
Alwin van den Broek

Clinical Study Manager

February 26, 2016

Take care of personal (health) data!

On the International Day of Privacy (28th of January), the Dutch Data Protection Authority (DPA) announced its surveillance calendar for 2016. In line with the focus of previous years, the DPA will concentrate on the following areas: protection of personal data, Big Data and profiling, personal data within (digital) public governments, personal data in relation to employment, and personal health data. This last focus area is definitely worth a closer look.

More and more (health) data is collected not only by health care providers and patients; in today’s world, several apps also collect (and process) personal data. However, it seems it is not always clear that some personal data qualifies as health data. A good example is the recently published report by the DPA about a running application for your smartphone. Here is what interests us the most.

The application requires you to create an account, registering your full name, date of birth, gender, country and e-mail address. In order to calculate distance and speed while running, the app uses location information from your smartphone. If you ask the app to calculate the calories burned, you also have to enter your height and weight. When you use this app, the developer is able to generate a health profile and compare it with the profiles of other users. So, it is not only the type of data that makes it personal health data, it is also how it can be processed.

The data in this example is considered sensitive personal data. Processing such data is subject to strict regulations and it is prohibited to process this data without prior explicit and specific consent of the user.

With this in mind, we would like to refer to the obligation to report data leaks, which applies in the Netherlands as of January 1st, 2016. (Personal) data, such as data for smartphone applications, is more and more often placed in the cloud to make it easily accessible and shareable by users. However, this also brings an increased risk of data leaks. Personal (health) data is to be handled with care, and appropriate protection of it is one of the priorities of the DPA. Non-compliance with this new reporting obligation can give rise to administrative fines with a maximum of € 820.000.

Recommendation: If a third party is involved in the processing of data for which you are the controller, it is important to take a close look at your agreements with regard to ensuring data protection and this new reporting obligation for data breaches.

By Alwin van den Broek

Factory CRO for Medical Devices

Acknowledgements
Sofie van der Meulen
Axon Lawyers

About the author

Alwin van den Broek Clinical Study Manager

Alwin has a special interest in the regulatory framework and data privacy regulations.
