Privacy is a defining topic of our times, not least since the scandal around Cambridge Analytica.
Regulators are set up around the globe to enforce privacy standards and ensure data sovereignty. For healthcare companies that are slack, consequences are especially critical:
❗️ Millions of fines for data breaches and lax safeguards
❗️ De-listing of services from public reimbursement, if standards are breached
❗️ bad press and reputation damage, cancelling deals with both B2C and B2B clients.
In light of this, it’s a striking example that it’s been illegal to transfer any data into the US 🇺🇸 in five of the last ten years – and you get a feeling of the sensitivity of this matter.
But first things first – why is privacy at all a topic when integrating wearables and tracker data?
Sensor data – why is it special?
Integration of sensor data into health services is a special case, as it involves at least three (and with Thryve even four) parties:
1️⃣ the end user sharing data
2️⃣ the data source generating/holding the data
3️⃣ your digital health service using the data
4️⃣ optionally: Thryve covering data sensor streams on a technical level
The relevant connection is between the end user and your health service – as this is the direct connection with your users’ data. Thryve streamlines data integration on a technical level, under a concept called data processor on behalf, i.e. acting like a vicarious agent for your service (while committing to safe standards in processing).
There are also relations to the data source – where your service agrees to overall access (receiving API credentials) and your end user agreed to the data source’s data processing when he started the service, but both don’t immediately touch your privacy concept.
Now that we established how privacy affects your wearables and tracker integration, let’s give it a full review. Below paragraphs give you a first breakdown of the essential need-to-know’s:
✅ informed user consent
✅ data minimization
✅ Data Transfer Rules
✅ compliant data processing location and cloud providers
✅ enforcement of end user rights
✅ anonymization vs. pseudonymization
✅ data protection officer (DPO)
✅ technical & operational measurements
Processing data requires informed consent
Most important for everything around data processing, is a solid legal base to actually do so. Usually in digital health, it’s the explicit consent of the users, whose data is processed. This must be informed – i.e., everything that’s done with his/her data needs to be explained prior to consenting (it’s the data processing statement we all know).
Important: be prepared to prove that your user consented.
What’s data minimization?
Data minimization requires you to process only the data that is actually needed to make your service work. In the context of sensor data integration, data sources usually offer a set of “scopes” that your end users authorize, covering e.g. activity, fertility information or profile data – so it’s essential to trim these scopes for your service to those required. In addition, you’re supposed to only store the actual data that your service needs – even if the authorized scope does allow more (or in case for manufacturers like Polar, doesn’t offer any scopes at all). At Thryve, we’ve covered this with a data storage selector – so only those data types are stored, that are actually needed.
Transfer of data into 3rd countries?
The EU has especially strict requirements when it comes to data protection. It’s basically not allowed to transfer data into another country for processing if they don’t comply with EU standards. 🚫 For example transfers between EU and US have been forbidden for 5 out of 10 years. 🚫
Within health, the take is even more conservative. DTx services under e.g. the German DiGA law are required to keep data fully under European entities’ control (that even excludes European providers with a non-European ownership). 🇪🇺✔️
Considering the unstable relationships between EU and other states (e.g. US), to be on the safe side, it is better to keep data within European companies in the EU.
What’s End User Rights?
Every user has the right to access, alter or delete their data. When it comes to sensor data, the end user can execute these rights against your service – so ensure, that any provider you work with is compatible with these requirements.
In the case of Thryve, we only have access to pseudonymous token – so we don’t know any end user. We thus forward any request for the execution of End User Rights to the digital health service we partner with, so the integrating service can identify and process any request for End User Privacy Rights.
Know what is meant: pseudonymous vs. anonymous data
The equivalent of the European GDPR, is the US-based HIPAA concept (which most other nations globally adopted as a role model).
It offers similar rights, but with a notable difference – which is crucial when operating in Europe: HIPAA considers pseudonymized data as “de-identified”, making individual data rights not apply anymore. Services that are HIPAA compliant can thus legally process, transfer and sell end-user’s de-identified health data in the US. Working with a service that claims anonymous data processing under HIPAA, gets EU-based services into deep trouble.
The other way around works perfectly well – processing only pseudonymous data in the EU under GDPR regulation is considered de-identified and thus perfectly suitable within a HIPAA context.
Your internal sheriff: data protection officer
Health data is considered especially sensitive information – which requires a dedicated data protection officer (DPO), regardless the company size. As a hack, there’s numerous services that provide DPO as a service, to get you covered at low cost.
Technical and organisational measures
What’s usually called TOMs basically maps everything your service has in place to ensure compliant data processing. It covers things like employee guidelines, security measures on-premise and in IT as well as .
When mapping out your TOMs, ensure that any service processing your data is mapped in there as well.
Last but not least – if you’re in doubt, the best thing is to get professional advice and collaborate with trusted partners.
Companies like Chino.io are specialized in the digital health industry and offeringthe instructions and support that you need to be compliant.