In March 2015, the European Commission (EC) presented its latest draft of the mHealth Code of Conduct, which relies on self-assessment and self-declaration of a mobile health app's compliance with European data protection law and does not require external audits or third-party due diligence. If adopted this year, all eHealth application developers based in, or marketing their apps within, the EU will be obliged to publish a statement of compliance including a Privacy Impact Assessment (PIA) to facilitate enforcement and verification. Assisted by the compliance statements and PIAs provided by app developers, enforcement will still remain the responsibility of the national Data Protection Authorities (DPAs).
The Privacy Impact Assessment is intended to help mobile health app developers determine if they've respected the key requirements of the above-mentioned Code of Conduct and if they've followed best privacy practices before releasing the app.
The PIA is not legal advice and doesn't provide perfect assurance that your eHealth / telemedicine app operates in full compliance with data protection laws. Rather, it's a recommended assessment framework that can be completed by PMs / tech leads of your app development project.
So, how can mobile health app developers assess their app privacy impact to submit along with compliance statements?
Answering the questions below will help you conduct a PIA effectively.
PIA questions to be answered by your app development team:
1. What kind of personal data will be processed by your mobile health app?
2. For which purposes will your app process personal data (e.g., core functionality, backups, Big Data analysis)?
3. How did you obtain consent from your app users to process their data for every foreseen use case? If your app may be used by minors, did you implement processes to involve parents or guardians?
4. Did you assign a person on your app dev team who is responsible for answering privacy-related questions about your application? Did you clearly inform your users how they can contact that person?
5. Did you involve a healthcare professional (e.g. a doctor or hospital manager) in consultations about the app's functionality and features when scoping out your project? Did you ensure that the data processed by your app is relevant to the app's goals and is not open to misinterpretation by users?
6. Was the data pseudonymised or anonymised wherever possible?
7. Did you build appropriate authorization mechanisms into the app to prevent unauthorised access? Did you use effective encryption to mitigate the risk of a data breach?
8. Did you conduct any independent system security audits?
9. Did you inform users about when an updated release of your app will be available?
10. Was the app developed using recognised secure software development guidelines / best practices?
11. Was your app tested using mock data before being made available to real end users?
12. Are you able to identify and address data breach incidents that affect remotely stored data?
13. If your app needs to transfer collected and processed data to a 3rd party, did you obtain appropriate contractual guarantees with respect to their obligations (e.g. purpose limitation, security measures, 3rd-party liability, data transfers outside the EU, etc.)?
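Question 6 (pseudonymisation vs. anonymisation) is the one most often answered "yes" on the strength of a plain hash of the patient identifier, which is not a pseudonym at all when the identifier format is known. The following is an added example, not code from the Code of Conduct or from any particular app: it pseudonymises constructed sample records with a keyed HMAC, anonymises them by dropping direct identifiers and generalising the date of birth, and shows why the unkeyed-hash shortcut is reversible. The identifier format `NHS-NNNNNNN`, the record fields and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample records for the example; not real patients.
SAMPLE_RECORDS = [
    {"patient_id": "NHS-0000123", "name": "Alice Example", "dob": "1984-03-12", "glucose_mmol": 5.6},
    {"patient_id": "NHS-0000456", "name": "Bob Example", "dob": "1979-11-30", "glucose_mmol": 7.1},
]

# Secret used only for pseudonymisation. In a real deployment this would live
# in a server-side secret store or HSM, never in the app bundle or the dataset.
PSEUDONYM_KEY = secrets.token_bytes(32)


def weak_pseudonym(patient_id: str) -> str:
    """Unkeyed SHA-256 of the identifier: deterministic, but reversible by
    enumeration whenever the identifier space is small or structured."""
    return hashlib.sha256(patient_id.encode()).hexdigest()


def keyed_pseudonym(patient_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """HMAC-SHA256 under a secret key: records stay linkable across uploads,
    but re-identification requires the key, which the data holder does not get."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Replace direct identifiers with a keyed pseudonym; keep clinical fields."""
    out = {k: v for k, v in record.items() if k not in ("patient_id", "name")}
    out["pseudonym"] = keyed_pseudonym(record["patient_id"], key)
    return out


def anonymise(record: dict) -> dict:
    """Drop identifiers entirely and generalise date of birth to birth year.
    Nothing is kept that links the row back to a person, so there is no key to protect."""
    out = {k: v for k, v in record.items() if k not in ("patient_id", "name", "dob")}
    out["birth_year"] = record["dob"][:4]
    return out


def brute_force(target: str, pseudonym_fn: Callable[[str], str], max_id: int = 10_000) -> Optional[str]:
    """Attacker who knows the identifier format tries every candidate through
    the pseudonym function they can compute and looks for a match."""
    for n in range(max_id):
        candidate = f"NHS-{n:07d}"
        if hmac.compare_digest(pseudonym_fn(candidate), target):
            return candidate
    return None


if __name__ == "__main__":
    rec = SAMPLE_RECORDS[0]
    # Unkeyed hash: reversed in a few thousand guesses.
    print("weak reversed to:", brute_force(weak_pseudonym(rec["patient_id"]), weak_pseudonym))
    # Keyed pseudonym: attacker without PSEUDONYM_KEY can only try a guessed key, which fails.
    attacker_fn = lambda s: keyed_pseudonym(s, key=b"attacker-guess")
    print("keyed reversed to:", brute_force(keyed_pseudonym(rec["patient_id"]), attacker_fn))
    print("pseudonymised:", pseudonymise(rec))
    print("anonymised:", anonymise(rec))
```

The distinction matters for the PIA answer: a pseudonymised dataset is still personal data under EU data protection law as long as someone holds the key, so questions 7, 12 and 13 (access control, breach handling and third-party contracts) still apply to it; only a genuinely anonymised dataset falls outside that scope.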
Hopefully this will help your team conduct a proper PIA and publish a condensed summary to your end users prior to release. And don't forget to check how your app dev team should monitor the end-user experience once the app is in production!