Legislation and Data Protection – Risk Analysis (2).

1. Practice statement.


This practical case focuses on the analysis of an innovative health application called “VitalGuard”, developed by the company BioLife Tech S.L., a company specialized in offering medical assistance insurance. “VitalGuard” is available for mobile devices operating on Android and iOS and is specifically designed to monitor the health of elderly people, providing quick assistance in emergency situations. Its most notable features include:

  1. An emergency button that communicates via Bluetooth with the phone’s application to activate an SOS signal when the user requires it.
  2. The registration of vital data such as heart rate, blood oxygen levels, physical activity, body temperature, and movement patterns. “VitalGuard” provides detailed weekly reports to the user’s family members through the application.

The goal of “VitalGuard” is to be an advanced alternative to conventional tele-assistance systems, offering more complete monitoring and an effective communication channel for the family members responsible for the user’s care.

The collection of monitoring data is done through a discreet bracelet that can be worn on the wrist or ankle, which connects to the application via Bluetooth.

For guidance on the legal and privacy aspects, reference can be made to Opinion 2/2013 on apps on smart devices, 00461/13/ES WP 202, of February 27, 2013, adopted by the Article 29 Data Protection Working Party.

Based on this scenario, the following questions are posed:

  1. List the types of data that the “VitalGuard” application will manage and classify them according to their level of sensitivity and the risk they could pose to the rights and freedoms of the individuals they refer to.
  2. Determine what security measures you would implement to ensure the protection of personal data collected by the application and what aspects of current legislation you would consider to establish such measures.
  3. Reflect on the appropriate legal basis that would justify the collection of personal data by the different actors involved in the data processing process.

2. Proposed solution 1.


The first point I would like to make before solving the exercise is that nowhere in the statement is it mentioned that the application requests the user’s consent for access to, and privileges over, the different functionalities of the system on which it will be installed. I will therefore approach the exercise from the perspective that the user has given express consent to the collection of the data the application requests for its correct operation, as happens with applications from the same sector such as “Medisafe” or “Instant Heart Rate”. It should be emphasized that the application user must expressly give their consent in order to safeguard lawfulness, as specified in “Section 1.ª Obtaining the affected person’s consent” of “Chapter II Consent for data processing” of “Title II Principles of data protection” of the Personal Data Protection Act, Organic Law 15/1999, of December 13, contained in Royal Decree 1720/2007, of December 21.

In order to evaluate the criticality of a potential loss affecting the data collected by the application, the Confidentiality, Integrity, and Availability (CIA) of that data will be assessed. To do so properly, the following scale of criticality has been developed:



The final Criticality value is obtained by adding the values assigned to the criticality of confidentiality, integrity, and availability. To interpret this resulting value, we will use the following table.



We will also allocate a column to define the type of data processed as “Ordinary Data” or “Specially Protected Data”. This will be determined according to the Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights (LOPDGDD) where personal data is defined.



3. Proposed solution 2.


Depending on the threat we face, various security measures can be implemented to reduce the risk of such a threat materializing.

The main security measure in this type of application is to establish encryption both for data at rest and for data in transit, so that the information is not readable in the event of a security breach leading to data exfiltration, whether through attacks on the storage device itself or through interception of the data in transit to the server where it will be stored and/or processed. Likewise, a periodic and incremental backup system would be established to guarantee the availability of the data against possible ransomware attacks.

In accordance with Royal Decree 1720/2007, of December 21, which approves the regulations implementing Organic Law 15/1999, of December 13, on the protection of personal data, in its “Chapter III Security measures applicable to automated files and processing,” the following security measures are established:

  1. Access control.
  2. Telecommunications. Encryption of data in transmission using secure protocols (SSL/TLS).
  3. Identification and authentication.
  4. Backup and recovery copies. Periodic and stored on secure, encrypted, and off-network devices.
  5. Audit. Continuous review and evaluation of the security of data and its procedures.
  6. Management of supports and documents.
  7. Access registry. To guarantee the principle of traceability of information.
  8. Incident registry.
  9. Custody of supports.
  10. Information storage. Encryption of data in storage.

As a complement to the measures already mentioned, I believe it is appropriate to establish the following:

  1. Black-box, gray-box and white-box penetration testing (ethical hacking) audits of the application to keep it secure against potential malicious actors.
  2. A policy for applying security patches to the organization’s applications and systems.
  3. Installation of antivirus (AV) systems, perimeter security systems (firewalls), endpoint detection and response (EDR) tools, and security information and event management (SIEM) on the equipment/servers where sensitive user data is stored and processed.
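As an added illustration of measure 10 above (encryption of data in storage), not part of the original exercise or of VitalGuard’s own code, the following Go snippet seals one bracelet reading with AES-GCM and binds the ciphertext to its owner and capture time, so that a copied, tampered or truncated record is rejected instead of decrypted. The record layout, user identifiers and key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// VitalRecord holds the bracelet readings the case lists (constructed sample).
type VitalRecord struct {
	HeartRate    int     `json:"heart_rate"`
	SpO2         int     `json:"spo2"`
	TemperatureC float64 `json:"temperature_c"`
}

// NewVault builds the AES-GCM cipher used for storage; a 32-byte key gives AES-256.
func NewVault(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a blob to its owner and capture time: decrypting under any other
// context fails, so a ciphertext copied into another user's row is rejected.
func aad(userID string, captured time.Time) []byte {
	return []byte(userID + "|" + captured.UTC().Format(time.RFC3339))
}

// SealRecord returns nonce||ciphertext||tag, the form stored at rest.
func SealRecord(gcm cipher.AEAD, userID string, captured time.Time, rec VitalRecord) ([]byte, error) {
	plain, _ := json.Marshal(rec)          // a struct of numbers cannot fail to marshal
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, aad(userID, captured)), nil
}

// OpenRecord authenticates before decrypting: a wrong key, a wrong owner/time context or a flipped bit all return an error.
func OpenRecord(gcm cipher.AEAD, userID string, captured time.Time, blob []byte) (VitalRecord, error) {
	var rec VitalRecord
	if len(blob) < gcm.NonceSize() {
		return rec, errors.New("stored blob too short")
	}
	plain, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad(userID, captured))
	if err != nil {
		return rec, err
	}
	return rec, json.Unmarshal(plain, &rec)
}
```

The key would in practice come from a key management service rather than being held by the application; the binding to user and timestamp is what makes stored records non-interchangeable.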

4. Proposed solution 3.


The legal basis that enables the collection of personal data by the various parties involved in the processing in this case comes primarily from the General Data Protection Regulation (GDPR) of the European Union.

According to the GDPR, the legal basis for the processing of personal data can be:

  1. Consent of the data subject: It is necessary to obtain the explicit and informed consent of the person whose data are being processed, in this case the elderly person and their relatives. The application must provide clear and accessible information about the use and purpose of the collected data and obtain the user’s consent before the processing starts.
  2. Performance of a contract: The collection of personal data may be necessary for the performance of a contract to which the data subject is a party, for example, a health insurance contract.
  3. Compliance with a legal obligation: If data collection is necessary to comply with a legal obligation to which the data controller is subject, this legal basis could apply.
  4. Protection of vital interests: If data processing is necessary to protect the vital interests of the data subject or another person, this legal basis may apply, especially in emergency situations where the health or life of the elderly person is at risk.
  5. Public interest or exercise of official authority: If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  6. Legitimate interests pursued by the data controller or by a third party to whom the data is disclosed: If the data processing is necessary for the legitimate interests pursued by the data controller or by a third party, provided that these interests are not overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data. In the case of the “SOS Control” application, this legal basis could be applied if Sagent S.A. can demonstrate that it has a legitimate interest in collecting and processing personal data of the elderly and their relatives to improve its health care service, provided that this interest does not negatively affect the rights and freedoms of the data subjects.

The following are the articles of the GDPR applicable to the processing in question.

Article 5. Principles relating to processing

  1. Personal data shall be:
    • a. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
    • b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; in accordance with Article 89(1), further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (“purpose limitation”);
    • c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
    • d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate with respect to the purposes for which they are processed are erased or rectified without delay (“accuracy”);
    • e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
    • f. processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
  2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).

Article 6. Lawfulness of processing

  1. Processing shall be lawful only if and to the extent that at least one of the following applies:
    • a. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    • b. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    • c. processing is necessary for compliance with a legal obligation to which the controller is subject;
    • d. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
    • e. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  2. Point (f) of the first paragraph shall not apply to processing carried out by public authorities in the performance of their tasks.

Article 7. Conditions for consent

  1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.
  2. If the data subject’s consent is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in such a manner that it is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. No part of such a declaration that constitutes a breach of this Regulation shall be binding.
  3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw consent as to give it.
  4. When assessing whether consent is freely given, utmost account shall be taken of whether, amongst other things, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that are not necessary for the performance of that contract.

Article 9. Processing of special categories of personal data

  1. The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a person’s sex life or sexual orientation shall be prohibited.
  2. Paragraph 1 shall not apply if one of the following applies:
    • a. the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
    • b. processing is necessary for the carrying out of obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law insofar as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
    • c. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
    • d. processing is carried out, in the course of its legitimate activities with appropriate safeguards, by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
    • e. processing relates to personal data which are manifestly made public by the data subject;
    • f. processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
    • g. processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject;
    • h. processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
    • i. processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
    • j. processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
  3. Personal data referred to in paragraph 1 may be processed for the purposes mentioned in paragraph 2(h) when its processing is carried out by a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies, or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
  4. Member States may maintain or introduce additional conditions, including limitations, with regard to the processing of genetic data, biometric data, or data concerning health.

To undertake the appropriate certification processes, it is essential to conduct thorough prior audit planning, as explained in our article “Principles, Program, and Planning of Auditing and IT Governance”.

If you need an audit plan, you can contact us through our contact form.
