The Article 29 Working Party (WP) has set out criteria for determining if information is health data, in the context of lifestyle and wellbeing apps. Processing of health data is prohibited by Article 8 of the Data Protection Directive (95/46/EC), unless exemptions apply.

The WP discusses the wide scope of health data, concluding that personal data are health data when: the data are inherently medical data; the data are raw sensor data that can be used alone, or, in combination with other data, to draw a conclusion about someone's health status or health risk; or conclusions are drawn about health status or health risk (regardless of accuracy, legitimacy or adequacy).

The data's character and its intended use over time are noted as relevant.

The WP emphasises the critical importance of consent in relation to lifestyle and wellbeing apps. It advises that clear and prior processing information must be provided to app users before download and installation, including as to whether medical secrecy rules apply, whether data will be combined with other data (and examples of the consequences), and as to any further processing.

The WP notes that the domestic exemption could apply where data is not transmitted from an individual's device. However, where data is collected through an app or device which concerns a medical purpose, or where health data can be reasonably inferred from the data tracked by the app, a derogation from Article 8(1) of the Data Protection Directive must apply to permit this (such as explicit consent).

For further information, see Standard document, Mobile application privacy policy and Legal updates, Working Party delivers opinion on mobile apps, ICO issues DPA guidance for mobile app developers and Mobile health: European Commission publishes responses to mobile health consultation.

Source: Article 29 Working Party letter and Annex, 5 February 2015.