DSK: Position paper on cloud-based digital health applications

The German Data Protection Conference (DSK) has published a “Position paper on cloud-based digital health applications” containing its usual strict comments, including on the responsibility of the manufacturers of digital health services:

The GDPR obliges controllers and processors, Art. 4 nos. 7 and 8 GDPR. Manufacturers assume the role of a controller if, in addition to producing the digital health application, they also decide on the purposes and means of data processing. Notwithstanding this, they may be considered processors if they process personal data on behalf of a controller in accordance with Articles 28 and 29 GDPR. If, on the other hand, the involvement is limited to the production of the health application, so that the manufacturers do not process any personal data of the users, the manufacturers are neither controllers nor processors.

In addition to manufacturers, there are other parties involved in the processing of personal data in digital health applications, such as doctors and other medical service providers as well as cloud service providers. The role of these parties from a data protection perspective must be examined on a case-by-case basis.

It also follows from the privacy by design principle – actually rather from the proportionality requirement – that there must be no cloud connection if it is not necessary and desired:

The use of the health application (e.g. an app for reading and storing glucose values) must also be possible without using the cloud functions and without linking to a user account, in accordance with the principle of “data protection through technology design and data protection-friendly default settings” pursuant to Art. 25 para. 1 GDPR, unless the cloud function is absolutely necessary for the use of the application or required for the achievement of a therapeutic benefit, and the function is expressly requested by the data subject.

The data subject must be given a corresponding choice (e.g. in the registration process) and informed of any existing benefits and risks associated with the cloud application. In the event of a decision against cloud-based processing, the data may at most be stored locally on the end device.

When health data is used, the question of the legal basis then arises – in this case, consent can be considered if the data is not anonymized and if manufacturers are not legally obliged to process data, for example under the Medical Devices Regulation for quality assurance and risk management.

Incompatible with the purpose are then processes such as range (reach) analysis and software error tracking:

The frequently implemented range analysis mechanisms and software error tracking mechanisms, which are typically integrated into software development environments and delivered together with apps and web applications, check the installation behavior and general functionality aspects of the software (telemetry). This data processing is generally not compatible with the purpose of the application.
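As an added illustration of the two requirements above (local-only operation as the default, with cloud synchronisation and telemetry only after an explicit, revocable choice by the user), the following Python sketch models how a glucose app can enforce that in code. It is example code written for this post, not code from the DSK paper, the BSI or any real application; the class, field and purpose names are assumptions.

```python
"""Privacy-by-default data handling for a health app.

Readings are always stored locally. Nothing is queued for transmission to
the cloud, and no error telemetry leaves the device, unless the data
subject has granted consent for exactly that purpose and has not withdrawn
it. Added example; all names below are assumptions, not a real API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Purposes the app may ask the user about (assumed names).
PURPOSES = {"cloud_sync", "telemetry"}


@dataclass
class Consent:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class HealthStore:
    local_readings: List[Dict] = field(default_factory=list)   # always written
    cloud_outbox: List[Dict] = field(default_factory=list)     # only with consent
    local_error_log: List[str] = field(default_factory=list)   # always written
    telemetry_outbox: List[str] = field(default_factory=list)  # only with consent
    consents: Dict[str, Consent] = field(default_factory=dict)

    def has_consent(self, purpose: str) -> bool:
        c = self.consents.get(purpose)
        return c is not None and c.active()

    def grant(self, purpose: str) -> None:
        """Record an explicit opt-in (e.g. a choice made during registration)."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.consents[purpose] = Consent(purpose, datetime.now(timezone.utc))

    def withdraw(self, purpose: str) -> None:
        """Withdrawal stops further transmissions; local use keeps working."""
        c = self.consents.get(purpose)
        if c is not None and c.active():
            c.withdrawn_at = datetime.now(timezone.utc)

    def record_glucose(self, mmol_per_l: float) -> Dict:
        """Store a reading on the device; queue it for the cloud only on opt-in."""
        reading = {"mmol_per_l": mmol_per_l,
                   "at": datetime.now(timezone.utc).isoformat()}
        self.local_readings.append(reading)          # default: local only
        if self.has_consent("cloud_sync"):
            self.cloud_outbox.append(reading)
        return reading

    def report_error(self, message: str) -> bool:
        """Log the error locally; forward to a crash service only on opt-in.
        Returns True if the report was queued for transmission."""
        self.local_error_log.append(message)
        if self.has_consent("telemetry"):
            self.telemetry_outbox.append(message)
            return True
        return False

    def pending_transmissions(self) -> int:
        """Items waiting to leave the device; 0 means fully offline use."""
        return len(self.cloud_outbox) + len(self.telemetry_outbox)


if __name__ == "__main__":
    app = HealthStore()
    app.record_glucose(5.6)             # stays on the device
    app.report_error("sensor timeout")  # stays in the local log
    print("pending before opt-in:", app.pending_transmissions())
    app.grant("cloud_sync")
    app.record_glucose(6.1)             # now also queued for the cloud
    print("pending after opt-in:", app.pending_transmissions())
```

The design choice worth noting is that the fully local path is the unconditional one and the network paths are the guarded additions, so a missing or withdrawn consent can never cause data loss for the user, only a smaller set of outgoing transmissions.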

In connection with data security, the DSK lists some security measures that should be considered. Furthermore:

The Technical Guideline (TR) “Security requirements for digital health applications” developed by the German Federal Office for Information Security (BSI) (BSI TR-03161) applies to all mobile applications that process and store sensitive data. In principle, the BSI demands that security requirements for confidentiality, integrity and availability be considered from the very beginning of software development. This technical guideline is intended to serve as a guide to support application developers in creating secure solutions. It is divided into three parts:

  • BSI TR-03161 Requirements for applications in the healthcare sector – Part 1: Mobile applications
  • BSI TR-03161 Requirements for applications in the healthcare sector – Part 2: Web applications
  • BSI TR-03161 Requirements for healthcare applications – Part 3: Background systems