Many apps collect information from users to improve their product continually. Some apps may even earn money on selling this data to other companies, that can use it for marketing or other purposes. If you, as a therapist recommend an app to a patient, you must be sure that the app lives up to the data security requirements that are made in the healthcare sector. In this way, you are more likely to avoid personal sensitive data ending up in the wrong hands.
The Danish law defines personal sensitive information as information about race or ethnic background, political, religious or philosophical belief, union membership and information about health or sexuality. It can also include information about criminal offences, social issues or other private information.
Personal sensitive information needs to be protected if the information can identify an individual. Personal information is any information that relates to an identified or identifiable living individual. This could include name, e-mail, address, phone number, date of birth, family, education, work, and any other information that can identify an individual.
In some apps, it is possible to share data on social media, e.g. Facebook. It might also be that an app reserves the right to share data with third parties. It is essential to know that if you allow an app to share data with any third party, those who receive the data might not treat the data with care. Therefore you need to make sure that the service or third party you share your data with also live up to a high data security standard. This way, you can very quickly end up reading a lot of privacy policies.
Facebook, for an example, does not live up to the data security requirements when treating personal data. It is not a problem to use apps in therapy or treatment that shares data with third parties if the user can choose to share the data or not. But if you are not able to decide whether to share data or not, you should not be using the app.
In many cases data is only stored local on the phone. If this is the case, be aware that if you delete the app, the data will be erased as well. If servers are storing the data, you need to make sure the server is located in the EU. If the data storage is outside the EU, it needs to fulfill the EU legal requirements for data storage. Also, be aware that data stored on your phone can end up in the cloud if you use iCloud, Dropbox or similar apps. It can be difficult to figure out whether developers outside the EU lives up to EU legal requirements, and therefore it can be a rule of thumb not to use their apps.
Encryption means to translate data to code that can only be interpreted or unlocked with the right encryption key. When personal sensitive data is encrypted, it can then be stored or transmitted without anyone irrelevant are able to access it.
When using an app in treatment, and the data is shared between devices or digital services. It is then essential that data is encrypted to ensure that data is safe.
How do I know if personal sensitive data is encrypted?
The CE mark is an EU standard that ensures that all European safety regulations are met. Medical equipment and some apps need the CE marking. The purpose is that equipment with the CE marking can be marketed in the EU.
It is only a limited number of apps and equipment that needs the CE marking. Only if the equipment is being marketed as medical equipment for diagnostic or therapeutic purposes a CE marking is necessary. Diagnostic or therapeutic purposes could include:
It is always the manufacturer’s responsibility to define the purpose of the equipment. It is the manufacturer who decides the purpose of the equipment and not the user’s way of using it.
You can read more about the CE marking here.
If a healthcare worker wishes to use an app in the treatment which makes data available for the healthcare worker. The healthcare worker then must take the responsibility of the data manager. It is the data manager that has an obligation to fulfil the law and regulations on data management.
In some cases, a data manager needs to make a data processing agreement with the ones who process the data.
You can use the data safety test in the App checker to see if a data processing agreement is needed. The need for a data processing agreement depends on whether or not the app uses personal sensitive data. Where the data is stored might also influence the need for a data processing agreement and if the data is connected to any third party device or software.
The data processor often is the app developer or the collaborators and suppliers. It is the app developer that ensures the safety of storing the data (unless data is stored locally). The developer also makes sure the data is properly encrypted.
It is the data processor that must ensure the practical components of keeping data secure: e.g. firewalls and other obstacles on the servers where data is stored.
A data processing agreement is a written agreement, which establishes the division of responsibilities between the data manager and the data processor regarding secure storage and processing of data. In many cases, a data processing agreement is necessary when personal sensitive information is involved.
You can read more about the role of the data manager and data processor as well as data processing agreements here.
If you would like to implement a specific app in treatment, in which a data processing agreement is required, we recommend contacting us at MindApps.dk for help.
Equal access to treatment
The Danish Healthcare Act ensures equal access to health care; this includes a link between the service and the cost of it. With this definition, apps are placed in a grey zone because you do not have to charge extra to benefit in treatment. Therefore, the clinic must cover the costs of an app. However, you are allowed to offer an app that costs money, if you at the same time, provide a similar free app. A payment app can also be provided as long as it is not part of the treatment, and is no direct recommendation. The same rules apply to access to equipment. If treatment is offered, the patient must have free access to the necessary equipment (smartphone or tablet).
Lending equipment or other treatment
A clinic may provide IT equipment or offer another treatment that does not require the same equipment. However, the quality of the treatment must be the same regardless of the equipment used. If a patient does not own the necessary equipment, the patient may not have the necessary technological understanding either. In this regard, an analogue solution is most likely to be better. It is, therefore, a question of assessing the individual patient and whether an app is suitable in the course of treatment.
Logging of data
According to the Danish safety regulations, public authorities must keep a log of the people who have or have had access to the data. If the information can be linked directly to a person, the logging must include the following: the time, user, indication of the person, applied search criteria and use of the data. The log must be stored for six months and then deleted. Authorities with special obligations can keep the log for up to 5 years. All uses of personal data in treatment must be logged.
The Danish health Act takes effect in the case of a data community where the therapist has direct access to patient data. If the data is on the patient’s device, and the therapist does not have direct access to it, there is no requirement for logging. It can be compared to data that a patient fills out on a piece of paper and brings to the therapy.
We recommend that you, as a therapist, contact MindApps.dk if you use an app with a data community.
We appreciate your input.