Information for Application Developers using FI-STAR eHealth platform

Data Protection Impact Assessment Flowchart

Legal compliance for developers using FI-STAR eHealth platform

Disclaimer:
The checklists below have been prepared as training material for the Seventh Framework project “Future Internet Social and Technological Alignment Research” and do not constitute legal advice.

Checklist 1

Data protection compliance checklist

What is this checklist for?
This checklist is drawn up on the basis of analysis of the relevant provisions of European law. Although European law aims at harmonizing the provisions of national legislation across Europe, all analysed provisions of international and European law can be specified or limited by the national laws of the countries where the relevant medical app is developed and tested. It consists of an expanded checklist of legal requirements and their explanation in the context of mobile health apps, and incorporates a questionnaire on the national implementing legislation.

This legal compliance checklist is developed in order to:

  1. help developers using the FI-STAR platform to build and test an app in a way compliant with the existing legal requirements of data protection;
  2. educate the developers and other parties involved about the existence and content of these requirements;
  3. point out the importance of seeking local legal counsel’s advice on how the relevant European law is implemented by the national law.

This checklist is to be used as an information tool, in close cooperation with local legal counsel. It is not meant as legal advice.

Whom is the checklist for?
The checklist is meant for the teams building, testing and implementing the apps, including medical professionals, technical developers and legal advisors.
Does your app involve personal data?
Data protection law requirements apply only when ‘personal data’ as defined by the Data Protection Directive is processed. If your app does not involve personal data, the data protection rules do not apply. Note that although there is one EU definition of personal data, it may be applied differently across EU member states. If your country is the UK, check this helpful reference guide offered by the UK Information Commissioner’s Office. A rule of thumb based on the Article 29 Working Party approach is that data is ‘personal’ if you or anyone else can reasonably likely single out a person (not necessarily by name) on the basis of that data, using state-of-the-art technology.
Does your app involve processing health data?
It is likely that medical or lifestyle apps process personal data related to health. To determine whether your app involves processing personal data related to health in the sense of data protection law, check the FI-STAR decision tree.
The law at the heart of it
EU Data Protection Directive
Opinions of Article 29 Working Party, an EU advisory body in the field of data protection

Checklist 2

Clinical investigation of a new medical app - legal compliance checklist

What is this checklist for?
This checklist is drawn up on the basis of analysis of the relevant provisions of international and European law. Although European law aims at harmonizing the provisions of national legislation across Europe, all analysed provisions of international and European law can be specified or limited by the national laws of the countries where the relevant medical app is developed and tested. This legal compliance checklist is developed in order to:

  1. help developers using the FI-STAR platform to build an app that qualifies as a new medical device, and their legal team to prepare clinical investigation of that device in a way compliant with the existing legal requirements;
  2. educate the developers and other parties involved in the clinical investigation about the existence and content of these requirements;
  3. point out the importance of seeking local legal counsel’s advice on how the relevant international and European law is implemented by the national law.

This checklist is to be used as a guiding and information tool and in close cooperation with local legal counsel. It is not meant as legal advice.

The checklist consists of a detailed to-do-list for the pre-trial, trial, and after-trial stages of investigation and incorporates a questionnaire on the national implementing legislation.

Whom is the checklist for?
The checklist is meant for the teams conducting the clinical investigation of a medical app, including medical professionals responsible for the investigation, technical developers and legal advisors.
Is your medical app a medical device?
To determine whether your medical app is a medical device, and hence whether this checklist is of use, check this simple and clear European Commission guidance document on the qualification and classification of stand-alone software, which includes a decision tree, and this infographic.
The law at the heart of it
Council Directive 93/42/EEC on medical devices (‘MDD’)
1964 Helsinki Declaration adopted by the 18th World Medical Assembly, amended by the World Medical Assembly (the ‘Helsinki Declaration’)
Important place for national law in your country
National legislation further specifies or makes exemptions from the provisions of the MDD and the Helsinki Declaration. Therefore, it is important that the legal team involved with the investigation verify how each provision of the MDD and the Helsinki Declaration is implemented in the national law of their country.

Does your product, process or service process "personal data", in the sense of the 1995 EU Data Protection Directive? Decision tree