2021 Jun 18;30(1):37–47. doi: 10.1007/s10389-021-01608-9

Table 3.

Privacy principles developed in layer 2 of the framework

| Privacy principle | Explanation of principle |
|---|---|
| Accessibility of data (P1) | Users have the right to know what information has been collected about them, its purpose, who can access it and where it is stored, and to be granted access to that information should they wish to know what data has been collected about them or to limit who can access it. |
| Anonymity (P2) | Users' personally identifiable data should be kept anonymous when stored as well as when shared with third parties such as researchers. Users should be identified by a unique identifier known only to the user and their health care practitioner. |
| Confidentiality (P3) | Appropriate measures need to be put in place in order to ensure doctor–patient confidentiality. |
| Data control (P4) | Users should have control over the collection, use of and access to their data, and should be made aware of how it is being used. |
| Data quality (P5) | When personal data is collected, it should be reviewed to ensure that it is relevant, accurate, complete and up to date for the purposes for which it is being used. |
| Data security (P6) | Adequate protection of personal data should be enforced through security safeguards that protect data from loss, unauthorised access, disclosure and modification. The confidentiality, integrity and availability of any personal data processed must also be ensured. |
| Data use (P7) | Personal data should not be used in any manner or form for purposes other than those initially agreed and consented to. Users' personal data should only be processed in a lawful manner, ensuring that applicable laws and regulations are complied with. |
| Disclosure risks (P8) | Appropriate measures need to be put in place to ensure that users' data is not disclosed, and to inform users if their data is disclosed to an unauthorised party. |
| Encryption (P9) | Appropriate encryption methods should be implemented to ensure that data cannot be deciphered should it be unlawfully accessed while stored or intercepted while being transmitted between devices. |
| Information misuse/abuse (P10) | The extent to which an individual's information is collected, used or disclosed should be limited to what the user initially consented to. |
| Invisibility (P11) | Reminders should be set periodically to inform patients of the monitoring devices they use, in order to minimise the risk of invisibility. |
| Profiling (P12) | To mitigate profiling, there should not be any storage or analysis of patients' psychological, physical and behavioural characteristics, such as storing a patient's frequently visited locations. |
| Storage limitation (P13) | Personally identifiable data should not be kept for longer than necessary for its intended purpose, or beyond the point at which the data owner requests its deletion. |
| Sharing of data (P14) | Sharing of data with third parties or researchers should only be allowed if patients have consented to it, and patients should be notified should a third party request or use their data. Patients should be allowed to see what information about them has been shared. |
| Surveillance (P15) | Appropriate user controls need to be put in place so that users can disable access to certain features of the smartphone which could enable surveillance of the user. However, this must be done in a way that does not reduce the effectiveness of the monitoring of the disease. |
| Volume of data collected (P16) | When collecting user data, it is necessary to ensure that the data collected is relevant to a specific purpose. Owing to the large amount of data produced by wearable devices, it is necessary to tailor data presentation to individual patients in order to encourage consistent use. |
| Continuous monitoring (P17) | Users should be made aware of the continuous monitoring capabilities of their health sensors through a daily reminder. Users should also have the option to disable continuous monitoring and opt for readings at certain intervals or when the devices sense that the user is performing an activity. If the user opts for interval readings, they should be made aware that this will not guarantee the best results for the monitoring and treatment of their condition. |
| Choice & consent (P18) | It is necessary for consent, whether implicit or explicit, to be obtained before user data is collected and processed. |
| Collection limitation (P19) | Data should only be collected if it is relevant and accurate for a particular purpose, and only with the knowledge and consent of the user. |
| Accountability (P20) | The data controller has the responsibility to ensure compliance with all data protection obligations. |
| Notice (P21) | Appropriate information notices regarding data processing, as required by law, must be given to patients, along with any other relevant notices. |
| Device visibility (P22) | A user's wearable devices or sensors should be identifiable only by their owner and not by any other mobile device in their proximity. |