Habeas Data, the guardian of personal health data
In its IP notebook of May 2014, the CNIL took an interest in the human body as a new connected object, notably with regard to digital respect for the individual through data and, more particularly, respect for the body by connected objects. While the Magna Carta provides for Habeas Corpus, the CNIL proposes the idea of a Habeas Data to protect health data.
With the proliferation of connected objects related to the quantified self, the health data of individuals has increased tenfold. Unlike conventional personal data, health data is of a sensitive nature. Indeed, this data affects not only the individual but also his family, due to genetic connections. It may thus be the source of discrimination based on the health status of the individual.
The CNIL highlights the fact that, despite being highly regulated in France and Europe, health data is not clearly defined. While some would prefer a broad definition, leaving room for the courts’ interpretation, others wish to promote a clearer definition for the sake of legal certainty. The draft European regulation on personal data, which is currently under discussion, provides the following definition: “any information relating to the physical or mental health of a person, or the provision of health services to that person.” Another recommended option is a gradation of data according to sensitivity, so as to treat the data in a less simplistic way than as ‘sensitive’ or not.
A paradox can be discerned between the commercial value of the data related to Big Data and the principle of inalienability of the human body. It seems that restrictions of use should be imposed, particularly to prohibit the marketing of health data. Ethical and fundamental principles must be established to curb infringements.
Finally, the CNIL suggests distinguishing apps for medical purposes (providing a diagnosis, treatment or prevention means) from non-medical apps. This would afford more security to the individual from a physical and digital point of view. This highlights the complexity of managing health data, which affects not only personal data but also the privacy of the individual and the dignity that he is legally entitled to.
Owing to the special nature of these data, the European Commission recommended, on 12 May 2009, the use of Privacy Impact Assessments for quantified self apps. These could provide for more stringent requirements as regards safeguarding the data and information of individuals.
Dreyfus can assist you in auditing your data collection and can help you develop privacy policies consistent with French and European regulations.