GDPR and fitness apps.

Photo by Filip Mroz on Unsplash

Do you own a fitness tracker? Or even just activate the steps counter on your phone?

Most of us have used some sort of health or fitness app, whether to go running or record more intimate details. Most of us have also ticked all the terms and conditions automatically. To comply with GDPR, the information should be clear, and the data collection limited to what is needed by the app. Is geolocation and access to your contacts always necessary? How do you feel about your age and gender combined with your fitness level being shared with undisclosed third parties? While medical data for clinical trials usually have to be anonymised, this is not necessarily the case for your data which is then shared with your insurer or your mortgage broker…without you even knowing it. This is when the targeted ads for new running shoes pale into insignificance. Higher health insurance premiums or rejected mortgage applications have a real impact on our life.

As a doctor, you will be the controller of the fitness data of the data subject, who is your patient. In the context of fitness trackers, you need to be sure that you comply with Article 5, being especially mindful that the data you collect is limited to the specific healthcare purpose. As apps can often collect a lot more data than you would imagine, as a doctor and controller, you need to be sure that you don’t end up collecting everything indiscriminately. This same data can make it unexpectedly easy to identify patients even if you remove the distinct identifiers such as name, age and gender.

Personal data is any data that can identify you as an individual and more specifically, health data is anything that refers to your specific health status. Furthermore, this is classed as sensitive data as the consequences of this data becoming more widely known can have more serious implications as previously mentioned.

If you are integrating the information from an app as part of an EHR program you have contracted, this is one of the questions to ask the EHR seller. How do you ensure that only relevant information is brought across? This is something they may not even have thought about.

If you are incorporating the information in a report format generated by the app that the patient has sent you by email for example, then just make sure you have a copy of preferably written consent. It should cover the data being incorporated into their EHR and therefore, everyone else who also has access to the EHR.

Although fitness trackers can be a good way of getting people or your patients to a better state of health, you may want to have a chat about “free” trackers. Some health insurance companies are offering almost free fitness trackers. However, they then access your data and premiums may be affected by how the health company evaluates your fitness and therefore, your risk for future illness. They might not turn out to be so cheap after all.  There are many less expensive if less prestigious fitness trackers on the market. In reality, most people only need an activity monitor and heart rate monitor. The ECG monitoring option has been controversial and may not be relevant to your patient. It is a fast changing industry and clinical need rather than opportunity should be the dictator as to whether you incorporate a fitness tracker or other wearable into your practise. It is important to think if the information provided is useful or will potentially lead to more testing as with the incidentalomas (incidental imaging finding) which appeared when full body CTs became available. Just because you can, doesn’t mean you should!

Published by Dr Alice Byram

Emergency and family medicine physician offering individualised health solutions. Special interest #digital health.

%d bloggers like this: