According to the EU Commission, health data are "all data pertaining to the health status of a data subject".
This includes heart rate (ECG), weight tracking, blood pressure, healthcare payments, step counts, heartbeat tracking and diseases.
According to the EU Commission, health data include "the fact that someone has broken her leg, that a person is wearing glasses or contact lenses, data about a person's intellectual and emotional capacity (such as IQ), information about smoking and drinking habits, data on allergies disclosed to private entities (such as airlines) or to public bodies (such as schools); data on health conditions to be used in an emergency (for example information that a child taking part in a summer camp or similar event suffers from asthma).
The category also includes health related data used in an administrative context, such as data disclosed to public bodies on whether one's household includes individuals with specific diseases and/or disabilities for the purpose of tax deductions or other allowances.
Health data also include: 'information derived from the testing or examination of a body part or bodily substance, including biological samples' and: any information about 'disease risk' and about 'the actual physiological or biomedical state of the data subject independent of its source'."
And much more: read the EU article for the full definition of health data.
According to Art. 8 of the Data Protection Directive (95/46/EC), health data are a special category of data to which a higher level of data protection applies.
To start with privacy law compliance, it is fundamental to first understand the service delivery chain and to identify the liability chain that applies to your case.
According to EU data protection law there are 3 different roles:
Data Subjects: the service users to whom the data belong.
Data Controllers: the entity responsible for data collection and management. If you are delivering your services directly to consumers (e.g. a fitness or disease tracking app), then you are the Data Controller. If you are delivering your service to a hospital, and the hospital then delivers your services to its users, then you are not (usually) nominated as Data Controller.
Note that Controllers have to satisfy the administrative requirements listed later on.
Data Processors: entities that help you deliver a service. Chino.io, for example, is a Data Processor, since it provides a set of services to you. If you are delivering your service to a hospital, and the hospital then delivers your services to its users, then you are usually nominated as Data Processor.
Assigning roles is the first step towards identifying the requirements you must satisfy and implement within your system.
These safeguards must be implemented to protect data. They require a huge amount of work, knowledge and time. They include:
Encryption of data in transfer
Encryption of data at rest (Storage)
Secure audit log
Reliability (QoS and SLA)
You must choose an IaaS provider that satisfies all EU rules for the processing and storage of sensitive data. The provider must ensure:
Reliable hosting infrastructure
Processing and storage located in the EU
Physical infrastructure protection
Certification depending on the nature of your health app
These requirements need to be considered case by case, involving lawyers and privacy experts. They include:
Providing you with security risk assessments
Helping you document your data processing
Helping you with Data Portability
Helping you with the Right to be Forgotten
Implementing technical and infrastructural requirements is complex, expensive, risky in case of errors, and time consuming. You can check this for yourself with our Calculator.
Chino.io implements all safeguards and offers developers a set of APIs that can be easily integrated into apps or servers to store sensitive data securely.
Administrative requirements must be analysed case by case to discover the implications of your specific data processing. Chino.io makes it easier, for example, to clarify to Data Protection Authorities and to your customers how you process and store collected data. However, you may need to involve lawyers and experts to complete the overall analysis.
What is the European Legislation about Data Protection?
The reference website for updates about Data Protection in the EU is: http://ec.europa.eu/justice/data-protection/
The reference website for updates about Cyber Security strategy in the EU is: https://ec.europa.eu/digital-agenda/en/cybersecurity
Proposal for a European General Data Protection Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). It defines a single data protection law in the EU and was approved at the beginning of 2016.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (the Data Protection Directive). Harmonises national laws which require high-quality data management practices on the part of the "data controllers" and guarantee a series of rights for individuals. It provides a generic description of categories of data and general data protection principles. It doesn't mention security safeguards and, having been defined many years ago, it does not mention topics such as the Cloud. It will be superseded by the forthcoming GDPR.
Regulation 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data of 18 December 2000. It regulates the processing of individuals' personal data when the processing is taking place by Community institutions and bodies.
Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services.
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.
Agreement on the first EU-wide legislation on cybersecurity of the European Parliament, the Council and the Commission. (12/2015).
EDPS Opinion 01/2015 on Mobile Health - Reconciling technological innovation with data protection. (5/2015)
EU Commission Green Paper on mHealth (4/2014)
EU Art. 29 Working Party letter on the scope of the definition of health data in connection with lifestyle and wellbeing apps (criteria to determine when personal data qualifies as “health data").
Art. 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC
Art. 29 Working Party Opinion 3/2013 on purpose limitation, Adopted on 2 April 2013, wp 203. (2013)
Art. 29 Working Party Working Document 01/2012 on epSOS, Adopted on 25 January 2012, wp 189. (2012)
Art. 29 Working Party Opinion 15/2011 on the definition of consent, Adopted on 13 July 2011, wp 187. (2011)
The Art. 29 Working Party - Future of Privacy: joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data, wp 168. (2009)
Art. 29 Working Party Working Document on the processing of personal data relating to health in Electronic Health Records (EHR), Adopted on 15 February 2007, wp 131. (2007)
The question "if and how single Member State privacy laws differ from EU Directives and among each other" is very difficult to answer.
Where EU Regulations apply (e.g. the GDPR) the question is not relevant: regulations are laws, not directives, and are directly enforceable within Member States.
Otherwise, Member States must implement the principles stated by EU Directives in national laws. In some States this process consisted of a simple translation of the directive text, while in other cases (e.g. Italy) the national laws contain some specific interpretations.
For this reason it is important to always analyse the national laws of the state where you are delivering your service. There could be differences, for example, in how the Data Protection Authority must be notified. Other principles, like data storage location, cannot change.
At Chino.io we constantly monitor changes and evolutions, especially those that relate to our business. For example, we ensure that our security measures, internal practices and procedures for managing health data ensure compliance within each Member State.
It is important to point out that at EU level privacy laws do not define all security requirements in detail. Usually laws and directives state general principles, such as that health and sensitive data must be encrypted, or that best security standards must be implemented. Those security standards are usually defined by specific bodies such as ENISA.
Another aspect to keep in mind is the national level certifications or specific requirements that a public body (e.g. a hospital) can impose on you.
While national level certifications are present only in France (and represent a huge obstacle for startups and innovation), specific requirements at hospital level must be considered case by case. For example, hospitals frequently ask you to deploy services within their own server farm, or to implement old-fashioned security strategies like VPNs.
At Chino.io we aim to help companies solve these challenges. Whenever you have a question, do not hesitate to contact us at email@example.com
Some useful resources:
Overview of the national laws on electronic health records in the EU Member States (2014)
Legal framework of Interoperable eHealth in Europe (2009), which analyses the legal and regulatory frameworks for electronic health delivery and services in each Member State.
EU Commission Justice Studies on Data Protection including single country reports.
EU Commission Comparative Study of different approaches to new privacy challenges in particular in the light of technological developments (2010)
ENISA: Security and Resilience in eHealth Infrastructures and Services investigates the approaches and measures to protect critical healthcare systems.
Handbook on European data protection law by the European Union Agency for Fundamental Rights (FRA) and the Council of Europe together with the Registry of the European Court of Human Rights.