November 2016
Wellness Data Is Health Data?
Nike has made changes to its Running App after the Autoriteit Persoonsgegevens (AP) determined that the app was collecting sensitive health data without appropriate consent and placed no limit on the retention of that data. The sensitive health data collected included:
• walking distances, speeds and times
• calories burned
• stride length
• gender
• height
• weight
• location
Nike has modified its app to notify users of data collection more clearly, and has updated its privacy policy to state more clearly what data is collected and how it is used. Additionally, Nike will encrypt app data older than 13 months so it will only be accessible to the app user. Data will then be deleted after four years.
https://autoriteitpersoonsgegevens.nl/nl/nieuws/ap-nike-be%C3%ABindigt-overtredingen-hardloop-app
jbho: food for thought. Even though you might not be using health-related data as a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, the regulators might consider wellness data as PHI anyway.
UPDATE: 20Apr2017 – The AP announced BlueTrace has ceased WiFi tracking, obviating the need for fines, and closing the matter.
https://autoriteitpersoonsgegevens.nl/nl/nieuws/bluetrace-be%C3%ABindigt-overtredingen-wifi-tracking-na-optreden-ap
August 2016
Cease And Desist Order Against In-Store WiFi Tracker
The Autoriteit Persoonsgegevens (AP) has issued a cease and desist order against WiFi tracker BlueTrace. The order gives BlueTrace six months to:
• ensure data is not collected from individuals in neighboring properties
• immediately delete or anonymize data collected from passersby
• post notice that the collection is taking place, including how long data will be kept and who to contact for additional information
If the above are not completed within the required six months, the AP can issue fines of €5,000 (~ $5,500) per week (capped at €100,000 (~ $110,000)).
BlueTrace has agreed to limit collection to store hours, and has set a maximum retention period of 24 hours. Both are welcomed by the AP. BlueTrace has drafted a privacy policy, and created stickers and information leaflets about the WiFi tracking. However, the AP currently considers this work ‘incomplete.’
https://autoriteitpersoonsgegevens.nl/nl/nieuws/ap-legt-wifi-tracker-bluetrace-last-onder-dwangsom-op
jbho: as device tracking becomes more ubiquitous, it will be interesting to see how DPAs respond.