information in both the EEA and the US, and is subject to special protections.

The law

Under the Data Protection Directive, it is prohibited to process certain categories of data unless an exemption applies. These categories of sensitive data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and data concerning health or sex life.37 There are several possible exemptions that allow the processing of such data, but the most relevant one in the context of mobile apps is where the individual has given explicit consent to the processing.38

As well as needing a legal basis to process sensitive data, information security measures must be matched to the sensitivity of the data. The Data Protection Directive (Article 17(1)) provides that:

"...the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected."

In practice

If your app collects or uses health information, you should be sure that you have obtained explicit consent for those practices from the app user. You will also need to consider what information security measures you have in place to protect the data, as the level of security should reflect the sensitive nature of the data.
Is the data stored in encrypted form? Could other apps on the smart device also access the sensitive information? Does the app interact with other apps that may have a lower level of security? These issues should all be worked through as part of your privacy-by-design approach.

If you use any third-party vendors or service providers to process personal data for the app, for example a cloud storage solution, you must have a contractual agreement in place with that third party.39 In that contract you must pass on the obligation to have rigorous information security measures in place for sensitive data. These contractual safeguards ensure that you continue to meet your obligation to protect the data; it is not permitted to dilute data protection obligations through a chain of subcontracting.40

Example: A pharmaceutical company develops an app which allows patients to enter their health information and receive a risk analysis from a diagnostic tool. A cloud provider is engaged to store the health information and the diagnosis received. The cloud provider has a standard service agreement that it uses with all clients and is not willing to negotiate its terms. The information security measures used are not specified.

This solution will not be satisfactory under EEA law. As a data controller you are obliged to choose service providers that provide sufficient guarantees in respect of the technical security measures and organizational measures governing the processing. Transparency about the measures in place is therefore necessary. If the cloud provider is not willing to enter into an agreement that permits compliance with your data protection obligations, it will be necessary to choose an alternative provider that will.
The European Network and Information Security Agency (ENISA) has drafted a paper on the benefits and risks of cloud computing for information security, including a questionnaire broken down by theme that enables cloud clients to ask cloud providers about the relevant information security measures.41 This questionnaire could be useful when considering a potential cloud provider, in order to verify their specific information assurance arrangements and to ensure that those arrangements enable you to meet your data protection obligations.

37 Article 8(1), Data Protection Directive.
38 Article 8(2)(a), Data Protection Directive.
39 Article 17(3), Data Protection Directive. See above section on Determining responsibility.
40 Article 29 Data Protection Working Party, Opinion 1/2010 on the concepts of "controller" and "processor", WP 169 (16 February 2010).
41 ENISA, Cloud Computing: Benefits, Risks and Recommendations for Information Security (2009).
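The three questions posed in the "In practice" part of this section (is the data encrypted at rest, can other apps on the device read it, and can a change to the stored data go unnoticed) can be checked in code rather than only on paper. The Go program below is an added illustration and is not code from this guide or from any app it describes. It seals a constructed sample health record with AES-256-GCM, binds a constructed purpose label to the ciphertext as associated data, writes the result with owner-only file permissions, and rejects the file on read if the key is wrong or a single byte has been altered. The record fields, the key generation and the directory layout are assumptions for the example; a production app would keep the key in the platform key store (Android Keystore or iOS Keychain) rather than generate it next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// HealthRecord is a constructed sample of the sensitive data the app holds (assumed fields).
type HealthRecord struct {
	PatientID     string   `json:"patient_id"`
	Prescriptions []string `json:"prescriptions"`
	RiskScore     float64  `json:"risk_score"`
}

// recordContext is bound to each ciphertext as associated data, so a blob cannot be replayed as another record type.
const recordContext = "health-record-v1"

// NewKey returns a fresh 256-bit AES key; a real app would keep it in the platform key store, not beside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Seal encrypts with AES-256-GCM; the random nonce is prepended and the tag covers ciphertext plus associated data.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordContext)), nil
}

// Open reverses Seal and fails closed on a wrong key, a truncated blob, or a single flipped bit.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("stored record too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(recordContext))
}

// SaveRecord seals rec and writes it with mode 0600 (owner-only): the file-permission analogue of the per-app sandbox.
func SaveRecord(dir string, key []byte, rec HealthRecord) (string, error) {
	plain, err := json.Marshal(rec)
	if err != nil {
		return "", err
	}
	blob, err := Seal(key, plain)
	if err != nil {
		return "", err
	}
	path := filepath.Join(dir, rec.PatientID+".enc")
	return path, os.WriteFile(path, blob, 0o600)
}

// LoadRecord reads, authenticates and decrypts a record written by SaveRecord.
func LoadRecord(path string, key []byte) (HealthRecord, error) {
	var rec HealthRecord
	blob, err := os.ReadFile(path)
	if err != nil {
		return rec, err
	}
	plain, err := Open(key, blob)
	if err != nil {
		return rec, fmt.Errorf("record rejected: %w", err)
	}
	return rec, json.Unmarshal(plain, &rec)
}

func main() {
	key, _ := NewKey()
	dir, _ := os.MkdirTemp("", "healthapp")
	defer os.RemoveAll(dir)
	path, _ := SaveRecord(dir, key, HealthRecord{PatientID: "p-0001", Prescriptions: []string{"atorvastatin 20mg"}, RiskScore: 0.42})
	got, err := LoadRecord(path, key)
	fmt.Println(got, err)
}
```

The 0600 file mode keeps processes running under a different user ID out, which is how mobile platforms isolate one app from another, but it does nothing against a rooted device or a backup that copies the file off the handset; the encryption is what covers those cases, and only if the key does not travel with the data. The GCM tag is what answers the integrity question: a record that has been modified in storage, or sealed under a different key or purpose label, fails to open instead of decrypting to garbage.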

Conclusion

App developers, users and regulators alike are all grappling with the possibilities and implications of app technology. Medical apps have huge potential to influence the way medical diagnosis and treatment are undertaken, and more broadly health-related apps are already having an impact on everyday lives. As use of these apps grows, increasing attention is also being paid to privacy issues where those apps involve the collection and use of personal information. While up to now apps have often been developed with scant regard for individual privacy, this will not be a viable approach going forward.

This paper has highlighted some of the privacy fundamentals to consider when developing a medical app. By adopting a privacy-by-design approach, you can ensure that, as privacy standards are clarified and enforced in the app realm, you will be one step ahead. Some things to keep in mind are:

- European law applies to you if you have on-going activities in an EEA country, or if you are not operating in the EEA but your app sends personal data (of EEA residents) to your organisation.
- If you develop an app which processes personal data, you will likely be classified as a data controller under the law, which brings certain legal obligations.
- As a data controller you need to have certain kinds of contracts in place with any companies you use to process personal data, e.g. a cloud service provider.
- Your app should not collect any more personal data than is necessary for its functionality. You cannot legitimise excessive collection of personal data by obtaining user consent; you will still be breaching the law.
- You are obliged to provide users with certain information about the kinds of data you are collecting and what you are using it for, via the app store, before the app is installed. This information should be clear and simple, with a link to more detailed explanations.
- Health information is sensitive information and should be treated with a higher level of care.
- You should verify that you obtain valid user consent to all the ways you process health information, and that you have robust information security measures in place to protect it.

Glossary

Data Controller: The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Data Processor: The natural or legal person processing personal data on behalf of the data controller.

Data Protection Directive: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data.

Personal data: Any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Processing of data: Any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

Working Party Opinion: The opinion issued by the Article 29 Data Protection Working Party referred to throughout this paper, Opinion 02/2013 on apps on smart devices, WP 202 (27 February 2013).

GOT SOMETHING TO SAY?

eyeforpharma is more than just a source of industry information; it's a platform for debate and innovative ideas! If you have an idea you'd like to share with our audience, or if you'd just like to provide feedback on this document, contact our Editor, Craig Sharp, at csharp@eyeforpharma.com. Thanks for reading eyeforpharma!


More information

Opinion 02/2013 on apps on smart devices

Opinion 02/2013 on apps on smart devices ARTICLE 29 DATA PROTECTION WORKING PARTY 00461/13/EN WP 202 Opinion 02/2013 on apps on smart devices Adopted on 27 February 2013 This Working Party was set up under Article 29 of Directive 95/46/EC. It

More information

OPINION MAY 2012 ON CLOUD COMPUTING Article 29 Data Protection Working Party (July 1, 2012)

OPINION MAY 2012 ON CLOUD COMPUTING Article 29 Data Protection Working Party (July 1, 2012) OPINION MAY 2012 ON CLOUD COMPUTING Article 29 Data Protection Working Party (July 1, 2012) ARTICLE 29 DATA PROTECTION WORKING PARTY 01037/12/EN WP 196 Opinion 05/2012 on Cloud Computing Adopted July 1

More information

Data Compliance. And. Your Obligations

Data Compliance. And. Your Obligations Information Booklet Data Compliance And Your Obligations What is Data Protection? It is the safeguarding of the privacy rights of individuals in relation to the processing of personal data. The Data Protection

More information

ECSA EuroCloud Star Audit Data Privacy Audit Guide

ECSA EuroCloud Star Audit Data Privacy Audit Guide ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs:

More information

Information Not Collected and Retained

Information Not Collected and Retained Information Not Collected and Retained For the purposes of this statement "personally identifiable information" means any information relating to an identified or identifiable individual who is the subject

More information

Comments and proposals on the Chapter II of the General Data Protection Regulation

Comments and proposals on the Chapter II of the General Data Protection Regulation Comments and proposals on the Chapter II of the General Data Protection Regulation Ahead of the trialogue negotiations in September, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International

More information

PRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA

PRIVACY REGULATIONS regarding the Web Health History (W.H.H.) Service called LifepassportPRO provided by Meshpass SA PRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA Updated: 20 Jun 2015 (substitutes previous versions) This Privacy Policy describes

More information

Giuseppe Busia Segretario generale Garante per la protezione dei dati personali

Giuseppe Busia Segretario generale Garante per la protezione dei dati personali mhealth enablers panel The Health & Wellness @ Mobile World Congress 2015 Giuseppe Busia Segretario generale Garante per la protezione dei dati personali 1 mhealth main concern Mobile Health (mhealth)

More information

ATMD Bird & Bird. Singapore Personal Data Protection Policy

ATMD Bird & Bird. Singapore Personal Data Protection Policy ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Isuz Ltd. trading as Schoolcomms

More information

INFORMATION WE MAY COLLECT FROM YOU

INFORMATION WE MAY COLLECT FROM YOU Privacy Policy ABOUT Prolific Academic Ltd. ("We") are committed to protecting and respecting your privacy. This policy (together with our terms of use and any other documents referred to on it) sets out

More information

Privacy Policy for Data Collected by Blue State Digital s Clients

Privacy Policy for Data Collected by Blue State Digital s Clients Privacy Policy for Data Collected by Blue State Digital s Clients Blue State Digital LLC. ("Blue State Digital", BSD or "we") provides various services to nonprofits and business entities ("Clients"),

More information

McZeely Coterie, LLC Privacy Notice. Effective Date of this Privacy Notice: February 11, 2015.

McZeely Coterie, LLC Privacy Notice. Effective Date of this Privacy Notice: February 11, 2015. McZeely Coterie, LLC Privacy Notice Effective Date of this Privacy Notice: February 11, 2015. We at McZeely Coterie, LLC, the company that proudly brings you Plan Z by Zola ( Plan Z ), respect your concerns

More information

WHITE PAPER Meeting European Data Protection and Security Requirements with CipherCloud Solutions

WHITE PAPER Meeting European Data Protection and Security Requirements with CipherCloud Solutions WHITE PAPER Meeting European Data Protection and Security Requirements with CipherCloud Solutions Meeting European Data Protection and Security Requirements with CipherCloud Solutions 2015 1 TABLE OF CONTENTS

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Preamble The highest level of personal data protection is particularly important for KCG Partners Law Firm. The purpose of this Data Protection Policy is to inform the visitors

More information

IDT Financial Services Limited. Prime Card Privacy Policy

IDT Financial Services Limited. Prime Card Privacy Policy IDT Financial Services Limited Prime Card Privacy Policy Effective and Updated April 7, 2014 General IDT Financial Services Limited and its affiliates ( IDT, us, we, our ) are committed to protecting the

More information

Recommendations for companies planning to use Cloud computing services

Recommendations for companies planning to use Cloud computing services Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation

More information

Application Programming Interface (API) Application (app) - The API app is the connector between epages and the developers service.

Application Programming Interface (API) Application (app) - The API app is the connector between epages and the developers service. Developer Program 0. Preamble epages is the owner and vendor of the online shop software epages which enables merchants to run their online shop in the cloud. epages provides a developer program for third

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

eprivacy GmbH Criteria Catalogue "eprivacyapp" June 2015

eprivacy GmbH Criteria Catalogue eprivacyapp June 2015 eprivacy GmbH Criteria Catalogue "eprivacyapp" June 2015 The eprivacyapp seal for data security and data protection from eprivacy GmbH certifies the respective requester that his/her offer is compliant

More information

Summary of the Dutch Data Protection Authority s guidelines for the Data Breach Notification Act

Summary of the Dutch Data Protection Authority s guidelines for the Data Breach Notification Act Summary of the Dutch Data Protection Authority s guidelines for the Data Breach Notification Act On 1 January 2016, the Dutch Data Breach Notification Act will enter into force. The Dutch DPA issued Guidelines

More information

PRIVACY POLICY USER INFORMATION. Information you provide to us

PRIVACY POLICY USER INFORMATION. Information you provide to us PRIVACY POLICY Food Marshal Tech Services Private Limited, ("Food Marshal", the Company, we, us and our ) is a company incorporated under the provisions of the Companies Act, 2013 and powers / manages

More information

DESTINATION MELBOURNE PRIVACY POLICY

DESTINATION MELBOURNE PRIVACY POLICY DESTINATION MELBOURNE PRIVACY POLICY 2 Destination Melbourne Privacy Policy Statement Regarding Privacy Policy Destination Melbourne Limited recognises the importance of protecting the privacy of personally

More information

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS Mat Wright www.britishcouncil.org CONTENTS Purpose of the code 1 Scope of the code 1 The British Council s data protection commitment and

More information

How To Know What You Can And Can'T Do At The University Of England Students Union

How To Know What You Can And Can'T Do At The University Of England Students Union HOW WE USE YOUR INFORMATION This privacy notice tells you what to expect when University of Essex Students Union (referred to as the SU herein) collects personal information. It applies to information

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Contact name Contact email Contact

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

on the transfer of personal data from the European Union

on the transfer of personal data from the European Union on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP

More information

ZIMPERIUM, INC. END USER LICENSE TERMS

ZIMPERIUM, INC. END USER LICENSE TERMS ZIMPERIUM, INC. END USER LICENSE TERMS THIS DOCUMENT IS A LEGAL CONTRACT. PLEASE READ IT CAREFULLY. These End User License Terms ( Terms ) govern your access to and use of the zanti and zips client- side

More information

ESTRO PRIVACY AND DATA SECURITY NOTICE

ESTRO PRIVACY AND DATA SECURITY NOTICE ESTRO PRIVACY AND DATA SECURITY NOTICE This Data Privacy and Security Policy is a dynamic document, which will reflect our continuing vigilance to properly handle and secure information that we are trusted

More information

Privacy Policy. Ignite your local marketing

Privacy Policy. Ignite your local marketing Privacy Policy Ignite your local marketing Contents 1) Introduction... 3 2) What is your personal information?... 3 3) What personal information do we collect and hold?... 3 4) How do we collect your personal

More information

Carriers Insurance Brokers Pty. Limited

Carriers Insurance Brokers Pty. Limited Our Privacy Policy At Carriers Insurance Brokers Pty. Limited, ABN 66 001 609 936, we are committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian

More information