Automatic Data Gathering Requirements and Privacy Implications

Mark Meer

Trusted Information Resource
Curious: say we wanted our network-connected medical device software to collect data for us. Assume, for the sake of discussion, we wanted our software to just relay to us when the software is used, from where (geographic location), and for how long. What would we have to do? Presumably:
  1. Inform users that data is being collected.
  2. Ensure that data is anonymized, so it's not personally-identifiable data that is being collected.
First, with respect to presumption (1) above, can anyone link to regulations where this is explicitly stated as a requirement? If so, what are the criteria for disclosure and acknowledgement? For example, is it sufficient that the user is presented with a one-time notification "this software collects anonymized use data" and an "agree" button? Or are there more specific criteria/requirements that must be met?

With respect to presumption (2) above, it's unclear what is a sufficient level of anonymization. For example, the GDPR defines personal data as:
GDPR Art. 4
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
*emphasis added

So, in the example given, does collecting times and places qualify as "personal data"? In certain circumstances, one could conceivably use this data to identify an individual indirectly (e.g. by cross-referencing with hospital admission records), but such a specific circumstance (and that someone would exploit it) seems incredibly remote.

Also, presumably an IP address would be considered an "online identifier"? If so, if this information is collected strictly for the sake of determining the regional location, and is then discarded, does this still qualify as the collection/processing of personal data, even though it is never stored?

Anyway, look forward to comments/discussion!
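As an added illustration of the data-minimisation approach sketched in the post (use the IP only to derive a region, keep only when and for how long), here is example code written for this thread; it is not code from any product, regulator, or the original poster. The region lookup table, the field names of the raw session record, and the duration buckets are all constructed assumptions for the example.

```python
"""Added example: a data-minimisation step for usage telemetry.

Shapes a raw session record (which carries an IP address, a device serial
and a user id) into the minimal record the post describes: a coarse region,
the day of use and a duration bucket.  The IP address is consumed inside
region_for_ip() to pick a region and never appears in the output, which
makes the "used then discarded" boundary explicit and auditable.
"""
from datetime import datetime, timezone
import ipaddress

# Constructed stand-in for an IP-to-region service.  A real deployment
# would call a geolocation lookup here; the prefixes are RFC 5737
# documentation ranges and the region labels are made up for the example.
REGION_BY_PREFIX = {
    ipaddress.ip_network("203.0.113.0/24"): "EU",
    ipaddress.ip_network("198.51.100.0/24"): "NA",
}

# Upper bound in minutes (exclusive) -> bucket label.  Coarse buckets
# reduce how much a single record says about one session.
DURATION_BUCKETS = ((5, "<5m"), (30, "5-30m"), (120, "30-120m"))

# Raw fields that must never reach the emitted record (assumed names).
DIRECT_IDENTIFIERS = {"client_ip", "device_serial", "user_id"}


def region_for_ip(ip_text):
    """Return a coarse region label for an IP address, or 'unknown'.

    The address is used only within this call and is not retained.
    """
    ip = ipaddress.ip_address(ip_text)
    for net, region in REGION_BY_PREFIX.items():
        if ip in net:
            return region
    return "unknown"


def bucket_duration(minutes):
    """Map a session length in minutes onto one of the coarse buckets."""
    for limit, label in DURATION_BUCKETS:
        if minutes < limit:
            return label
    return ">120m"


def minimise_usage_event(raw):
    """Produce the minimal telemetry record from a raw session record.

    Expected raw keys (constructed for this example): 'client_ip',
    'device_serial', 'user_id', 'started_at' (ISO 8601 with offset),
    'duration_min'.  Only region, day of use and duration bucket survive;
    the clock time is dropped to day granularity.
    """
    started = datetime.fromisoformat(raw["started_at"]).astimezone(timezone.utc)
    record = {
        "region": region_for_ip(raw["client_ip"]),
        "used_on": started.strftime("%Y-%m-%d"),
        "duration": bucket_duration(raw["duration_min"]),
        "schema": "usage-v1",
    }
    # Guard against a future edit accidentally copying an identifier through.
    assert not (set(record) & DIRECT_IDENTIFIERS), "identifier leaked into record"
    return record


if __name__ == "__main__":
    # Constructed sample session; nothing here is real data.
    sample = {
        "client_ip": "203.0.113.7",
        "device_serial": "SN-0001",
        "user_id": "u42",
        "started_at": "2024-03-10T14:23:11+00:00",
        "duration_min": 47,
    }
    print(minimise_usage_event(sample))
```

Two points worth keeping in view when reading it. First, the code only makes the retention boundary visible; whether the transient use of the IP still counts as processing is exactly the question the post raises, and the code does not answer it. Second, coarse fields are not automatically anonymous: a region with a single installed device, or a day on which only one session occurred, can still single out an individual, so the granularity of region and time should be chosen against the size of the population behind each value.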