CTA’s Guiding Principles for Health Data Privacy

On September 12, the Consumer Technology Association released its “industry-developed” voluntary privacy principles for organisations that handle consumer health and wellness data.

Developed through a collaboration of CTA members, the principles cover “the collection, use and sharing of data generated from personal health and wellness devices, apps, websites and other digital tools.”

Whilst the principles are clearly intended for use in the US context, there is more than a nod to laws outside of the US, most obviously the EU’s General Data Protection Regulation (“GDPR”).

The CTA’s Five Principles

Here is a summary of the five guiding principles adopted by the CTA:

Principle 1: Be open and transparent about the personal health information you collect and why.

This aligns very closely with the GDPR’s transparency principle (Article 5.1(a)) and focusses on ensuring consumers are provided with clear information about how their data will be used.

The advice in respect of how this is done reflects good practice. However, the CTA has defined “a method of communication information about how you collect, use, and disclose consumer data” as a “Privacy Policy”. In my view this is incorrect nomenclature. Privacy professionals who know how to design and implement an effective compliance framework will tell you this is not what a privacy policy is (or should be).

Principle 2: Be careful about how you use personal health information.

The wording of this principle belies its importance. Speaking to the fundamental basis of the GDPR, and aligning with the purpose limitation in Article 5.1(b), the principle seeks to ensure consumer data is used only in the way the consumer would expect it to be used.

The recommendations include data minimisation (Article 5.1(c) of the GDPR), obtaining consent for the use of personal data, keeping data for only as long as it is needed (GDPR Article 5.1(e)) and the completion of privacy impact assessments.

I am pleased to see the consent recommendation reflects, almost word-for-word, the consent standard set out in the GDPR. However, I feel the recommendation that consent should be sought for the use of all personally identifiable information may be unnecessary and impractical. This risks eroding the principle by encouraging organisations to not adopt the consent recommendation at all.

Principle 3: Make it easy for consumers to access and control the sharing of personal health information, and empower them to do so.

This principle is summarised in the CTA’s recommendation to:

Give consumers the right and the means to access and correct their personal health information

Reflecting in part the accuracy principle in Article 5.1(d) of the GDPR, the principle encourages building these rights into technology interfaces. This is a bold move into privacy by design and is to be applauded.

Principle 4: Build strong security into your technology.

In a similar way to the integrity and confidentiality principle in the GDPR, this is a focus on “administrative, technical and physical safeguards” for personal health information, and in part draws from terminology both in the GDPR and ISO27001. There is so much that can be said about security, but as a summary this principle expresses it well.

Principle 5: Be accountable for your practices and promises.

The principle of accountability is a golden thread that runs through the GDPR, and it’s interesting to see the principle adopted in these guidelines. The recommendation that the organisation appoint an individual responsible for the security and privacy of health information reflects the acknowledgment that the use of consumer health data represents a real risk to both the consumer and the organisation, so should be managed accordingly.

It is also interesting to see included a watered-down version of the GDPR requirements relating to the selection and appointment of service providers (data processors in GDPR parlance). However, given the risks posed by service providers (a risk we are constantly reminded of), I would have liked to have seen more focus on this area.

What’s missing?

The guidelines are not intended to be comprehensive, binding legal requirements in respect of the use of personal health information in the US. As a consequence, and inevitably, there are things missing. So, I’m suggesting a small number of additional principles that could be considered:

Principle 6? Only use personal health information when it is necessary.

Whilst the guidelines call for the minimisation of personal health information collected, used and disclosed, it would have been more powerful to recommend that personal health information should be used only when it is necessary to do so – that necessity being informed by a privacy impact assessment. This would have better informed organisations that they should think not only about how much personal health information they collect, but also whether they really need it all – considered in the context of the risk to the consumer.

Principle 7? Understand the risks to consumers of using their data and mitigate them.

In respect of privacy impact assessments (PIAs), Principle 3 states their purpose is:

“to demonstrate that you have consciously incorporated privacy protections throughout the development life cycle of a system, program or process.”

It would have been better to make it clear that an assessment should be approached from the perspective of the consumer, to ensure that all the legal requirements, and adopted voluntary principles, have been met. The principle could also explain that a PIA should identify the risks associated with the use of personal health information and ensure those risks are addressed.

Principle 8? Make it easy for consumers to move their data.

In the context of health and wellness applications, the ability for consumers to move their personal health information from one application to another will become more important, and more powerful, both for the consumer and the industry as a whole.

Including a means for personal health information to be kept by the consumer and made available to other applications respects both that the information belongs to the consumer and that there is value in it.

Principle 9? Restrict the transfer of personal health information.

The value of personal health information is significant, and that should be acknowledged through a commitment to consumers that their information will not be transferred to third parties for their use save in explicit circumstances. These circumstances could include getting very specific consent in the context of clear advice on where the information is going, for what reasons, and under what conditions.

Principle 10? Delete personal health information of a consumer when they ask you.

Finally, a fundamental right in respect of your personal health information must be the ability to ask whoever has it to delete it. Unfortunately, this has not been addressed adequately in the guidelines through the other principles, so is a significant missing piece.

A final view

These principles represent very worthy, concise and clear recommendations for consumer technology businesses operating in the US market in the use and protection of personal health information. Those businesses adopting them and, most importantly, embracing them fully, will certainly be demonstrating a strong ethical commitment to the privacy of their consumers – and that can only be a good thing. In addition, alignment with privacy principles enshrined in the law of non-US jurisdictions, like the EU, will help ensure adopters have the right foundations for compliance with those laws for their international consumer base.

However, this is a developing space, so it will be important for the CTA to build on these principles and encourage the continuing improvement of its members’ response to consumer privacy.

The CTA’s Guiding Principles can be found at: https://www.cta.tech/cta/media/Membership/PDFs/CTA-Guiding-Principles-for-the-Privacy-of-Personal-Health-and-Wellness-Information.pdf
