Our advisory board member Ursula Uttinger in the vsao Journal


26.06.2023 / An app is quickly downloaded, the terms and conditions are of no interest. That is usually not a problem. It is more difficult with health apps that contain personal data. Ursula Uttinger, a lawyer and data protection expert, explains what to look out for when dealing with these apps.

Ms Uttinger, how important are health apps and data protection for our future healthcare?

I think apps will increase in significance. In this context, it is important that we are aware of the following two points. On one hand, the issues of data protection, such as: Where is my data stored? Who has access to my data? On the other hand: Is this app a medical device? If so, are these apps subject to clear regulatory requirements that must be adhered to?

Where do you expect the biggest challenges in dealing with health apps?

People should understand what they are agreeing to. People tend to agree to the terms and conditions and data protection statements in an app without seriously considering them. And yes, we lawyers are not entirely innocent of this. Very often, T&Cs are written in a language that is not appropriate for the addressees. In order not to have to assume any liability and/or responsibility, everything is described and excluded. This makes everything very long and detailed; no one understands it, and as a result no one reads it anymore, believing that it fits.

Where do you see responsibility lying, and with whom?

I would differentiate between two scenarios. The first: You hear or read about an app and download it. Here, I clearly see the app developer as responsible. I would appreciate it if the developer would clearly state the most important points of use within such an app, right at the beginning. The second scenario: As soon as an app is recommended by a health professional, this person shares the responsibility. He or she should clearly and comprehensibly inform patients about what the data will be used for. Patients need to understand what they are consenting to. One step further: If an app has not been used for a while, I expect the app to proactively communicate what is being done with the data or with whom it is being shared. Because the reality is that people very quickly forget what they have accepted.

I don’t see that as being easy in practice…

Yes. Doctors want to provide their patients with medical care and not have to explain endless details to them. I would appreciate it if app providers would show the most important points at a glance. Clearly and understandably. For example: What is collected and assessed, what is done with it, what other tools are used if any, how long is the data stored, where and why? If someone wants to know more, it should be possible to read (all) the details. But as mentioned, don’t create a huge «bulge» at the beginning, where no one understands what it’s all about.

About which three points should the medical profession inform its patients?

Firstly, where is the data hosted? Secondly, how long is it stored there? And thirdly, who has access to the data and how could this access be restricted?

And what would be the ideal answer in the view of the data protection expert?

Ideally, the data should be hosted in Switzerland or Europe, or more precisely, close to Switzerland. Although the data protection law in the EU and the EEA is basically the same everywhere, the question remains how this is implemented. As far as the retention period is concerned: only as long as it is really necessary to achieve the objective. With regard to the retention period, it should be possible to differentiate. Suppose I want to monitor the blood pressure of various patients over x years. Then it is certainly justified on the part of the app provider to store the data for the corresponding number of years – at best anonymised or pseudonymised. If, however, I examine flu episodes and track patients for a few days, I don’t think this data needs to be stored in personalised form for several years.

In my eyes, access authorisation is also important. The people concerned should be able to decide for themselves who can access the data. Primarily, these should be the individuals concerned themselves and the health professionals treating them, and not third parties. In addition, the app provider itself should not have access in such a constellation.

How decisive is it for you whether an app is certified as a medical device?

I think the distinction is becoming more and more difficult: what is a classic medical product, what is an auxiliary product? We have less and less anonymous personal data. The people concerned should become aware of this fact. For me, certification as a medical device is secondary; it is more important that data is only used in a way that is transparently stated.

Interview: Cordelia Trümpy

Link to the interview in the VSAO-Journal (in German).

About the person

Ursula Uttinger studied law at the University of Zurich, completed various further training courses, particularly in relation to corporate management. She has been involved in data protection since 1996, was responsible for data protection in various companies, but also for legal & compliance, especially in the insurance and health care environment, managed an SME and has been teaching since 2020, today mainly at the Lucerne University of Applied Sciences and Arts. She also advises various companies on data protection issues.