Commercialising health data: five takeaways from the ICO's Easylife decision
Published on 11th Nov 2022
What actions should businesses consider when looking to reuse customer health data?
The Information Commissioner's Office's (ICO) £1.35m fine of catalogue retailer, Easylife, for breaching data protection laws is a timely reminder for businesses commercialising health data about the importance of transparency and fairness, and the potential pitfalls of using health data to profile customers.
Easylife sells household items as well as a range of health products such as mobility devices and hearing aids. The ICO found that Easylife, over a one-year period, had identified 120 "trigger products" that were used to infer a customer's health conditions; for example, if a customer bought a device to open jars of food or a dinner tray, Easylife would use the purchase data to assume that the customer probably had arthritis. It would then arrange calls to the individual to market corresponding healthcare treatments (such as joint patches).
Following an investigation, the ICO fined Easylife for using personal data to predict an individual's medical condition and then target them with specific health-related products. Easylife was found to have breached requirements under data protection law to process personal data in a lawful, fair and transparent manner.
1. The scope of health data under article 9 of the UK GDPR is very broad
Easylife argued that it was not processing health data and so the enhanced data protection requirements relating to the processing of special categories of personal data, including health data, should not apply (such as the need to obtain the explicit consent of data subjects). The ICO disagreed. It decided that when Easylife used the transactional data to influence its decisions on which products to market to which customers, based on its inferences about a health condition that they were likely to have, this constituted the processing of special category health data. This was the case irrespective of the level of statistical confidence that Easylife had in the profiling it had undertaken.
To support its decision, the ICO cited the recent judgment of the Court of Justice of the European Union in OT v Vyriausioji tarnybines etikos komisija. In that judgment, the CJEU significantly expanded the scope of article 9 of the EU General Data Protection Regulation (EU GDPR) by confirming that the protections the EU GDPR gives to data subjects' special category data, including health data, extend beyond inherently sensitive data to data from which health information can be revealed indirectly, following an intellectual operation involving deduction and cross-referencing.
Action to consider. Review the types of data collected about individuals and how they are classified. If it is possible to infer health information from those datasets then the enhanced requirements under article 9 UK GDPR will likely apply regardless of the accuracy or value of the inferences.
2. Transparency with customers about the use of health data is vital
Transparency is a central theme of the UK GDPR and it is vital that businesses handling health data are upfront with customers about how their data is used. The ICO found that individuals were not informed by Easylife that any profiling of special category health data would occur and therefore the individuals could not have reasonably expected it to happen.
Action to consider. Ensure that privacy policies provide customers with accurate and comprehensive information about how their health data is used, and the legal justification for that use. This is particularly important where health data is used in a way that customers might not reasonably expect.
3. Health data cannot be processed without an appropriate legal basis in place
Any controller of personal data must have a legal basis to legitimise the use of that data. The ICO assessed that the only condition on which Easylife could have relied to process health data in the context of its health campaign was explicit consent. However, Easylife did not collect explicit consent for the profiling from individuals. In particular, the ICO did not accept Easylife's argument that it had obtained the requisite consent by notifying customers that it would be using their personal data to notify them of products "that might be of interest to you".
Action to consider. How is "consent" being used to justify the use of health data and does it satisfy the enhanced conditions of the UK GDPR?
4. Care is needed when processing health data about vulnerable individuals
The ICO was particularly concerned about the breach because Easylife targeted health conditions that typically affect the elderly. In the ICO's view, elderly customers may have less experience of the nuances of personal data processing and therefore may not be aware of the risks, or of the action they can take to prevent such processing. The ICO concluded that the marketing calls could have caused individuals to feel harassed and stressed, as well as potentially to suffer financial damage.
Action to consider. Businesses should take particular care when processing health data about vulnerable individuals such as children and the elderly. These groups are likely to suffer more serious and wide-ranging distress or damage in the event of non-compliance.
5. Businesses remain accountable for how they use health data
The principle of accountability underpins the UK GDPR – it says that as well as complying with the law, there must be a demonstration of compliance. The ICO identified Easylife's failure to conduct a data protection impact assessment (DPIA) as an aggravating factor when it assessed the amount of the fine. The ICO found that a DPIA might have assisted in preventing the contraventions altogether.
Action to consider. It is not enough for businesses processing health data to simply comply with the law. Organisational measures should be in place to ensure that DPIAs are carried out for uses of health data that are likely to result in high risk to customers' interests.
We help companies of all shapes and sizes to handle health data in a compliant way. If you want to find out more about this topic, how we can help you and about our practical experience in this area, please get in touch with one of our experts.
This article was produced with the assistance of Hannah Edwards, Trainee Solicitor.