Privacy (GDPR)

Privacy for Health Applications Fighting COVID-19

The current situation with COVID-19 is triggering social changes that will outlast the pandemic. One of them is a boom in Medtech / health-tracking apps. A recent launch of an app for self-reporting coronavirus symptoms in the UK saw 750k downloads during the first 24 hours, and this is only the beginning.

The overall trend of tracking and reporting health issues will grow, but that is no reason to forget about the privacy of app users. All such apps collect personal data of a highly sensitive nature. Because it discloses the state of an individual's wellbeing, the information could potentially be abused by third parties. UK / EU legislation calls health data "special categories of data" and requires strict safeguards for its processing.

Failures to address privacy issues have already been noted by government bodies: a Belgian data authority stated earlier that several health-related apps fighting coronavirus fail to comply with applicable data protection requirements. Without undermining the importance of the efforts against COVID, the authority urged companies to remember and comply with the relevant GDPR requirements.

In emergency situations, such as the COVID pandemic, the privacy of users must be balanced with the public health interest. Where necessary to address public health risks, app providers can disclose their users' data to the competent bodies. At the same time, organisations must remain accountable for how they handle that data.

We prepared 5 tips to remember when deploying a Medtech / health-tracking app.

  1. Accountability. Have a clear map of the data collected from users. Document what you do with the collected data. All emergency or urgent disclosures to state bodies must be documented. This documentation will later help you justify why, and on what grounds, you disclosed the data.
  2. Data Minimisation. Only collect or record personal data if it is strictly necessary to achieve a specific task. Where possible, the user must remain anonymous to other users. The practice of excessive data collection must be avoided in general, and this is not the right time to use the data for marketing.
  3. Transparency. Inform users of how you use and disclose their data. This is usually done in the form of a Privacy Statement / Privacy Policy with case-specific information points. When sensitive data is processed, transparency is the key that helps build trust with users.
  4. Information Security. Protect the data from unauthorised access. With the growing popularity of health-tracking apps, the number of malicious parties seeking access to that data increases as well. Make sure you are protected against data breaches.
  5. Respect doctor-patient relationships. If you are providing a tool for doctors to interact with their patients, remember that the information is protected by doctor-patient confidentiality. We recommend facilitating the doctor's control over patient data and bearing in mind professional accountability obligations.

We believe that the current challenges associated with COVID-19 can and must be addressed by joint efforts. It is definitely not the time to make trade-offs between protection of the end user and the public interest, but rather to make it a positive-sum situation.

If you need help with privacy issues, our network of legal professionals is here to help.

Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.


Vlad Nekrutenko, CIPP/E

Privacy Lawyer at Legal Nodes

