Where would the consumer’s historic health data sit in this situation

Where would the consumer’s historic health data sit in this situation?

Deleted by the vendor, one assumes.

Yes, it raises interesting fundamental questions. Under Armour seem to suggest this is fitness data. So what is fitness data vs health data? It again highlights weak consumer/individual protection regulation (especially in the US). It would be interesting to consider if this data would fall under NZ’s HIPC.

Thanks for the interesting article Mark, I spotted your post on the MOH Yammer!

Wondering if we have yet explored and defined the boundaries in what the system considers ‘health data’ that would fall under HIPC.

I suspect that if you reviewed all the opinions issued by the Privacy Commissioner (since 1994) then you could form a fairly robust opinion. I have looked at a few. So a yes and no answer. Yes, there is most probably an answer. No in that it is not easily accessible. In NZ’s distributed health leadership I am not sure whose role it would be to distill this?

If you haven’t already, I suggest you pose the question to the Ministry’s Privacy Officer and get his take. :slight_smile:

@simon.ross be interesting to hear your take. Generally I think it comes down to the intent regarding the collection (key part of the HIPC). Arguably fitness data is collected to improve your health - this intent makes it Health data.

Where it gets grey is secondary uses. The temperature inside your house is generally collected to know whether the house is warm enough to need to turn the heater on. We know that cold houses have an impact on health - but I would suggest the intent in this case (unless it is used to identify a health intervention) means it isn’t health data.

Think there is an aspect of attribution to an identifiable individual. But it is very grey. Agree that guidance is critical!

Really - they are not going to delete the data. It has value, and is a sellable product in its own right. Many data collection devices like this use the EULA as the consent. Similar to the way hospitals and health insurers in the US are using consent to treat as consent to own data (within the very narrow limitations of HIPAA - meaning the limitations pertain to a narrow domain, and secondary data marts of healthcare data are common). A great example of this has been the Flatiron Health story. This is a company that aggregated dense data across a large portion of hospitals in the US, then used that data, with the direct involvement of the FDA, to develop marketable data products, which were then on-sold. Subsequently, Flatiron has been bought by Roche - where all the data has been moved en masse to Switzerland, and is used for specific product development by a for-profit pharmaceutical. I can find no information on the nature of the consent Flatiron sought in the first place, much less what consent was involved in the secondary sale of that data - but it was worth US$1.9 BILLION to Roche.

I think the moment NZ seeks to monetize its data, without very specific contractual and governance controls in place, you have to assume that data is openly available on the market for purchase, re-packaging, and re-distribution. Given the relatively loose ecosystem surrounding data control in NZ at this time, I would be surprised if NZ data is not already marketed in the secondary healthcare data marts.