In its “Position paper on cloud-based digital health applications”, the German Data Protection Conference (DSK) makes its usual strict comments, including on the responsibility of the manufacturers of digital health services:
The GDPR obliges controllers and processors, Art. 4 nos. 7 and 8 GDPR. Manufacturers assume the role of a controller if, in addition to producing the digital health application, they also decide on the purposes and means of data processing. Notwithstanding this, they may be considered processors if they process personal data on behalf of a controller in accordance with Articles 28 and 29 GDPR. If, on the other hand, the involvement is limited to the production of the health application, so that the manufacturers do not process any personal data of the users, the manufacturers are neither controllers nor processors.
In addition to manufacturers, there are other parties involved in the processing of personal data in digital health applications, such as doctors and other medical service providers as well as cloud service providers. The role of these parties from a data protection perspective must be examined on a case-by-case basis.
It also follows from the privacy by design principle – actually rather from the proportionality requirement – that there should be no cloud connection if it is not necessary and desired:
The use of the health application (e.g. an app for reading and storing glucose values) must also be possible without using the cloud functions and without linking to a user account, in accordance with the principle of “data protection through technology design and data protection-friendly default settings” pursuant to Art. 25 para. 1 GDPR, unless the cloud function is absolutely necessary for the use of the application to achieve a therapeutic benefit and the function is expressly requested by the data subject.
The data subject must be given a corresponding choice (e.g. in the registration process) and informed of any existing benefits and risks associated with the cloud application. In the event of a decision against cloud-based processing, the data may at most be stored locally on the end device.
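The following is an added example, not code from the DSK paper or from any product it discusses, of how the default described in the two passages above can be enforced in an app's storage layer: readings are always stored on the end device, the cloud path is closed until an explicit opt-in is recorded, and that opt-in is only accepted if the user was informed of the benefits and risks first. All class and method names (`HealthDataStore`, `record_choice`, `withdraw_cloud`) are this example's own assumptions.

```python
"""Consent-gated cloud sync for a health app.

Added example (not code from the DSK paper): the app works fully with
local storage and only processes data in the cloud after an explicit,
informed opt-in by the data subject. All class and method names are
this example's assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional


class CloudChoice(Enum):
    LOCAL_ONLY = "local_only"   # data protection-friendly default
    CLOUD = "cloud"             # requires an informed opt-in


@dataclass(frozen=True)
class GlucoseReading:
    timestamp: str      # ISO 8601; sample values are constructed
    mmol_per_l: float


@dataclass(frozen=True)
class ConsentRecord:
    choice: CloudChoice
    informed_of_benefits_and_risks: bool
    recorded_at: str


class ConsentError(Exception):
    """Cloud processing was requested without a valid, informed opt-in."""


@dataclass
class HealthDataStore:
    # Storage on the end device; a list stands in for a local database.
    local: List[GlucoseReading] = field(default_factory=list)
    # Cloud upload callback, injected so the example runs offline.
    uploader: Optional[Callable[[GlucoseReading], None]] = None
    # No consent record at all means: local only, no account link.
    consent: Optional[ConsentRecord] = None

    def record_choice(self, choice: CloudChoice, informed: bool, when: str) -> None:
        """Registration step: record the data subject's choice.

        An opt-in to cloud processing is only accepted if the user was
        informed of the benefits and risks first; the local-only default
        needs no such information and is always accepted.
        """
        if choice is CloudChoice.CLOUD and not informed:
            raise ConsentError("cloud processing requires informed consent")
        self.consent = ConsentRecord(choice, informed, when)

    def cloud_enabled(self) -> bool:
        """True only with an explicit, informed opt-in on record."""
        c = self.consent
        return (c is not None
                and c.choice is CloudChoice.CLOUD
                and c.informed_of_benefits_and_risks)

    def store_reading(self, reading: GlucoseReading) -> str:
        """Store a reading and report where it went ("local" or "cloud").

        Local storage always happens, so the app remains usable without any
        cloud function; the upload is an addition, never a precondition.
        """
        self.local.append(reading)
        if not self.cloud_enabled():
            return "local"
        if self.uploader is None:
            raise RuntimeError("cloud opt-in recorded but no uploader configured")
        self.uploader(reading)
        return "cloud"

    def withdraw_cloud(self, when: str) -> None:
        """Revert to the default: from now on data stays on the device."""
        self.consent = ConsentRecord(CloudChoice.LOCAL_ONLY, True, when)
```

The design point is that the consent check sits in the storage layer rather than in the registration screen alone, so a UI defect or a later feature cannot route data to the cloud while the user's recorded choice is still local-only.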
When health data is used, the question of the legal basis then arises – in this case, consent can be considered if the data is not anonymized and if the manufacturers are not legally obliged to process the data, for example under the Medical Devices Regulation for quality assurance and risk management.
Processes such as reach analysis and software error tracking are then incompatible with the purpose:
The frequently implemented reach analysis mechanisms and software error tracking mechanisms, which are typically integrated into software development environments and delivered together with apps and web applications, check the installation behavior and general functionality aspects of the software (telemetry). This data processing is generally not compatible with the purpose of the application.
In connection with data security, the DSK lists some security measures that should be considered. Furthermore:
The Technical Guideline (TR) “Security requirements for digital health applications” developed by the German Federal Office for Information Security (BSI) (BSI TR-03161) applies to all mobile applications that process and store sensitive data. In principle, the BSI demands that security requirements for confidentiality, integrity and availability be considered from the very beginning of software development. This technical guideline is intended to serve as a guide to support application developers in creating secure solutions. It is divided into three parts:
- BSI TR-03161 Requirements for applications in the healthcare sector – Part 1: Mobile applications
- BSI TR-03161 Requirements for applications in the healthcare sector – Part 2: Web applications
- BSI TR-03161 Requirements for healthcare applications – Part 3: Background systems