Data and security

Why it is important to know about data security

Many apps collect information from users to improve their product continually. Some apps may even earn money on selling this data to other companies, that can use it for marketing or other purposes. If you, as a therapist recommend an app to a patient, you must be sure that the app lives up to the data security requirements that are made in the healthcare sector. In this way, you are more likely to avoid personal sensitive data ending up in the wrong hands.

Most apps describe in their privacy policy, which kind of data they collect and how they use it. You will often find the privacy policy in the App Store, Google Play store, in the app or on the app developer’s homepage. If an app that collects data do not describe which data they collect and the purpose of it, it is better not to use the app.

PROTECTION OF PERSONAL SENSITIVE INFORMATION
In Europe, the GDPR protects everyone. It must be complied to make sure that personal sensitive information is only used for legitimate purposes. Every private or public institution need to comply with the GDPR. Health professionals do have the responsibility to make sure only to recommend apps that comply with the GDPR. 

 

What is personal sensitive information?

The Danish law defines personal sensitive information as information about race or ethnic background, political, religious or philosophical belief, union membership and information about health or sexuality. It can also include information about criminal offences, social issues or other private information. 

Personal sensitive information needs to be protected if the information can identify an individual. Personal information is any information that relates to an identified or identifiable living individual. This could include name, e-mail, address, phone number, date of birth, family, education, work, and any other information that can identify an individual.

An example:

John wants to use an app to register his mood, sleep, symptoms and calorie intake to get an overview of his disease progress. The app needs John to enter his name, height, weight and e-mail to use the app. In this case, name, height, weight and e-mail is personal information as this data can identify John. Because the information John registers is health information and is connected to his personal information, this app needs to live up to high data security.
  

What do I need to remember when sharing data?

In some apps, it is possible to share data on social media, e.g. Facebook. It might also be that an app reserves the right to share data with third parties. It is essential to know that if you allow an app to share data with any third party, those who receive the data might not treat the data with care. Therefore you need to make sure that the service or third party you share your data with also live up to a high data security standard. This way, you can very quickly end up reading a lot of privacy policies.

Facebook, for an example, does not live up to the data security requirements when treating personal data. It is not a problem to use apps in therapy or treatment that shares data with third parties if the user can choose to share the data or not. But if you are not able to decide whether to share data or not, you should not be using the app.


Where is your data stored?

In many cases data is only stored local on the phone. If this is the case, be aware that if you delete the app, the data will be erased as well. If servers are storing the data, you need to make sure the server is located in the EU. If the data storage is outside the EU, it needs to fulfill the EU legal requirements for data storage. Also, be aware that data stored on your phone can end up in the cloud if you use iCloud, Dropbox or similar apps. It can be difficult to figure out whether developers outside the EU lives up to EU legal requirements, and therefore it can be a rule of thumb not to use their apps.


How do I delete or get a hold of my data?

It can be reassuring to know that the user at any time can delete sensitive personal data. If the app keeps data local on the phone, it is often enough to delete the app. If, on the other hand, data is stored on servers, you need to make sure that you can contact the developers to delete the data. Also it is crucial that it is described clearly how the user can get hold of his/her data. The privacy policy should state how to access your data. If both patient and healthcare workers have access to the personal data you need a data processing agreement. When dealing with shared data between patient and healthcare workers,  special legal requirements applies. You can read more about this further down the page.


What is encryption of data?

Encryption means to translate data to code that can only be interpreted or unlocked with the right encryption key.  When personal sensitive data is encrypted, it can then be stored or transmitted without anyone irrelevant are able to access it.

When using an app in treatment, and the data is shared between devices or digital services. It is then essential that data is encrypted to ensure that data is safe.

How do I know if personal sensitive data is encrypted?

In most cases you will need to contact the developer to get answers on questions about data encryption. Sometimes you will be able to find the answers in the app or the privacy policy.


What is the CE Marking?

The CE mark is an EU standard that ensures that all European safety regulations are met. Medical equipment and some apps need the CE marking. The purpose is that equipment with the CE marking can be marketed in the EU.

It is only a limited number of apps and equipment that needs the CE marking. Only if the equipment is being marketed as medical equipment for diagnostic or therapeutic purposes a CE marking is necessary. Diagnostic or therapeutic purposes could include:

  • Diagnosis, relapse prevention, monitoring or treatment of illnesses.
  • Diagnosis, relapse prevention, monitoring or relief of injuries or disabilities.
  • Examination, replacement or alteration of the anatomy or a physiological process.
  • contraception

It is always the manufacturer’s responsibility to define the purpose of the equipment. It is the manufacturer who decides the purpose of the equipment and not the user’s way of using it.

You can read more about the CE marking here.


What is a data processing agreement, and who is responsible?

If a healthcare worker wishes to use an app in the treatment which makes data available for the healthcare worker. The healthcare worker then must take the responsibility of the data manager. It is the data manager that has an obligation to fulfil the law and regulations on data management.

In some cases, a data manager needs to make a data processing agreement with the ones who process the data.

You can use the data safety test in the App checker to see if a data processing agreement is needed. The need for a data processing agreement depends on whether or not the app uses personal sensitive data. Where the data is stored might also influence the need for a data processing agreement and if the data is connected to any third party device or software.

Who is the Data processor?

The data processor often is the app developer or the collaborators and suppliers. It is the app developer that ensures the safety of storing the data (unless data is stored locally). The developer also makes sure the data is properly encrypted.

It is the data processor that must ensure the practical components of keeping data secure: e.g. firewalls and other obstacles on the servers where data is stored.

What is a data processing agreement?

A data processing agreement is a written agreement, which establishes the division of responsibilities between the data manager and the data processor regarding secure storage and processing of data. In many cases, a data processing agreement is necessary when personal sensitive information is involved.

Ansvarsfraskrivelse
The Data processing agreement is a contract that ensures that the data processor has taken the necessary security measures regarding storage and data processing. The data processing agreement also ensures that upon request, the data manager can see that the data processor has taken the needed security measures.
 

You can read more about the role of the data manager and data processor as well as data processing agreements here.

If you would like to implement a specific app in treatment, in which a data processing agreement is required, we recommend contacting us at MindApps.dk for help.


The Danish healthcare Act

Equal access to treatment

The Danish Healthcare Act ensures equal access to health care; this includes a link between the service and the cost of it. With this definition, apps are placed in a grey zone because you do not have to charge extra to benefit in treatment. Therefore, the clinic must cover the costs of an app. However, you are allowed to offer an app that costs money, if you at the same time, provide a similar free app. A payment app can also be provided as long as it is not part of the treatment, and is no direct recommendation. The same rules apply to access to equipment. If treatment is offered, the patient must have free access to the necessary equipment (smartphone or tablet).

Lending equipment or other treatment

A clinic may provide IT equipment or offer another treatment that does not require the same equipment. However, the quality of the treatment must be the same regardless of the equipment used. If a patient does not own the necessary equipment, the patient may not have the necessary technological understanding either. In this regard, an analogue solution is most likely to be better. It is, therefore, a question of assessing the individual patient and whether an app is suitable in the course of treatment.

Logging of data

According to the Danish safety regulations, public authorities must keep a log of the people who have or have had access to the data. If the information can be linked directly to a person, the logging must include the following: the time, user, indication of the person, applied search criteria and use of the data. The log must be stored for six months and then deleted. Authorities with special obligations can keep the log for up to 5 years. All uses of personal data in treatment must be logged.

The Danish health Act takes effect in the case of a data community where the therapist has direct access to patient data. If the data is on the patient’s device, and the therapist does not have direct access to it, there is no requirement for logging. It can be compared to data that a patient fills out on a piece of paper and brings to the therapy.

We recommend that you, as a therapist, contact MindApps.dk if you use an app with a data community.

 

Was the article helpful to you?

Up
Down

Thanks for your feedback

Tell why you liked or disliked this page.

Thank you

We appreciate your input.

Subscribe to our newsletter

Psykiatrien i Region Syddanmark Region Syddanmark