Legal framework needed to protect patients’ mobile phone data in health-care emergencies

In cases of urgent medical care, real-time location is shared with health-care professionals through smartphones or smartwatches, and in cases of remote health monitoring via digital applications that transmit data to them to better bridge the barrier of access to treatment.

Published Jul 19, 2023

In remote areas or during an emergency, health-care professionals can decide much more quickly what type of treatment a patient needs if they have immediate access to mobile phone data about the person’s health.

While such data can make a world of difference to those requiring care, it is the collection, usage and sharing of this information that raises concerns.

According to a study by Dirk Brand and Nezerith Cengiz from Stellenbosch University and Annelize Nienaber McKay from the University of Pretoria and Abertay University in Scotland, adequate legal protection is needed to ensure this is done in a responsible and ethical manner that respects an individual’s rights and privacy.

The study was published recently in the South African Journal of Science.

“In cases of urgent medical care, real-time location is shared with health-care professionals through smartphones or smartwatches, and in cases of remote health monitoring via digital applications that transmit data to them to better bridge the barrier of access to treatment.

“As personal information collected through health and fitness apps can be used by health-care professionals to provide services to individuals, so can digitally collected health data and even medical insurance data be used in medical research.

“However, the collection, storage and sharing of personal information on mobile phones elicits various legal questions relating to the protection of privacy, consent, unlawful data processing, liability and the accountability of stakeholders such as health insurance providers, hospital groups and national departments of health,” the researchers said.

They added that health data was more sensitive than other forms of personal data, which makes it an enticing prospect for cyber criminals. Because apps are interlinked, for example a fitness app that provides the possibility of sharing data on various social media apps, the risk of a data breach or the unauthorised use of the personal data increases.

“No wonder this type of data receives special attention in data protection legislation such as the EU’s General Data Protection Regulation (GDPR) and our own Protection of Personal Information Act (Popia). Health information qualifies as ‘special personal information’ in terms of section 26(1)(a) of Popia, and therefore it qualifies for special protection.

“If the personal data on a fitness or health app are sent to medical insurers or health-care professionals, the recipients are allowed to process that health data in terms of the exception under section 32(1) of Popia.

“Although our National Health Act does not focus on data protection as such, it stipulates that all patient information is confidential, and health-care professionals may share or disclose that information only when they’ve obtained consent from the patient.”

But these measures do not adequately address the various ethical and legal issues related to mobility and location data in health care, the researchers said.

They called for a comprehensive legal framework that includes data protection regulations, ethical guidelines and oversight mechanisms.

“App developers should design their apps in such a way that people with low literacy levels will be able to understand the terms and conditions of app use and the implications of sharing personal health information with third parties.”

The researchers added that, given the similarity between Popia and the GDPR, the “Guidelines on the Protection of Personal Data Processed by Mobile Applications Provided by EU Institutions” may serve as guidance in our jurisdiction because they stipulate that apps should collect only data that are strictly necessary for their functioning, and that users must be provided with clear and accurate information to make an informed decision, with the option to withdraw their consent at any time.

They also recommend the development of legislation for the use of AI in health-care services to further strengthen the protection of privacy and personal data in health-care services in South Africa.

Cape Times