In December, the UK's Information Commissioner's Office (ICO) published its first Tech Horizons Report.
The Report was created in line with the ICO's ICO25 strategy, which aims to help inform society about "emerging technologies to reduce burdens on businesses, support innovation and prevent harms."
It focuses on the data implications of technology developments in the next two-to-five years, including consumer healthcare as well as Internet of Things devices, immersive technologies and decentralised finance.
The ICO's objective is to help innovators develop safe and trustworthy new products and services and to protect consumers and personal data.
The focus on consumer healthtech apps
Consumer healthcare, or "consumer healthtech", includes wearable devices and software applications that help people monitor their health and wellbeing.
These are lifestyle applications focusing on improving a consumer's wellbeing and are distinct from other medical devices or digital therapeutics used to provide evidence-based treatment by the medical sector.
Examples include fitness trackers, smart garments and mobile applications such as AI-powered CBT therapy, fertility monitoring or sleep tracking.
Data protection and privacy implications
The ICO flags that consumer healthcare technologies involve the tracking and analysis of a user's personal information. This includes sensitive biological and, in some cases, biometric data, as well as a person's identifying information.
The ICO illustrates this by giving the example of an iPhone and Apple Watch, which are currently reported to capture more than 150 types of health data. The integration of powerful new sensors, such as infrared spectrophotometers (which can, for example, monitor blood oxygen levels and haemoglobin levels), may soon allow further measurements.
The Report highlights the following privacy issues which may be a concern in the eyes of the ICO:
- Certain consumer healthtech devices will generate health data which, under UK GDPR, is classed as special category data and so requires additional safeguards. Organisations will need to understand when the information they collect meets the UK GDPR's definition of health data, since that is what obliges them to implement those safeguards.
The legislation requires special category data to be treated with greater care as its processing is more likely to interfere with an individual's rights or expose them to discrimination. While processing of any personal data requires a legal basis under Article 6 UK GDPR, where that data is special category data, a controller also needs to satisfy a separate condition under Article 9 GDPR.
The ICO states that context matters when determining whether personal information is also health data. The Report gives the example that a recorded assessment by a doctor that a patient needs to undertake more physical exercise is very likely to be considered health data. However, a similar conclusion reached by a fitness wearable, accompanied by a notification advising the user to walk more each day, may not necessarily always be considered health data. Another factor determining special category status is the purpose for which the data is being collected.
- Users require meaningful transparency and control of processing of their personal information. The ICO highlights ongoing concerns about transparency levels and the fact that some consumer healthcare apps retain device identifiers and user contact information which allows organisations to track users across services.
Several studies referred to by the ICO highlight a lack of compliance by organisations with their own privacy notices around third party data sharing, with a considerable number of apps providing no privacy notice at all.
The Report also highlights the use of software development kits (SDKs) that are used to allow users to log on to apps through other (often social media) accounts users may already have. Users may find it difficult to identify what they are granting permissions for and whether they cover additional purposes such as profiling or advertising.
- Some consumer healthcare devices present accuracy and bias concerns. Under Article 5(1)(d) of the UK GDPR, organisations are required to take all reasonable steps to ensure that the personal information they hold is not incorrect or misleading "as to any matter of fact."
The Report refers to studies that highlight the lack of accuracy of some of the information obtained by wearables (for example, in relation to the number of steps taken). In some instances, it appears that accuracy is worse for people with darker skin, which the studies argue is due to a lack of diversity in product test data.
ICO recommendations and key takeaways
The ICO concludes by providing a set of recommendations that all developers of healthcare devices should take into account.
These recommendations include:
- Providing clear, intelligible privacy notices to users that explain how and why data is processed and the inferences that are being drawn;
- Assessing whether organisations process health data and whether a data protection impact assessment is required; and
- Ensuring that any algorithmic and AI processing used in conjunction with healthcare technology is accurate, fair and checked for risks of systemic bias.
Advances in consumer healthcare technology are occurring rapidly and have the potential to make a considerable impact on consumer wellbeing.
However, developers of healthcare technology and devices face the dual challenge of complex data protection regulations and heightened regulatory focus, so they would do well to consider the ICO's recommendations.