Wellness Data Is Health Data?
Nike has made changes to its Running App after the Autoriteit Persoonsgegevens (AP) determined that the app was collecting sensitive health data without appropriate consent and that no limit was placed on retention of that data. The sensitive health data collected included:
• walking distances, speeds and times
• calories burned
• stride length
jbho: food for thought. Even though you might not be using health-related data as a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, the regulators might consider wellness data as PHI anyway.
UPDATE: 20Apr2017 – The AP announced BlueTrace has ceased WiFi tracking, obviating the need for fines, and closing the matter.
Cease And Desist Order Against In-Store WiFi Tracker
The Autoriteit Persoonsgegevens (AP) has issued a cease and desist order against WiFi Tracker BlueTrace. The order gives BlueTrace six months to:
• ensure data is not collected from individuals in neighboring properties
• immediately delete or anonymize data collected from passersby
• post notice that the collection is taking place, including how long data will be kept and who to contact for additional information
If the above are not completed within the required six months, the AP can issue fines of €5,000 (~ $5,500) per week, capped at €100,000 (~ $110,000).
jbho: as device tracking becomes more ubiquitous, it will be interesting to see how DPAs respond.