Digital Health Assessment Framework V1.0

Guidance/Context

The purpose of this question is to identify apps which are within the DHAF scope of assessment. This includes any apps which have a clear health or medical purpose, are condition specific, or have a valid place in a clinical setting. This also includes wellness apps if they have a clear focus on a particular need or condition, eg. yoga apps for pregnancy. Apps which have no clear or specific health focus are excluded, eg. generic meditation apps.

Response

Yes / No

Answer Criteria

Yes: If the app has a specific health, fitness, lifestyle purpose or claim. If the app is condition specific. If the app has a clear place in a clinical setting.

No: If app has no obvious health purpose (e.g. voice recorder, screen recorder, keyboard, a timer app, recipe books)If the app has no health purpose and does not relate to any kind of health condition (e.g. general meditation apps). Fitness app where exercises are not designed to prevent a specific condition e.g. a circuit training app with no health claims.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify if there are any algorithms used in the app. This question then influences if other questions around AI and Clinical Calculators are asked later on in the assessment.

Response

Yes / No

Answer Criteria

Yes: If the app uses an algorithm to provide an output, using the health data input by the user OR If the app provides an average from input data, or calories burned.

No:  If the app does not calculate anything with the data it collects OR If the algorithm doesn’t come from health data input.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question allows the assessor to describe what the algorithm does and what area it focuses on. There are questions later on in scene setters which will probe diagnoses/treatment further.

Response

Free Text - E.g. perform a calculation for diagnosis etc.

Answer Criteria

N/A

Logic

DISABLEMENT LOGIC - Disabled if AI01 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify if is any form of AI used within the app. Somethings this may be difficult to decipher from just using the app so the assessor should read around the app to see if the Developer makes these claims.

Response

Yes/ No

Answer Criteria

YES: If the app uses a chatbot which learns from and reacts to what the user says.

YES: If the app/developer claims to use AI techniques.

YES: If the app uses machine learning to improve the quality of its automated decision making.

NO: If the app doesn’t use a chatbot.

NO: If the app/developer makes no claim about using AI techniques.

NO: If the app doesn’t use machine learning to improve the quality of its automated decision making.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

The Developer may state in app store description or their website what type of AI they use. If it is unclear what AI is used within the app, the assessor should try and find this information through reading the app store description and app website.

Response

Free text

Answer Criteria

Examples: 

Natural Language Processing (NLP) - Includes Natural Language Understanding, Natural Language generation, Machine Translation. E.g. If the app uses a chatbot which learns from and reacts to what the user says.

Machine Learning - If the app uses machine learning to improve the quality of its automated decision making.

Image Recognition - If the app uses AI to identify something in a picture

Logic

DISABLEMENT LOGIC - Disabled if AI03 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

To ensure AI is used both appropriately and effectively, humans should have oversight through monitoring/maintaining/updating the app. Developers may monitor their AI by asking healthcare professionals to review the decision making and output. If the output does not appear be in line with the healthcare professionals knowledge, the Developer should correct this. Assessors should look for these mentions via the app, the app/google play store and associated website.

Response

Yes / No

Answer Criteria

YES: If the developer mentions specifically that their AI is monitored/maintained/updated.

No: If there is no specific mention of them updating/maintaining the AI.

No: If they only mention improvements based upon input (learning from input).

Logic

DISABLEMENT LOGIC - Disabled if AI03 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to contribute to the apps functions and features. It is also used to inform the ESF tiering.

Response

Yes / No

Answer Criteria

Yes: If the app provides any generic info around the general topic area, in text or diagram form.

Yes: If the app can provide information as a diary back to the user if monitoring is taking place.

No: If the app provides no real information or guidance aimed at health or wellbeing.

No: If the only information is provided by other users on a forum, information must come from the developer/app itself.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to contribute to the apps functions and features. It is also used to inform the ESF tiering.

Response

Yes / No

Answer Criteria

Yes: If any of the information provided is personalized to the user. E.g. provides recommended activities/actions based on assessment over a period of time OR tailors therapy/treatment program based on one off assessment which includes taking a lot of information from the user.

No: If the app provides no information which is personalized to the user.

Logic

DISABLEMENT LOGIC - Disabled if I01 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to contribute to the apps functions and features. It is also used to inform the ESF tiering.

Response

Yes / No

Answer Criteria

YES: If the app provides links/signposts to online services or local services.

YES: If the app points to services where the user can take control of their/somebody’s condition e.g. pharmacy.

NO: If the app provides no information which is personalized to the user.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to contribute to the apps functions and features. It is also used to inform the ESF tiering.

Response

Yes / No

Answer Criteria

YES: If the app provides details of external environmental factors which may impact health/wellbeing, such as temperature, pollen count etc.

NO: If the only information provided is the location.

Logic

DISABLEMENT LOGIC - Disabled if I01 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

In most cases the answer to this question will be yes because the scope of the question is so broad. The only instance an assessor should answer no to this question is if the app is aimed at providing information, resources or activities for administrative purposes instead of health related purposes. If I01 is yes, this will also be yes. This question also guides the ESF tiering later.

Response

Yes / No

Answer Criteria

Yes: Any app that provides a resource, either condition specific or generalized.

No: Administration apps which have no effect on patient outcomes for instance a schedule system.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This is looking at apps which provide individual risk to a user, which is personalized based on the user health data collected (e.g. apps which have red zones/percentages of having a condition for specific readings).

Response

Yes / No

Answer Criteria

Yes: If the app provides a calculation, paragraph, table or diagram indicating a users risk, or potential diagnoses.

No: If the app provides no form of risk assessment or diagnoses to a user.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to discover if the app diagnoses/screens/detects a disease or condition (i.e., using sensors, data, or other information from other hardware or software devices, pertaining to a disease or condition). This is a key question for identifying diagnostic medical devices under FDA.

Response

Yes / No

Answer Criteria

Yes: A healthcare professional can see “We think you have..”.

Yes: If the app diagnoses a specified clinical condition using clinical data.

No: If it states ‘you might have a condition please see a professional’, this would be no as it is not specific enough.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This is looking at apps which provide individual risk assessments to the user. Both ‘Contracting or suffering a healthcare condition’ and ‘The impact of their lifestyle choices and health and wellbeing indicated’ can be selected at the same time.

Response

Multiple Choice

Answer Criteria

Contracting or suffering a healthcare condition: The app provides a risk indicator of a condition or diagnosis to an individual.

The impact of their lifestyle choices and health and wellbeing indicators: The app provides a risk indicator based on the person's lifestyle to an individual, eg a person’s risk of type 2 diabetes based on food intake.

No risk assessment provided: The app provides no risk indicator or diagnoses.

Logic

DISABLEMENT LOGIC - Disabled if PD01 is no AND DG02 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This is looking at apps which provide individual risk assessments to a healthcare professional. Both ‘Contracting or suffering a healthcare condition’ and ‘The impact of their lifestyle choices and health and wellbeing indicated’ can be selected at the same time.

Response

Multiple Choice

Answer Criteria

Contracting or suffering a healthcare condition: The app provides a risk indicator of a condition or diagnosis to an individual.

The impact of their lifestyle choices and health and wellbeing indicators: The app provides a risk indicator based on the person's lifestyle to an individual, eg a person’s risk of type 2 diabetes based on food intake.

No risk assessment provided: The app provides no risk indicator or diagnoses.

Logic

DISABLEMENT LOGIC - Disabled if PD01 is no AND DG02 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question is applicable to apps which provide individual risk to a user using some kind of algorithm or AI. It aims to identify if the user can send their result/information to a healthcare professional to get a further assessment, for more information.

Response

Yes / No

Answer Criteria

Yes: If the app provides a calculation, paragraph, table or diagram indicating a users risk, and allows this to be sent to a HCP for further investigation/information (being able to get a second opinion from a real clinician by sending information on). 

No: If the app provides no form of further investigation/information by a HCP.

No: If the app offers solely virtual consultations with HCP with no transfer of health data logged within the app.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This questions aims to identify apps which collect check the user’s symptoms and provide a possible diagnosis/diagnoses based on the inputted information. The purpose or benefit of the app must be its symptom checking functionality. For instance, if an anxiety/depression app contained GAD-7 or PHQ-9, this would not be a symptom checker.

Response

Yes / No

Answer Criteria

Yes: If the app provides a possible diagnosis based upon the collection of a user’s symptoms.

No: If the app provides no form of diagnosis or risk assessment based upon the collection of a user’s symptoms.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This is looking at whether a symptom checker provides an assessment of what is the most likely cause to the user. For example, 9/10 people who have your symptoms suffer from X.

Response

Yes / No

Answer Criteria

Yes: If the app provides an assessment of chance, or likelihood of certain conditions based on collected symptoms.

No: If the app provides no assessment of chance, or likelihood of certain conditions based on collected symptoms.

Logic

DISABLEMENT LOGIC - Disabled if DG05 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify if an app allows the user to filter through the list of conditions the symptom checker provided. It is crucial that the user has the option to turn the filter on or not, if the list is automatically generated in a particular order, this is not providing the user the autonomy to filter. Any filtering rules are applicable from likelihood of symptoms matching a condition to most severe condition symptoms may relate to.

Response

Yes / No

Answer Criteria

Yes: If the app provides a filter for the provided risks. The app needs to provide a specific filter option, and sorting by order of likelihood automatically is NOT sufficient.

No: If the app provides no filter for the provided risks.

Logic

DISABLEMENT LOGIC - Disabled if DG05 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify if symptom checker apps provide treatment suggestions alongside the listed conditions. If next to a symptom the app recommends a user should seek treatment through signposting to further services, this is not sufficient. The app must be providing the treatment details itself for this question.

Response

Yes / No

Answer Criteria

Yes: If the app provides any treatment suggestions for the listed conditions.

No: If the app provides no treatment options for the listed conditions.

Logic

DISABLEMENT LOGIC - Disabled if DG05 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify if the symptom checker app provides suggestions for the user to seek further treatment, based upon the indicated diagnoses. Anything from calling 911 to a recommended visit to your family physician would be sufficient for this question.

Response

Yes / No

Answer Criteria

Yes: If the app provides any signpost to a further service based upon the symptom checker outcome.

No: If the app does not signpost to a further service based upon the symptom checker outcome.

Logic

DISABLEMENT LOGIC - Disabled if DG05 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

The FDA takes into account the use of algorithms and AI in relation to identifying and assessing medical devices. The identification of a clinical calculator would help support the argument as to whether an app should be classified as a medical device or not.

Response

Yes / No

Answer Criteria

Yes: This includes apps for use by clinicians or users to calculate parameters pertaining to care, such as early warning system software (if there are treatment implications associated with the calculation). 

No: If the app is not for use by clinicians or users to calculate parameters pertaining to care, such as early warning system software.

Logic

DISABLEMENT LOGIC - Disabled if AI03 is no AND if AI01 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question allows the assessor to record information about the type of Clinical Calculator which has been located within the app. For example, contained within the app may be something which calculates the amount of water needed to treat a burns victim.

Response

Free Text

Answer Criteria

N/A

Logic

DISABLEMENT LOGIC - Disabled if TS01 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

Prevention is another key definition in defining a medical device according to FDA regs. If an app is claiming to be used for prevention or its intended use/benefit relates to prevention of a disease or condition it is likely to be a medical device.

Response

Yes / No

Answer Criteria

Yes: If the app is intended to PREVENT a specific disease or condition OR If the actual app will stop you from getting the disease.

No: If the app is trying to catch something early before it develops, e.g. skin vision.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question allows the assessor to explain how the app prevents disease.

Response

Free Text

Answer Criteria

N/A

Logic

DISABLEMENT LOGIC - Disabled if MD01 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify if an app provides treatment to a user’s specific condition. This includes both apps that provide information which can be used to enable treatment as well as apps which provide an output which can be used to treat a condition. For example, apps which calculate that are intended to calculate the dose of insulin a diabetic needs to treat their diabetes based on carbohydrate in a meal.

Response

Yes / No

Answer Criteria

Yes: Apps that provide information that can be used to enable treatment to be performed or claim that the output from the app can be used to treat a condition. E.g. an app to calculate the dose of insulin a diabetic needs to treat their diabetes based on carbohydrate in a meal.

No: If the app is intended to treat non-medical conditions e.g. non-specific stress. OR apps intended to just provide tips or advice or link to support groups OR medication reminders.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question allows the assessor to explain what treatment the app provides.

Response

Free Text

Answer Criteria

N/A

Logic

DISABLEMENT LOGIC - Disabled if TS05 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify apps which are guiding the treatment of a condition. This can occur in a number of ways but it is key that the app is guiding the treatment of a condition following best clinical practice guidelines.

Response

Yes / No

Answer Criteria

Yes: Apps which take a user’s health information, and provide specific treatment pathways for the user to follow to treat their condition OR clinician-facing apps that advise treatments.

No: Apps intended to just provide tips or advice which is non-specific to the user.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question allows the assessor to explain how the app can guide the user’s treatment of a condition.

Response

Free Text

Answer Criteria

N/A

Logic

DISABLEMENT LOGIC - Disabled if TS07 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

The question allows the assessor to confirm whether treatment guidance is for a general user or a healthcare professional.

Response

Multiple Choice

Answer Criteria

User: Refers to the patient / carer using the app.

HCP: Health Care Professional.

Logic

DISABLEMENT LOGIC - Disabled if TS07 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to determine whether the app can provide treatment to an individual without a healthcare professional involvement.

Response

Yes / No

Answer Criteria

Yes: If the app provides treatment to the user without HCP involvement.

No: If the treatment is not provided independently of a HCP, or if the app provides no treatment.

Logic

DISABLEMENT LOGIC - Disabled if TS05 is no AND if TS07 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify apps which supports a decision made by a healthcare professional on a case by case basis. The app must be more than a generic textbook and provide information directed towards healthcare professionals.

Response

Yes / No

Answer Criteria

Yes: The app contributes to a professional’s decision about treatment, so this is for doctors to look at OR Supports decision making on a case by case basis (eg Mersey Burns would be yes (tells clinician how much fluid a patient requires based on percentage burns they have suffered).

No: If the app provides generic, non specific care pathways.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

Whilst the FDA regulations do not specify if following a path of a procedure/treatment makes an app a medical device, the assessor will be made aware of the risk which comes with this functionality as well as understanding that additional functionality which could lead the app to be a medical device under FDA regulations.

Response

Yes / No

Answer Criteria

YES:  If the app outlines a treatment / procedure but does not make and communicate any decisions to the user.

NO:  If the app makes any decisions for the user.

Logic

DISABLEMENT LOGIC - Disabled if TS03 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

Apps could still potentially be a MD if this is answered as yes, relying on additional functionality too. FDA is unclear about specifics in this area (would depend on other functions too). That said, if this question is answered no, it is very likely the app would be identified as a MD under the FDA.

Response

Yes / No

Answer Criteria

YES: If the app outlines a treatment/ procedure but does not make and communicate any decisions to the user.

NO: If the app makes any decisions for the user.

Logic

DISABLEMENT LOGIC - Disabled if TS03 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/ Context

Automating the treatment pathway is a software function that makes the app become a regulated medical device by performing patient-specific analysis and providing patient-specific diagnosis, or treatment recommendations.

Response

Yes / No

Answer Criteria

YES: The app creates the treatment pathway for the user, and does not rely on a HCP.

NO: If the app outlines a set of treatments / procedures but the final decision about which treatment is left to the HCP.

NO: If it is a “one size fits all” pathway that doesn’t take into account individual factors.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify if the apps intended purpose is to reduce the symptoms or severity of a disease, injury or physical/mental impairment. The app cannot just support a condition or impairment, the app must provide some sort of functionality to reduce the symptoms. For example, a Tinnitus noise cancelling app reduces the symptoms of Tinnitus. This is to help identify Medical Devices.

Response

Yes / No

Answer Criteria

Yes: If an app that provides a physical output to alleviate the symptoms of an existing condition. For example a Tinnitus noise canceling app.

No: If an app does not provide a physical output to alleviate the symptoms of an existing condition.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify if an app compensates for a specific injury or physical / mental impairment. It is important that the assessor identifies this is the app's intended purpose and that it is not meant for general use.

Response

Yes / No

Answer Criteria

Yes: Apps which the developer claims can compensate for an injury or handicap or claims that the output from the app can be used for this purpose. For example apps to magnify text specifically for people with visual impairment or apps amplify sounds for people with reduced hearing.

No: If the app provides no link to a specific injury or handicap. For example apps to magnify text but there is no mention of visual impairment in the manufacturer’s claims OR apps to amplify sound  but there is no mention of hearing impairment in the manufacturer’s claims.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question helps identify if the app’s intended purpose/benefits focuses around conception/contraception. This will in turn help identify if the app is a potential Medical Device as defined by the Food and Drug Administration (FDA).

Response

Yes / No

Answer Criteria

YES: If an app informs the user of when their fertile window is.

NO: If the app does not identify the user’s fertile window.

Logic

DISABLEMENT LOGIC - Disabled if MD08 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question helps identify if the app’s intended purpose/benefits focuses around conception/contraception. This will in turn help identify if the app is a potential Medical Device as defined by the Food and Drug Administration (FDA).

Response

Yes / No

Answer Criteria

YES: If an app or related website or description claims to make pregnancies more likely or to be able to prevent pregnancy.

NO: If an app or related website or description does not claim to make pregnancies more likely or to be able to prevent pregnancy.

Logic

DISABLEMENT LOGIC - Disabled if CC01 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question helps identify if the app’s intended purpose/benefits focuses around conception/contraception. This will in turn help identify if the app is a potential Medical Device as defined by the Food and Drug Administration (FDA).

Response

Yes / No

Answer Criteria

YES: If an app has an assistive device which can be used to record BBT. Measurements can be input manually after taking a reading.

NO: If an app does not have an assistive device which can be used to record BBT., or it does not record BBT.

Logic

DISABLEMENT LOGIC - Disabled if CC02 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question helps identify if the app’s intended purpose/benefits focuses around conception/contraception. This will in turn help identify if the app is a potential Medical Device as defined by the Food and Drug Administration (FDA).

Response

Yes / No

Answer Criteria

YES: If an app uses rhythm/bbt/cervical mucus methods to aid in the prevention of pregnancy or to help conception.

NO: If an app doesn’t use rhythm/bbt/cervical mucus methods to aid in the prevention of pregnancy or to help conception.

Logic

DISABLEMENT LOGIC - Disabled if CC02 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question helps identify if the app is marketed towards facilitating conception/contraception. This will in turn help identify if the app is a potential Medical Device as defined by the Food and Drug Administration (FDA).

Response

Yes / No

Answer Criteria

Yes: If the app markets itself or claims the user can use the app as a natural method of birth control.

No: If the app does not claim to be a natural method of birth control.

Logic

DISABLEMENT LOGIC - Disabled if CC03 is no AND if CC04 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify if apps are to be used to control conception through two or more of the practical methods highlighted in CC01 - CC04. This will in turn help identify if the app is a potential Medical Device as defined by the Food and Drug Administration (FDA).

Response

Yes / No

Assessment Criteria

Yes: If the app appears to be a natural form of contraception AND be intended to be used a way of conceiving based on the above answers (CC01, CC02, CC03, CC04 and CC05).

No: If the app only claims to be a natural form of contraception OR intended to be used as a way of conceiving, but doesn’t claim to be both.

Logic

DISABLEMENT LOGIC - Disabled if CC02 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify if the app can set medication alerts/reminders, trackers or if the app indicates how much medication the user should take.

Response

Yes / No

Answer Criteria

Yes: If an app provides medication reminders or trackers used as an assistive tool OR if the app influences how much you should take e.g. insulin calculator etc.

No: If an app does not provide medication reminders or trackers used as an assistive tool OR if there are no alarms to take medications.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to understand the context of the app and to also examine whether or not it can be used without the device.

Response

Yes / No

Answer Criteria

Yes: The app is designed to work with a specific device, and likely doesn’t function fully without it e.g. Garmin Watch with Garmin App.

No: The app connects with third party devices e.g. Fitbit watch.

Logic

DISABLEMENT LOGIC - Disabled if DC01 does not contain Devices.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

Due to a logic issue, only one answer should be selected. If the app allows the monitoring of both General Health or Wellness and Specific Condition Data, the assessor should select Specific Condition data. This question will contribute to the outcome of MN04, a question which helps determine what ESF tier the app belongs in.

Response

Multiple Choice

Answer Criteria

Yes - General health or Wellness data: If the app has any capability at all which allows the user to monitor any health information which the app records.

Yes - Specific Condition data: If the app is aimed towards someone with a pre-existing condition e.g. chronic pain, diabetes etc.

No - None: If an app does not collect or allow the monitoring of health information.

Logic

DISABLEMENT LOGIC - Disabled if D01 is no. OR disabled if DT10 does not contain neither Physical and/or Mental Health Data nor General Wellness Data.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify if the app allows users to record health information which can be reviewed at a later date. This question contributes to the outcome of MN04, a question which helps determine what ESF tier the app belongs in.

Response

Yes / No

Answer Criteria

Yes: If an app allows the recording and reviewing of data over a period of time to allow the user to monitor their health information.

No: If an app does not collect or allow the monitoring of health information.

Logic

DISABLEMENT LOGIC - Disabled if MN01 contains None.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This questions aims to identify is an app provides further insight around the user’s health data it collects. The app needs to be providing novel insights, automated alerts or reminders from the user’s health data. If the health data is relayed back to the user with no additional information, MN03 will be no. This question contributes to the outcome of MN04, a question which helps determine what ESF tier the app belongs in.

Response

Yes / No

Answer Criteria

Yes: If an app allows the user to record health data, and then the app provides insight back to the user. For example in the form of alerts, reminders or adjustments regarding the user’s health/lifestyle.

No: If an app doesn’t collect health data, or if it collects it and regurgitates it back to the user in the form of a simple graph, without any further insight or information.

Logic

DISABLEMENT LOGIC - Disabled if MN01 contains None.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This questions aims to differentiate between the different types of self-management and therefore different tiers from the Evidence Standards Framework. MN01, MN02 and MN03 all feed into the outcome of this question. Below is a diagram assessors refer to during the assessment process in order to decipher what type of self management tool they reviewing.

Response

Multiple Option

Answer Criteria

A Simple Self Management app: If an app is simple monitoring with wellbeing and general health focus = Tier Bi

A Standard Self Management app: If an app is simple monitoring with a specific condition focus OR complex monitoring with a wellbeing and general health focus = Tier Bii

A Complex Self Management app: If an app is complex monitoring with a specific condition focus = Tier C

Logic

DISABLEMENT LOGIC - Disabled if MN01 contains None.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This questions aims to evidence whether the monitoring the app performs is specifically there to impact on the user’s treatment.

Response

Yes / No

Answer Criteria

Yes: If the app provides a calculated output which is based on the health information collected, which may directly impact an individual’s decision regarding the treatment management of a condition. For example, a peak flow meter which shows decreasing measurements which acts as an early warning software.

No: If the app is not intended to affect the treatment management and is only carrying out complex monitoring that may display trends or other interesting data points.

Logic

DISABLEMENT LOGIC - Disabled if MN04 does not contain Complex Self Management app.

Scoring Impact

There is no scoring impact associated with this question.

This question aims to evidence whether the app allows the monitoring of the user’s health data by people who are not the user.

Response

Yes / No

Answer Criteria

Yes: If the app provides functionality within it that allows someone to monitor the user’s collected health data. This may be a HCP or may be a family member or friend.

No: No functionality within the App for someone who is not the user to view the data collected within the app. Functionality needs to be within the app.

Scoring

DISABLEMENT LOGIC - Disabled if MN01 contains None.

Logic

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify whether the app automatically collects and sends health data, without any sort of intervention from the user.

Response

Yes / No

Answer Criteria

Yes: If the app collects user health data and transmits it to somebody else, without any sort of user intervention.

No: The app does not automatically collect data OR the app does not automatically transmit data.

Logic

DISABLEMENT LOGIC - Disabled if MN04 does not contain Specific Condition data.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to look at whether the app sends a notification to the user/carer/healthcare professional based on any of the data recorded through the app itself or a connected device. For example, a diabetes app could automatically alert the user by creating a noise that notifies the user their blood glucose levels are either hypo (low) or hyper (high) in regards to the satisfactory levels they should usually be.

Response

Yes / No

Answer Criteria

Yes: If the app sends an alarm, alert or notification based on any of the data collected by the app itself or a connected device.

No: The app does not generate alarms based on the health data input and the user has to set them themselves.

Logic

DISABLEMENT LOGIC - Disabled if MN06 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify if the user can define the filtering rules surrounding the health data and choose what boundaries trigger an alarm / alert.

Response

Yes / No

Answer Criteria

Yes: If the app alerts the user or HCP to a predefined abnormality manually set by the user.

No: The app does not generate alarms based on the health data input.

No: The app does generate alarms based on health data input but the user can not set these parameters themselves.

Logic

DISABLEMENT LOGIC - Disabled if MN08 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This is to determine what type of treatment the app supplies. Assessors can select more than one, for example if an app had a diary and an insulin calculator both Self-management and Monitoring should be selected. This question helps the assessor place the app in the correct ESF tier.

Response

Multiple Choice

Answer Criteria

Preventative behavior change: If the app is intended to modify the users behavior to reduce the risk of a condition.

Psychological intervention: If the app is intended to provide a psychological intervention to someone with a diagnosed psychological condition e.g. not non-specific stress.

CBT: If the app is intended to provide Cognitive Behavioral Therapy to a user in full.

Fertility: If the app is intended to be used to help with fertility treatments.

Self-management (administering measures): If the app is intended to be used to help provide information about how much medicine should be taken e.g. diabetic patient advised to take X units of insulin based on information inputted into the app.

Tailored treatment plan: If the app provides the user with a tailored treatment plan to improve their condition based on collected information.

Monitoring (basic): E.g. diary.

Logic

DISABLEMENT LOGIC - Disabled if TS05 is no AND if TS07 is no AND MN01 is None.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Response

This question provides further context around the functionality of the app.

Response

Yes / No

Answer Criteria

Yes: If the app allows the user to access consultation with relevant professionals. This would be a call or online chat directly with a doctor or professional in the relevant field.

No: The app does not allow consultations or other communication with a relevant professional through the app.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question follows on from the previous questions and it is also a data capture question. It aims to determine how exactly online conversations and consultations are held.

Response

Yes / No

Answer Criteria

Yes: If the user can have a video consultation directly with a relevant profession via the app.

No: If a video call consultation with the relevant professional is not available via the app.

Logic

DISABLEMENT LOGIC - Disabled if F14 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question provides further context around the functionality of the app and importantly informs the user where the advice comes from.

Response

Yes / No

Answer Criteria

YES: If the app enables a HCP to provide advice in whatever format through the app. This may be video consultation, instant messaging or other platform communications.

NO: The app does not allow consultations or other communication from a relevant professional through the app.

Logic

DISABLEMENT LOGIC - Disabled if F14 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question is a data capture question. It aims to collect information about exactly how the app allows a professional to supply clinical advice.

Response

Free text

Answer Criteria

N/A

Logic

DISABLEMENT LOGIC - Disabled if EF09 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question allows us to understand further the functionality of the app, it helps us with our adapted ESF tiering.

Response

Yes / No

Answer Criteria

Yes: If the app provides a digital solution for internal admin running of healthcare systems. If the app aids appointment bookings, staff roster, job lists etc.

No: If there is any potential impact on a patients treatment, this includes messaging apps.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question allows us to understand further the functionality of the app, it helps us with our adapted ESF tiering.

Response

Multiple Choice

Answer Criteria

Schedule Management

Appointment Booking

Prescription Management

Building Maintenance

Logic

DISABLEMENT LOGIC - Disabled if AS01 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question allows us to understand further the functionality of the app, it helps us with our adapted ESF tiering.

Response

Yes / No

Answer Criteria

Yes: If the app supports communication between healthcare professionals.

No: If any communication within the app is between users or patients and does not involve a healthcare professional.

Logic

DISABLEMENT LOGIC - Disabled if AS01 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question allows us to understand further the functionality of the app.

Response

Yes / No

Answer Criteria

Yes: If users can book appointments with their own GP through patient access.

Yes: If users can book appointments through the app.

No: If you can only add appointments to a calendar for organizational purposes rather than actually booking in with a healthcare professional.

Logic

DISABLEMENT LOGIC - Disabled if AS01 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question helps identify if an app can help a user order / request prescriptions.

Response

Yes / No

Answer Criteria

Yes: If the app allows users to order or request a prescription from a healthcare professional, healthcare provider or pharmacy.

No: If the app allows the user to record what prescription they would like to request. This would only be acting as a reminder to the user.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This is an information capture question which helps inform the functions and features.

Response

Yes / No

Answer Criteria

Yes: If the app sends push notifications to the device.

No: If there are in-app notifications which are not pushed to the device.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This is an information capture question which helps inform the functions and features.

Response

Yes / No

Answer Criteria

Yes: If the app sends email notifications relating to the user’s use of the app, personalized.

No: If the only emails are marketing/newsletters.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify if an app can only be used for its intended purposes if a user has access to one of the connected devices.

Response

Yes / No

Answer Criteria

Yes: If the app ONLY works with a companion device. For instance, the user is unable to input data and therefore cannot use the app at all without the device.

No: If there is a companion device but the app can still be used independently.

Logic

DISABLEMENT LOGIC - Disabled if DC01 does not contain Devices.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to

Response

Yes / No

Answer Criteria

Yes: If the app is used to control an external medical device.

No: The app connects with an external device which is not classified as a medical device.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This is an information capture question which helps inform the functions and features.

Response

Yes / No

Answer Criteria

Yes: If there is any way for users to communicate with other users within the app. This can be through messaging, internal forums, connecting with friends, communicating with a healthcare professional etc.

No: If you can only send a report to a doctor via email for example.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question refers to forums which are within the app rather than ones hosted externally via Facebook, developer website etc.

Response

Yes / No

Answer Criteria

Yes: If the app has an internal forum.

No: If the app provides links to a third party forum or an externally hosted forum. One-to-one communication is not a forum.

Logic

DISABLEMENT LOGIC - Disabled if U19 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question refers to forums which are hosted eternally via Facebook, developer website etc. rather than within the app.

Response

Yes / No

Answer Criteria

Yes: If the app provides links to a third party forum or an externally hosted forum.

No: If the app links to a Facebook page which is not a forum. If the only forum is in-app.

Logic

DISABLEMENT LOGIC - Disabled if U19 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question is an information capture question which informs functions and features. The two way communication needs to exist within the app through chat functions, a forum, video call and must be between two or more people.

Response

Yes / No

Answer Criteria

Yes: If the app allows for any two-way communication between any two people.

No: If the app does not enable two-way communication between two or more people.

Logic

DISABLEMENT LOGIC - Disabled if U19 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question is an information capture question which informs functions and features. The gamification or goal setting features must somehow relate to the user’s health or wellbeing.

Response

Yes / No

Answer Criteria

Yes: If you can choose a goal, get badges or achievements through use of the app.

Yes: If the app provides targets or you can set your own targets.

Yes: If the app encourages engagement with rewards.

No: No goal setting or gamification. If gamification has no real purpose.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question follows on from the previous and aims to identify what type of goals exist in the app.

Response

Multiple Choice

Answer Criteria

Tailored: If the goals are specific to the user. For example, the user can input health parameters and the app generates a goal based on those readings. 

Generic: If the set goals are generic for all users. For instance, goals that are pre-set within the app and are the same for each user. 

User defined: If the user can manually or directly specify or customize their goal. For example, the user can choose a weight loss goal which they can set themselves. 

Logic

DISABLEMENT LOGIC - Disabled if F06 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question allows us to understand further the functionality of the app, it helps us with our adapted ESF tiering.

Response

Yes / No

Answer Criteria

Yes: If ‘User defined' has been selected in the previous question (ORC_F06).

No: If only ‘Tailored’ or ‘Generic’ has been selected in the previous question (ORC_F06).

Logic

DISABLEMENT LOGIC - Disabled if F06 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify if the user can edit the style of the app to suit their needs and / or preferences.

Response

Yes / No

Answer Criteria

Yes: If any changes can be made to the presentation theme within the app. This includes editing the background, colors, profile picture, language, measuring units etc.

No: If the presentation of the app cannot be edited or customized by the user in any way.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify if the user can set preferences on the device which is carried through to the app to suit their needs and / or preferences.

Response

Yes / No

Answer Criteria

Yes: If the app responds to changes in font size.

Yes: If the app provides support options for users with poor vision/poor hearing.

No: If the app only responds to in-app preferences.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This is an information capture question which used to inform the users whether the app is completely free or if there are some sort of costs involved in the app. If the app has any costs associated with it ranging from in app purchases to licenses required by a healthcare provider, the assessor should answer this question no. If the app requires the user to purchase the associated device in order to use the app, the assessor should answer this question no.

Response

Yes / No

Answer Criteria

Yes: If the app is free to download AND has no in-app purchases or subscriptions AND costs are not incurred or covered by any third party organization/employees. For instance, licenses are NOT needed to be purchased for distribution).

No: If licenses are needed to be purchased for distribution.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify what the business model is behind the app. If the answer is not apparent through publicly available information, the assessor should select Self-funded as a default.

Response

Multiple Choice

Answer Criteria

In-app purchase: If the app is funded through the user purchasing something within the app after downloading.

Subscription: If the app is funded through subscription fees which the user has to pay in order to download the app.

One off payment: If the app is funded through one off payments which the user needs pay in order to download the app.

Licensed by doctor/healthcare provider: If the app is funded through licenses which need to be purchased in order for doctors/healthcare providers to provide access to their patients.

Donations: If the app is funded through donations.

Government or similar grant: If the app is funded through a government or similar grant.

Charity / Non profit: If the app is funded by a charity or non-profit organization.

Self-funded: If the app is self-funded by the people who run the company. OR if there is no evidence of how the app is funded then Self funded should be selected.

Logic

DISABLEMENT LOGIC - Disabled if U29 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This question aims to identify if the app displays advertisements for external products/services. If the app advertises their own subscriptions or in app purchases, this does not count.

Response

Yes / No

Answer Criteria

Yes: If the app has adverts for other products/services within it.

No: If the app contains adverts for its own in-app purchases.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

This questions aims to identify the intended purpose of the app through highlighting the claimed / implied benefits. If the assessor reads a clear benefit described by the developer, this would be a claimed benefit. If the assessor is having to infer a benefit from text written by the developer, this would be an implied benefit. If a claimed or implied benefit does not appear in the list below, the assessor should select Other Claimed/Implied Benefit and make the benefit very clear. In order for evidence to meet the requirements of the framework, the evidence of efficacy should relate to the benefits / intended purposes of the app.

Response

Multiple Choice

Answer Criteria

Cost savings to the healthcare system

Increased access to care

Improved diagnostic or risk assessment

Improved quality of treatment

Improved recovery

Reduced readmission or re-referral

Improved management of a condition

Preventative Behavior Change

Improved mental wellbeing

Improved physical wellbeing

Improved system/process efficiency

Other Claimed Benefit (please describe)

Other Implied Benefit (please describe)

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

A provider of health care services and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business.

Response

Yes / No

Answer Criteria

Yes: If an organisation conducting business in the US furnishes, bills or receives payment for the provision of health care to US citizens, then they are likely fall in scope of being a covered entity under HIPAA.

No: The person, business, or agency is NOT a covered health care provider and therefore not a covered entity.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

Health care providers (e.g., physicians, hospitals, and clinics) are covered entities if they transmit health information in electronic form in connection with a transaction for which a HIPAA standard has been adopted by HHS. (e.g., billing)

Response

Yes / No

Answer Criteria

Yes: The person, business, or agency is a covered health care provider and therefore a covered entity. 

No: The person, business, or agency is NOT a covered health care provider and therefore not a covered entity.

Logic

DISABLEMENT LOGIC - Disabled if HIPAA1_1 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

A public or private entity, including a billing service, repricing company, or community health information system, that processes non-standard data or transactions received from another entity into standard transactions or data elements, or vice versa.

Response

Yes / No

Answer Criteria

Yes: The business or agency may be a health care clearinghouse and therefore may be a covered entity

No: The business or agency is NOT a health care clearinghouse and therefore not a covered entity.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

A public or private entity, including a billing service, repricing company, or community health information system, that processes non-standard data or transactions received from another entity into standard transactions or data elements, or vice versa.

Response

Yes / No

Answer Criteria

Yes: The business or agency is a  health care clearinghouse and therefore a covered entity.

No: The business or agency is NOT a health care clearinghouse and therefore not a covered entity. 

Logic

DISABLEMENT LOGIC - Disabled if HIPAA2_1 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

An individual or group plan that provides, or pays the cost of, medical care. Health plans include private entities (e.g., health insurers and managed care organizations)

Response

Yes / No

Answer Criteria

Yes: The plan may be a health plan and therefore a covered entity.

No: The plan is NOT a health plan and therefore not a covered entity.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

A “Group Health Plan” (GHP) is health insurance offered by an employer, union or association to its members while they are still working. GHP coverage is based on current employment.

Response

Yes / No

Answer Criteria

Yes: The person, business or agency may be a group health plan and therefore may be a covered entity.

No: The person, business, or agency is NOT a group health plan and therefore not a covered entity.

Logic

DISABLEMENT LOGIC - Disabled if HIPAA3_1 is no.

Scoring Impact

There is no scoring impact associated with this question.

Active if HIPAA3_2 is YES

Guidance/Context
If answered no and the plan has more than 50 participants then this would not be a covered entity.

Response

Yes / No

Answer Criteria

Yes: The person, business or agency may be a group health plan and therefore may be a covered entity.

No: The person, business, or agency is NOT a group health plan and therefore not a covered entity.

Logic

DISABLEMENT LOGIC - Disabled if HIPAA3_2 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

A self-insured group health plan (or a 'self-funded' plan as it is also called) is one in which the employer assumes the financial risk for providing health care benefits to its employees.

Response

Yes / No

Answer Criteria

Yes: The plan is NOT a health plan and therefore not a covered entity.

No: The plan is a health plan and therefore a covered entity. 

Logic

DISABLEMENT LOGIC - Disabled if HIPAA3_2 is no OR if HIPAA3_3 is yes.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

Health insurance issuer (as defined in section 2791(b)(2) of the PHS Act, 42 U.S.C. 300gg-91(b)(2) means an insurance company, insurance service, or insurance organization (including an HMO) that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance.

Response

Yes / No

Answer Criteria

Yes: The plan is a health plan and therefore a covered entity.

No: The plan is not a health plan and therefore not a covered entity.

Logic

DISABLEMENT LOGIC - Disabled if HIPAA3_2 is yes.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

Medigap is Medicare Supplement Insurance that helps fill "gaps" in Original Medicare and is sold by private companies. Original Medicare pays for much, but not all, of the cost for covered health care services and supplies. A Medicare Supplement Insurance (Medigap) policy can help pay some of the remaining health care costs, like:

Copayments
Coinsurance
Deductibles

Response

Yes / No

Answer Criteria

Yes: The plan is a health plan and therefore a covered entity.

No: The plan is not a health plan and therefore not a covered entity

Logic

DISABLEMENT LOGIC - Disabled if HIPAA3_5 is yes.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

HMO means "Health Maintenance Organization." HMO plans offer a wide range of health care services through a network of providers that contract exclusively with the HMO, or who agree to provide services to members at a pre-negotiated rate. As a member of an HMO, you will need to choose a primary care physician ("PCP") who will provide most of your health care and refer you to HMO specialists as needed. Some HMO plans require that you fulfill a deductible before services are covered. Others only require you to make a copayment when services are rendered. Health care services obtained outside of the HMO are typically not covered, though there may be exceptions in the case of an emergency.

Response

Yes / No 

Answer Criteria

Yes: The plan is a health plan and therefore a covered entity.

No: The plan is not a health plan and therefore not a covered entity.

Logic

DISABLEMENT LOGIC - Disabled if HIPAA3_6 is yes.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

An arrangement offered by two or more employers to provide health or welfare benefits to the employers' employees and their beneficiaries, but excluding arrangements established or maintained: Under a collective bargaining agreement (CBA).

Response

Yes / No

Answer Criteria

Yes: The plan is a health plan and therefore a covered entity.

No: The plan is not a health plan and therefore not a covered entity.

Logic

DISABLEMENT LOGIC - Disabled if HIPAA3_7 is yes.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

Under HIPAA, qualified long-term care services mean necessary diagnostic, preventive, therapeutic, curing, treating, mitigating, rehabilitative services, and personal care which are required by a chronically ill person and are provided according to a plan of care prescribed by a licensed health care practitioner.

Response

Yes / No

Answer Criteria

Yes: The plan may be a health plan and may be a covered entity.

No: The plan is not a health plan and is therefore not a covered entity.

Logic

DISABLEMENT LOGIC - Disabled if HIPAA3_8 is yes.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

Fixed indemnity health insurance is a type of medical insurance that pays a predetermined amount on a per-period or per-incident basis, regardless of the total charges incurred.

Response

Yes / No

Answer Criteria

Yes: The plan is NOT a health plan and therefore not a covered entity.

No: The plan is a health plan and therefore a covered entity. 

Logic

DISABLEMENT LOGIC - Disabled if HIPAA3_8 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

Response

Yes / No

Answer Criteria

Yes: The plan is a health plan and  therefore a covered entity.

No: The plan is not a health plan and therefore not a covered entity

Logic

This is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

An individual or group plan that provides, or pays the cost of, medical care. Health plans include government organizations (e.g., Medicaid, Medicare, and the Veterans Health Administration)

Response

Yes / No

Answer Criteria

Yes: The plan is a health plan and therefore a covered entity.

No: The plan is NOT a health plan and therefore not a covered entity.

Logic

DISABLEMENT LOGIC - Disabled if HIPAA4_1 is yes.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

Similar to the Pre-Existing Condition Insurance Plan under the Affordable Care Act, for years many states have offered plans that provide coverage if you have been locked out of the individual insurance market because of a pre-existing condition. High-risk pool plans may also offer coverage if you're HIPAA eligible or meet other requirements. High-risk pool plans offer health insurance coverage that is subsidized by a state government. Typically, your premium is up to twice as much as you would pay for individual coverage if you were healthy.

Response

Yes / No

Answer Criteria

Yes: The plan is a health plan and  therefore a covered entity.

No: The plan is not a health plan and therefore not a covered entity.

Logic

DISABLEMENT LOGIC - Disabled if HIPAA4_2 is no.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

 A type of health insurance plan that usually limits coverage to care from doctors who work for or contract with the HMO. It generally won't cover out-of-network care except in an emergency. An HMO may require you to live or work in its service area to be eligible for coverage. HMOs often provide integrated care and focus on prevention and wellness.

Response

Yes / No

Answer Criteria

Yes: The plan is a health plan and therefore a covered entity.

No: The plan is not a health plan and therefore not a covered entity.

Logic

DISABLEMENT LOGIC - Disabled if HIPAA4_3 is yes.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

Direct healthcare is healthcare directly purchased by and delivered to an organization and its members, with no third party in between. Most often, the purchasing organization is a large, self-funded employer, or another aggregating entity like an association, trust, Taft-Hartley plan, or labor union.

Response

Yes / No

Answer Criteria

Yes: The plan is NOT a health plan and therefore not a covered entity.

No:

Logic

DISABLEMENT LOGIC - Disabled if HIPAA4_4 is yes.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

Grant - a sum of money given by a government or other organization for a particular purpose, in this instance health care.

Response

Yes / No

Answer Criteria

Yes: The plan is NOT a health plan and therefore not a covered entity.

No:

Logic

DISABLEMENT LOGIC - Disabled if HIPAA4_5 is yes.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

Where the principal purpose of the program is not the provision or paying the cost of health care, then the plan is not a health plan and therefore the organization is not a covered entity.

Response

Yes / No

Answer Criteria

Yes: The plan is NOT a health plan and therefore not a covered entity.

No:

Logic

DISABLEMENT LOGIC - Disabled if HIPAA4_6 is yes.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

The requirements of this part do not apply to any individual coverage in relation to its provision of the benefits described in paragraphs (a) and (b) of this section (or any combination of the benefits).

(a) Benefits excepted in all circumstances. The following benefits are excepted in all circumstances:

(1) Coverage only for accident (including accidental death and dismemberment)

(2) Disability income insurance.

(3) Liability insurance, including general liability insurance and automobile liability insurance.

(4) Coverage issued as a supplement to liability insurance.

(5) Workers' compensation or similar insurance.

(6) Automobile medical payment insurance.

(7) Credit-only insurance (for example, mortgage insurance).

(8) Coverage for on-site medical clinics.

(9) Travel insurance, within the meaning of § 144.103 of this subchapter.

(b) Other excepted benefits. The requirements of this part do not apply to individual health insurance coverage described in paragraphs (b)(1) through (b)(6) of this section if the benefits are provided under a separate policy, certificate, or contract of insurance. These benefits include the following:

(1) Limited scope dental or vision benefits. These benefits are dental or vision benefits that are limited in scope to a narrow range or type of benefits that are generally excluded from benefit packages that combine hospital, medical, and surgical benefits.

(2) Long-term care benefits. These benefits are benefits that are either -

(i) Subject to State long-term care insurance laws;

(ii) For qualified long-term care insurance services, as defined in section 7702B(c)(1) of the Code, or provided under a qualified long-term care insurance contract, as defined in section 7702B(b) of the Code; or

(iii) Based on cognitive impairment or a loss of functional capacity that is expected to be chronic.

(3) Coverage only for a specified disease or illness (for example, cancer policies) if the policies meet the requirements of § 146.145(b)(4)(ii)(B) and (C) of this subchapter regarding noncoordination of benefits.

(4) Hospital indemnity or other fixed indemnity insurance only if -

(i) The benefits are provided only to individuals who attest, in their fixed indemnity insurance application, that they have other health coverage that is minimum essential coverage within the meaning of section 5000A(f) of the Internal Revenue Code, or that they are treated as having minimum essential coverage due to their status as a bona fide resident of any possession of the United States pursuant to Code section 5000A(f)(4)(B).

(ii) There is no coordination between the provision of benefits and an exclusion of benefits under any other health coverage.

(iii) The benefits are paid in a fixed dollar amount per period of hospitalization or illness and/or per service (for example, $100/day or $50/visit) regardless of the amount of expenses incurred and without regard to the amount of benefits provided with respect to the event or service under any other health coverage.

(iv) A notice is displayed prominently in the application materials in at least 14 point type that has the following language: “THIS IS A SUPPLEMENT TO HEALTH INSURANCE AND IS NOT A SUBSTITUTE FOR MAJOR MEDICAL COVERAGE. LACK OF MAJOR MEDICAL COVERAGE (OR OTHER MINIMUM ESSENTIAL COVERAGE) MAY RESULT IN AN ADDITIONAL PAYMENT WITH YOUR TAXES.”

(v) The requirement of paragraph (b)(4)(iv) of this section applies to all hospital or other fixed indemnity insurance policy years beginning on or after January 1, 2015, and the requirement of paragraph (b)(4)(i) of this section applies to hospital or other fixed indemnity insurance policies issued on or after January 1, 2015, and to hospital or other fixed indemnity policies issued before that date, upon their first renewal occurring on or after October 1, 2016.

(5) Medicare supplemental health insurance (as defined under section 1882(g)(1) of the Social Security Act. 42 U.S.C. 1395ss, also known as Medigap or MedSupp insurance). The requirements of this part 148 (including genetic nondiscrimination requirements), do not apply to Medicare supplemental health insurance policies. However, Medicare supplemental health insurance policies are subject to similar genetic nondiscrimination requirements under section 104 of the Genetic Information Nondiscrimination Act of 2008 (Pub. L. 110-233), as incorporated into the NAIC Model Regulation relating to sections 1882(s)(2)(e) and (x) of the Act (The NAIC Model Regulation can be accessed at http://www.naic.org .).

(6) Coverage supplemental to the coverage provided under Chapter 55, Title 10 of the United States Code (also known as CHAMPUS supplemental programs).

(7) Similar supplemental coverage provided to coverage under a group health plan (as described in § 146.145(b)(5)(i)(C) of this subchapter).

Yes: The plan is NOT a health plan and therefore not a covered entity.No: The plan is a health plan and  therefore a covered entity.

Response

Yes / No

Answer Criteria

Yes: The plan is NOT a health plan and therefore not a covered entity.

No: The plan is a health plan and  therefore a covered entity. 

Logic

DISABLEMENT LOGIC - Disabled if HIPAA4_7 is yes.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. They have an obligation to comply with HIPAA in line with each covered entities own HIPAA compliance policies.

Response

Yes / No

Answer Criteria

Yes: The business or agency is a business associate and therefore is required to be HIPAA compliant.

No:

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

If the product has been identified as a covered identity or business associate then they are required to be HIPAA compliant.

Response

Yes / No

Answer Criteria

Yes: If any of the above responses indicate that the organization is a covered entity or business associate.

No: If the above responses indicate that the organization is not a covered entity or a business associate.

Logic

There is no disablement logic written for this question.

Scoring Impact

There is no scoring impact associated with this question.

Guidance/Context

Covered entities would be expected to provide a statement to say they are compliant with HIPAA requirements. If they are a business associate then they would not be required to provide their own statement of HIPAA compliance but many of the rules and regulations would likely be found in their privacy statement e.g. minimum necessary rule, privacy rule etc.

Response

Yes / No

Answer Criteria

Yes: If there is a statement of compliance with HIPAA

No: If there is no statement of compliance

Logic

DISABLEMENT LOGIC - Disabled if the developer has not been identified as a Covered Entity or Business Associate based on responses to HIPAA1_1 - HIPAA5_1.

Scoring Impact

Exceptionally high risk if the organization is required to be HIPAA complaint (HIPAA6_3 is yes) and there is no evidence of HIPAA compliance (HIPAA6_1 is no).

Guidance/Context

This question, for companies that are NOT covered entities, is a demonstration of being “HIPAA Ready”. For those that are covered entities, it is a way of demonstrating their compliance with HIPAA requirements.

Response

Yes / No

Answer Criteria

Yes: If the organisation displays a HITRUST badge or certificate.

No: If there is no evidence of HITRUST certification.

Logic

There is no disablement logic written for this question.

Scoring Impact

High value if the organization is not required to be HIPAA compliant but is HITRUST certified

Medium value if there is evidence the organization is HIPAA compliant (HIPAA6_1) and if the organization is HITRUST certified (HIPAA6_2).

Guidance/Context

This question should only be active if personal and/or sensitive data is collected by the app and is shared with the developer/third parties etc. If this appears to be wrongly active then check back on data scene setters.

Response Type

Yes / No

Answer Criteria

Yes: If any data is collected by or through the app, in any way. Including data such as usage data, cookies etc.
No:

Logic

DISABLED LOGIC -This question should only be active if personal and/or sensitive data is collected by the app and is shared with the developer/third parties etc. If this appears to be wrongly active then check back on data scene setters.

Scoring Impact
Maximum risk applied to the data section in this question and all questions that are disabled as a result of answering D39a as No. Questions would be disabled as a result of them not being applicable due to the app not having an applicable policy.

Guidance/Context

Due to the nature of the data being collected being non-identifiable a summary privacy is suitable. This question should only be active if personal and/or sensitive data is not collected by the app or is not shared with the developer/third parties etc. If this appears to be wrongly active then check back on data scene setters.

Response Type

Yes / No

Answer Criteria

Yes: A privacy summary can be a simple paragraph explaining privacy practices of the developer, as collection of non-personal/sensitive data does not require a full privacy policy.

Logic

DISABLED LOGIC -Disabled if data is automatically shared/collected. Only enabled when the app/developer collects only none sensitive data OR when the personal/sensitive data is only shared through direct manual intervention from the user.

Scoring Impact

Maximum risk applied to this question and all questions that are disabled as a result of answering D39b as No. Questions would be disabled as a result of them not being applicable due to the app not having an applicable policy.

Guidance/Context

This question looks to identify when a privacy policy is presented to a user. Making users aware of how their data is collected and used is mandatory.

Response Type

Yes / No

Answer Criteria

Yes: If the privacy policy is displayed when the app is first opened.

Yes: If the user is prompted to view and/or provided with a link to the policy when the app is first opened or on the login page.

Logic

DISABLED LOGIC -Disabled if D39a AND D39b are answered no.

Scoring Impact

High value applied if Yes. Value cannot be applied for both DP03 and DP04.

Guidance/Context

This question looks to identify when a privacy policy is presented to a user. Making users aware of how their data is collected and used is mandatory.

Response Type

Yes / No

Answer Criteria

Yes: When the user is provided with the privacy policy during the sign up process.

No: If the user is not provided with, or linked to the privacy policy during sign up.

Logic

DISABLED LOGIC - Disabled if D39a AND D39b are no, OR if DT14 is no.

Scoring Impact

High value applied if Yes. Value cannot be applied for both DP03 and DP04.

Guidance/Context

A privacy policy must be accessible to the user. This and following question look to identify where the privacy policy is located. Publishing within the app or being accessible via the app result in high value than it only being identifiable on the relevant app store.

Response Type

Yes / No

Answer Criteria

Yes: If the privacy policy is readily available to read at any time within the app.

No: If the privacy policy link takes you out of the app to a web browser.

Logic

DISABLED LOGIC - Disabled if D39a AND D39b are answered no.

Scoring Impact

Medium value applied if Yes. Value cannot be applied for both DP01 and DP02 if both are answered Yes.

Guidance/Context

A privacy policy must be accessible to the user. To determine if a policy is external, a user can enter the app manager screen. If still on the app the policy is internal, if an internet browser has opened separate from the the app then it is external.

Response Type

Yes / No

Answer Criteria

Yes: If the policy links outside of the app to the browser.

Yes: If there is an external link to the website, where there is access the privacy policy. This comes under the 2 click rule. Meaning that a privacy policy is easily accessible within 2 clicks/taps.

Logic

DISABLED LOGIC - Disabled if D39a AND D39b are answered no.

Scoring Impact

Medium value applied if Yes. Value cannot be applied for both DP01 and DP02 if both are answered Yes.

Guidance/Context

A privacy policy must be accessible to the user. This and following question look to identify where the privacy policy is located. Publishing within the app or being accessible via the app result in high value than it only being identifiable on the relevant app store.

Response Type

Yes / No

Answer Criteria

Yes: If the policy is accessible through the app store, making sure the privacy policy applies to the app. If it doesn’t link directly make sure it is accessible within 2 clicks.

Logic

DISABLED LOGIC - Disabled if D39a AND D39b are answered no.

Scoring Impact

Low value applied if Yes.

Guidance/Context

A privacy policy must be accessible to the user. This and following question look to identify whether a privacy policy has been made available to the user in a location different to those listed above.

Response

Yes/No

Assessment Criteria

Yes: Assessor is able to find a privacy policy elsewhere.

No: The assessor is unable to locate a privacy policy in a alternate place to those listed above.

Logic

DISABLED LOGIC - Disabled if D39a AND D39b are answered no.

Scoring Impact

Low value applied if yes.

Guidance/Context

This is a multiple choice question. Choices should be selected based on what is stated in the privacy policy. This would normally be found in a section titled like “What Information do we collect?”. Choices should only be selected if the privacy policy states them, this question should not be based off what can be seen in the app.

Response Type

Multiple Choice

Answer Criteria

Sensitive - Physical / Mental Health or Condition (past, current or future status), Sexual Life / Orientation, Political, Religious or other beliefs or opinions, Offences Committed / Alleged to have Committed / Criminal Proceedings / Outcomes / Sentence,  Financial data (that might be used for payment fraud), Trade Union membership, Racial / Ethnic Origin, Genetic or Biometric Data (e.g. fingerprints / facial Recognition) for the purpose of uniquely identifying a person

Personal (combined - If a number of these items have been selected, then there is a possibility that data can be personally identifiable) - Cookies, web beacons, flash cookies, server logs etc which track individual’s browsing behaviour, Other Unique Device Identifiers eg. Device MAC Address, Name, Age/DOB, Gender (self declared or observed), Marital Status |Family / Lifestyle / Social Circumstance, Education / Qualifications / Professional Training / Awards, Other online identifiers / Event Logs, Location Data (Travel / GPS / GSM Data / radio frequency identification tags (RFID))

Personal - Address|Postcode (full), Email Address, Mobile Phone Number / Device Number / Home Phone Number, Physical Description, Username, IP Address, General Identifier e.g. NHS No, Income / Financial / Tax Situation, Employment / Career History, Device IMEI No

Non-Personal - General Wellness data

Logic

DISABLED LOGIC - Disabled if D39a AND D39b are answered no.

Scoring Impact

There is no scoring impact for this question.

Guidance/Context

This questions looks to capture if the data that is stated as collected by the developer within the privacy policy matches what has been identified during assessment and usage of the app.

Response Type

Yes / No

Answer Criteria

Yes: If DP06 contains the same selections as DT10.

Logic

DISABLED LOGIC - Disabled if D39a AND D39b are answered no.

Scoring Impact

High risk applied if No AND DT10 and DP06 do not match.

Guidance/Context

This question looks at whether data is stored within the app. An app that requires data to be automatically transferred off the app - even to just be stored remotely - would not meet this requirement.

Response Type

Yes/No

Answer Criteria

Yes: “Stored locally on device” is clearly stated.

Yes: Data is stored only on the device, unless a user chooses to share it, or no data is collected or stored by the developer. 

No: Doesn’t state that personal data is stored only on the device.

No: Personal data is clearly transferred to and stored in any location outside the device with no involvement from the user.

Logic

DISABLED LOGIC - Disabled if D01 OR DS06 are No, or if DS07 OR DS09 are answered Yes.

Scoring Impact

High value if Yes.

Guidance/Context

Consent should be obvious and require a clear, positive, physical action from the user to opt in. Consent requests must be prominent, separate from other terms and conditions, easy to understand, and user friendly.

During sign-up to the app attention should be paid to how, if at all, consent is obtained from the user.

Response Type

Multiple Choice

Answer Criteria

Unmarked opt in check box, separate from other terms and conditions and/or consent requests (separate boxes for privacy policy, terms/conditions and marketing).- if there is an unmarked checkbox where the user can agree or consent to the privacy policy alone.

Clear affirmative acceptance option, separate from acceptance of other terms and conditions and/or consent requests (separate acceptance option for privacy policy, terms/conditions and marketing).- if there is another form of acceptance of the privacy policy, eg. clicking “sign up” after having been presented with the privacy policy.

Explicitly through express confirmation in words, rather than any other positive action (e.g. the user is required to email/write to the developer providing a clear confirmation of consent). This does not apply to a statement in the privacy policy such as “by using this app you consent to us collecting your data.”)- if the user is required to email the developer to provide their written consent.

Another form of positive action to opt in to giving consent (please detail below) - eg. if the acceptance box is for both privacy policy and T&Cs.- if there is an unmarked checkbox to agree to the privacy policy and T&Cs all together.

Other (please detail below), e.g. A statement in the privacy policy such as by using this app you consent to us collecting your data, with no clear confirmation of acceptance of policy. - if there is no clear option to be taken by the user to accept the privacy policy.

Logic

DISABLED LOGIC - Disabled if D39a is No.

Scoring Impact

Very high risk applied if “Other” is selected + multiplier based on nature of the data.

Guidance/Context

A DPO is important to ensure, in an independent manner, that an organisation applies the laws protecting individuals' personal data.

Response Type

Yes/No

Answer Criteria

Yes: If an individual person has been named and declared the person responsible for the company’s privacy practices, with contact details (this can include a generic email, such as dpo@company.co.uk, providing the individual responsible has been named).

No: If an individual person who is responsible for the role of DPO has not been named/detailed.

No: If there is only a generic email address.

Logic

DISABLED LOGIC - Disabled if D39a is no.

Scoring Impact

High value applied if yes.

Guidance/Context

Input the details of DPO from within privacy policy, this should be a named person not just a generic email and “data protection officer”.

Response Type

Free Text

Answer Criteria

N/A

Logic

DISABLED LOGIC - Disabled if DP14 has not been answered yes.

Scoring Impact

None

Guidance/Context

This questions identifies if the developers has clearly stated in the privacy policy how data will be collected from users. For example “ data will be collected when registering to use the app”.

Response Type

Yes/No

Answer Criteria

Yes: If the developer informs users where any data will be collected from. Eg. directly from the user or through third party sources.

No: If the developer has not informed users of all potential sources of information about them. Eg. the user is informed of data collected about them, however, the developers fail to identify that information is obtained from another location, such as Facebook, when the user signs up with this account.

Logic

DISABLED LOGIC - Disabled if D39a and D39b have not been answered yes OR DS06 has been answered Yes.

Scoring Impact

Medium risk applied if No + multiplier based on the nature of the data.

Guidance/Context

This question looks to identify if the purpose of processing has been made clear. For example, a developer may state that email addresses are captured to share marketing information with users.

Response Type

Yes/No

Answer Criteria

Yes: If the policy clearly explains what the user data collected is used for.

Yes: If the policy states all the uses for collected data that are apparent from the app.

No: If there is reason to believe that the developer has not explained any of the purposes for processing user data (Please detail in comments section).

Logic

DISABLED LOGIC - Disabled if D39a and D39b have not been answered yes OR DS06 has been answered yes.

Scoring Impact

Medium risk applied if No + multiplier based on the nature of the data.

Guidance/Context

Selection of answers for this questions should apply to data automatically shared with third parties/HCP/other users/devices - NOT with the developer. The exception to this is marketing should be selected if this a purpose of data sharing with the developer.

Response Type

Multiple Options

Answer Criteria

Legal obligations,

Performance of contract,

Payment transactions,

Research,

Improving of developer services,

Marketing,

Provision of service,

Other (Please specify),

Unclear.

Logic

DISABLED LOGIC - Disabled if D39a and D39b have not been answered yes OR DS06 has been answered Yes.

Scoring Impact

None

Guidance/Context

This question is asking if there is the possibility that data is being shared without this being made clear to the user. Therefore, No is the positive response.

Response Type

Yes/No

Answer Criteria

Yes: If data is shared without user consent, AND users don’t need to agree to the privacy policy. Essentially the opposite of D16.

Yes: If there is an obvious purpose for data use, which isn’t made clear or mentioned in the privacy policy. 

Yes: The policy states that the data will not be shared without first obtaining the user's consent to do so or that the app/developer ‘Won't share for other reasons/ with other parties, except as has been set out in the policy without obtaining your consent’

Logic

DISABLED LOGIC - Disabled if D39a has not been answered Yes.

Scoring Impact

High risk applied if yes + multiplier based on the nature of the data.

Guidance/Context

If direct marketing is being undertaken then developers need separate additional consent from the users. Answers for this questions are typically found in a section with name similar to “What we do with the information we collect” or the developers may have a separate “Marketing” section.

Response Type

Yes/No

Answer Criteria

N/A

Logic

DISABLED LOGIC - Disabled if D39a has not been answered yes or DT13 is answered as non-personal or D01 is answered no.

Scoring Impact

None

Guidance/Context

Consent for marketing should be obtained separately from consent for any processing user data for any other purpose. This must also be prominent, easy to understand and user friendly. E.g. A separate tick box for marketing and consenting with the privacy policy.

Response Type

Yes/No

Answer Criteria

Yes: If consent for marketing is obtained separately for marketing AND the method for gaining this consent is through one of the positive affirmative actions listed in DP08. (Unmarked opt in check box; clear affirmative acceptance option; explicitly through express confirmation in words, another form of positive action to opt in to giving consent (please detail below)).

No: If the user is not asked for consent to use data for marketing separately.

No: If the user has not been required to provide a positive affirmative action, separate from accepting other T’s & C’s / Privacy Policies, to agree to sharing their data for the purposes of marketing.

Logic

DISABLED LOGIC - Disabled if DP10 does not contain Marketing, or if DT13 is answered as non-personal.

Scoring Impact

High risk applied if no + multiplier based on the nature of the data.

Guidance/Context

The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing. So as not to interfere with core health care functions, the Rule distinguishes marketing communications from those communications about goods and services that are essential for quality health care.

Response Type

Yes/No

Answer Criteria

Yes: If a separate consent is gained for communicating about goods and services that are essential for quality health care.

No: If a separate consent is not gained for marketing as defined under the HIPAA privacy rule.

Logic

DISABLED LOGIC - Disabled if D01 is no, DS06 is yes, D39a is no OR D71 is no.

Scoring Impact

Medium - high risk applied if no.

Guidance/Context

The list of activities can be found in question ORC_DP10. The developer should state how a user can opt out of each of these processing activities.

Response Type

Yes/No

Answer Criteria

Yes: If the app has an option to opt out/turn off data collection for external research or provides a contact email to get data removed from a study.

Yes: If the policy clearly explains to user how they can contact the developer to opt-out of all  sharing/processing activities.

No: If shared for any other reasons other than legal obligations and no option to opt out (email address in policy explicitly stating how to opt out or sliders within app).

No: If the policy only mentions how the user can opt out of one, but not all, activities.

Logic

DISABLED LOGIC - Disabled if D39a and D39b have not been answered yes.

Scoring Impact

Medium risk applied + multiplier based on the nature of the data. Risk can not be applied to both D28 and DP13.

Guidance/Context

N/A

Response Type

Yes/No

Answer Criteria

Yes: If only shared for legal obligations - Policy must state who they will share the data with and for what legal purposes (e.g. protect rights, copyright).

Yes: If the developer has clearly set out justifiable reasons for not being able to deal with particular requests with regards to stopping certain processing/sharing activities.

No: If users are not informed of how they can either opt out of processing and sharing activities AND there is no justification from the developer as to why users cannot opt out of certain activities.

Logic

DISABLED LOGIC - Disabled if D39a and D39b have not been answered yes or D28 has been answered Yes.

Scoring Impact

Medium risk applied if no + multiplier based on the nature of the data. Risk can not be applied to both D28 and DP13.

Guidance/Context

Developers are required to share who data may be shared with for processing and other activities. Information for this question will typically be located in the privacy policy around information about what third parties data is shared with.

Response Type

Yes/No

Answer Criteria

Yes: If no data is shared without user consent.

Yes: If the policy states that using the app indicates agreement to the policy/given consent for data sharing specified.

No: If data is shared with third parties without user consent.

Logic

DISABLED LOGIC - Disabled if D39a has not been answered yes or D01 has been answered No or if DT13 has been answered non-personal.

Scoring Impact

High risk applied if no + multiplier based on the nature of the data.

Guidance/Context

N/A

Response Type

Yes/No

Answer Criteria

Yes: If the policy states the data is stored in a cloud server e.g. physical location e.g. secure server.

Microsoft Azure is a cloud storage technology.

AWS - amazon web servers.

If policy states the physical address of the data controller.

“May not be stored in your location” isn’t enough.

“In the UK” isn’t enough, has to be an address.

Logic

DISABLED LOGIC - Disabled if D39a And D39b have not been answered yes.

Scoring Impact

Medium value applied if yes.

Guidance/Context

The purpose of this question is to state where data is stored e.g. in a secure server or an AWS server.

Response Type

Free Text

Answer Criteria

N/A

Logic

DISABLED LOGIC - Disabled if DST01 is no.

Scoring Impact

There is no scoring impact for this question.

Guidance/Context

This question is looking to identify if appropriate technologies are being used for secure storage of user data. Technologies that are considered appropriate are detailed in the answer criteria below.

Response Type

Yes/No

Answer Criteria

Yes: If firewall, antivirus, or encryption when in storage/at rest is mentioned. Must state which technology is used, this does not have to be specific.
If AWS, Microsoft Azure or Google cloud server is mentioned.
“256-bit SSL encryption for data transfer and NSA-level 256-bit AES encryption of personal information” - would be “yes” to both encryption in storage and transit.
AES is yes to storage and encryption.
LUKS (Linux Unified Key Setup) is yes.

No: Doesn’t state which technology is used. Only mentions “cloud services” but doesn’t specify provider.

Logic

DISABLED LOGIC - Disabled if D39a And D39b have not been answered yes.

Scoring Impact

High value if yes. High risk if no.

Guidance/Context

The purpose of this question is to ensure that data is transferred securely to ensure there are no breaches of users data.

Response Type

Yes/No

Answer Criteria

Yes: If the policy states encrypted during transit or mentions the encryption type.
Encryption types:
If SSL or TLS = encryption in transit.
HTTPS
Web apps - check the address bar, the padlock means HTTPS.
“256-bit SSL encryption for data transfer and NSA-level 256-bit AES encryption of personal information” - would be “yes” to both encryption in storage and transit.
AES (Yes to both storage and encryption).

No: Doesn’t state the data is encrypted during transit.
Only mentions payment details are encrypted in transit.

Logic

DISABLED LOGIC - Disabled if D39a has not been answered yes.

Scoring Impact

High risk applied if no.

Guidance/Context

Developers need to state that video consultations use secure encryption clearly if appropriate. This should be in addition to the previous question about encryption of other data transfer.

Response Type

Yes/No

Answer Criteria

Yes: If it is made explicitly clear to the end-user, that a secure encrypted connection is used for all video consultations. This may be in the policy or elsewhere on the website/app.

Logic

DISABLED LOGIC - Disabled if D39a has not been answered yes.

Scoring Impact

High risk applied if no.

Guidance/Context

Developers that are compliant with these international data standards are rewarded for compliance with best practice standards of data management.

Response Type

Multiple Option:

ISOC2
ISO 27001 
SDLC 
NIST 
Other (please specify).

Answer Criteria

Yes: If there is a compliance sticker on their website. ISO 27001. (if any other ISOs/BSIs etc. are mentioned, please confirm the appropriateness of the standard for data management.

Yes: Needs to be the COMPANY that is ISO compliant, not the server where data is stored, particularly when the company/developer is the data controller.

No: If there is no evidence of ISO, BSI etc. compliance.

EU-US privacy shield does not count for this question.

If the server (e.g. AWS) is ISO compliant but there is no explicit statement to say the company is.

Logic

DISABLED LOGIC - Disabled if D39a and D39b have not been answered yes.

Scoring Impact

Medium risk applied if no + multiplier based on the nature of the data.

Guidance/Context

Under GDPR, it is a legal obligation for a data controller and/or processor to only retain personal data only for as long as is necessary for the purpose upon which it is being processed.

Response Type

Yes/No

Answer Criteria

Yes: If the developer mentions any time period of data retention, even if it’s an indefinite amount of time.

Yes: If the developer states “We only keep your personal information for as long as it’s necessary for our original legitimate purpose for collecting it and for as long as we have your permission to keep it.”

No: If the only mention of data retention is provided where the developer informs users of the rights under GDPR.

No: Developers are obliged to separately inform users of their own policies and procedures regarding data retention in the event that a user has not exercised any of their rights to their data.

No: If the policy mentions a timeframe after which data may be stored in aggregate.

No: If the policy states “we may retain data for…”

Logic

DISABLED LOGIC - Disabled if D39a has not been answered yes.

Scoring Impact

Low risk applied if no.

Guidance/Context

Controllers and/or processors should ensure there are set procedures in place to safely and securely delete any personal data when it is no longer needed and.

Response Type

Yes/No

Answer Criteria

Yes: If the policy mentions how the data is deleted, if users haven’t exercised any user rights.

Yes: If the policy details that user data is deleted after a certain time period.

Yes: If users can delete or reset all data within the app, AND it deletes it from the server. Not if it clears the app but stays on the server.

Yes: If users are the data controller and the method of deletion is users contacting the developer to remove their data.

Yes: If the developer has detailed the process for anonymizing personally identifiable information after a given timeframe of inactivity.

No: If the only mention for deletion of data is provided where the developer informs users of the rights under GDPR. Developers are obliged to separately inform users of their own policies and procedures regarding the deletion of data if a user has not exercised any of their rights to their data.

No: If the only mention is removal of data for under 13s/minors.

Logic

DISABLED LOGIC - Disabled if D39a has not been answered Yes.

Scoring Impact

Low risk score applied if D20 has been answered No, + multiplier based on the nature of the data collected.

Guidance/Context

Developers have an obligation to notify the relevant supervisory authority when certain data breaches happen. Developers should therefore have a clear internal procedure in place to help aid the decision-making about whether or not a breach needs to be reported to the supervisory authority or even the affected individuals.

Response Type

Yes/No

Answer Criteria

Yes: If users are informed that they can complain to the Information Commissioner's Office (ICO), if they believe that their data privacy rights have been breached.

Yes: If users are informed they can lodge a complaint with their local data protection authority, if they believe that their data privacy rights have been breached.

Yes: If users are informed that they can complain to the Local Supervisory Authority of the country that the developer is based, if they believe that their data privacy rights have been breached.

Yes: If the user is told that they should inform the company, or the company will inform the user, (if you suspect a breach) and users have the right to file a complaint with the competent supervisory authority (GDPR Art. 77). Check T&Cs too.

Yes: If the developer has detailed in the privacy policy how they will approach any breaches to data security that they become aware of. For example informing users within a reasonable time frame and informing their relevant jurisdictional supervisory authority.

Yes: If the developer has detailed the process in which they will inform the local/jurisdictional regulatory authority of any confidentiality breaches.

No: If the policy doesn’t state what happens in the event of a breach.

No: If you can complain but only to the developer, not to the ICO in the event of a breach.

Logic

DISABLED LOGIC - Disabled if D39a has not been answered Yes.

Scoring Impact

Medium risk applied if D21 has been answered No + multiplier based on the nature of the data collected.

Guidance/Context

Jurisdictionally required principle recognition, would be that the  developer recognizes their responsibility, at a minimum, to  treat the data of an individual from another country in  compliance with the data protection laws of the country in  which that individual resides.

Response

Yes / No

Assessment Criteria

Yes: The assessor finds a statement confirming the app’s compliance with jurisdictionally required laws and regulations.

No: There’s no statement confirming the app’s compliance with jurisdictionally required laws and regulations.

Logic

DISABLED LOGIC - Disabled if D39a and D39b are no.

Scoring Impact

Medium risk applied if no + multiplier based no nature of the data collected.

Guidance/Context

To meet the requirement for this question the developer has to specify ‘the legal basis for data collection is…’

Response Type

Yes/No

Answer Criteria

Yes: If the policy states data is collected under a legal basis, e.g. consent, performance of contract, legal obligation, vital interests, public interest or legitimate interest.

Yes: If the policy states that by using the app you consent to the privacy policy, “If you consent to this app, you consent for us to collect data.”, or a statement similar to this.

Logic

DISABLED LOGIC - Disabled if D39a has not been answered Yes.

Scoring Impact

High risk score applied if D60 has been answered No + multiplier based on the nature of the data collected.

Guidance/Context

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html

Response

Yes / No

Answer Criteria

N/A

Logic

DISABLED LOGIC - Disabled if D39a has not been answered Yes.

Scoring Impact

High - Exception risk applied if no + multiplier based on if the organization is required to be HIPAA compliant and based on the nature of the data the app collects.

Guidance/Context

The developer has an obligation to inform users of any changes that are made to the processing of data. The level to which the developer must notify is determined by the legal basis for processing and the extent of the change being made.

Response Type

Yes/No

Answer Criteria

Yes: If the legal basis is consent and the developer states that if the purpose for processing data changes then consent will be re-obtained before continued use of the service. 

Yes: If consent is not one of the legal basis and the developer has stated in the privacy policy that they WILL inform users of changes to the policy. 

No: If the developer states that they MAY inform the users of changes to the privacy policy.

Logic

DISABLED LOGIC - Disabled if D39a has not been answered Yes.

Scoring Impact

Medium risk score applied if D61 has been answered No + multiplier based on the nature of the data collected.

Guidance/Context

Questions relating to GDPR will only be asked for apps that collect and process personal and/or sensitive data.

Response Type

Yes/No

Answer Criteria

Yes: If the developer has made it clear that the user has certain rights with regards to their data and explains what those rights are.

Yes: If the developer has set out any of the user rights under GDPR.

Logic

DISABLED LOGIC - Disabled if D39a has not been answered Yes.

Scoring Impact

Exceptional risk score applied if DPR01 has been answered No + multiplier based on the nature of the data collected.

Guidance/Context

This is a right users should expect under GDPR.

Response Type

Yes/No

Answer Criteria

Yes If the policy clearly states the user’s right to erasure, or method for how data is deleted, OR the user can clear all data from the app.

Yes: If the policy clearly states the user’s right to be forgotten.

Logic

DISABLED LOGIC - Disabled if D39a Or DPR01 have not been answered Yes.

Scoring Impact

Low value score applied if D93 has been answered Yes.

Guidance/Context

This is a right users should expect under GDPR.

Response Type

Yes/No

Answer Criteria

Yes: If the policy clearly states the user’s right to access their data, and a contact method is given.

Logic

DISABLED LOGIC - Disabled if D39a Or DPR01 have not been answered Yes.

Scoring Impact

Low value score applied if D25 has been answered Yes.

Guidance/Context

This statement should be clearly displayed as HIPAA requires data controllers to allow the user the right to inspect their personal data.

Response

Yes / No

Assessment Criteria

Yes: If the assessor can find the user right clearly displayed in the privacy policy or in another accessible location to the user.

No: If the assessor is unable to find this user right.

Logic

DISABLED LOGIC - Disabled if D39a have not been answered Yes.

Scoring Impact

Low value applied if yes. Low risk applied if no.

Guidance/Context

This statement should be clearly displayed as HIPAA requires data controllers to allow the user the right to be informed of how their PHI is used and / or shared.

Response

Yes / No

Assessment Criteria

Yes: If the assessor can find the user right clearly displayed in the privacy policy or in another accessible location to the user.

No: If the assessor is unable to find this user right.

Logic

DISABLED LOGIC - Disabled if D39a have not been answered Yes.

Scoring Impact

Low value applied if yes. Low risk applied if no.

Guidance/Context

This is a right users should expect under GDPR.

Response Type

Yes/No

Answer Criteria

Yes: The policy clearly states the user’s right to rectify, correct, amend or update their information.

Logic

DISABLED LOGIC - Disabled if D39a Or DPR01 have not been answered Yes.

Scoring Impact

Low value score applied if D56 has been answered Yes.

Guidance/Context

This is a right users should expect under GDPR.

Response Type

Yes/No

Answer Criteria

Yes: If the policy clearly states the user’s right to restrict use, or to stop using data.

Logic

DISABLED LOGIC - Disabled if D39a Or DPR01 have not been answered Yes.

Scoring Impact

Low value score applied if D81 has been answered Yes.

Guidance/Context

This is a right users should expect under GDPR.

Response Type

Yes/No

Answer Criteria

Yes: If the policy clearly states the user’s right to restrict use, or to stop using data.

Logic

DISABLED LOGIC - Disabled if D39a Or DPR01 have not been answered Yes.

Scoring Impact

Low value score applied if D81 has been answered Yes.

Guidance/Context

This is a right users should expect under GDPR.

Response Type

Yes/No

Answer Criteria

Yes: If the policy clearly states the user’s right to portability, or right to transfer their data, or the right to receive their data in a machine-readable format.

Logic

DISABLED LOGIC - Disabled if D39a Or DPR01 have not been answered Yes.

Scoring Impact

Low value score applied if D59 has been answered Yes.

Guidance/Context

This is a right users should expect under GDPR.

Response Type

Yes/No

Answer Criteria

Yes: If the policy clearly states the user’s right to withdraw consent.

Logic

DISABLED LOGIC - Disabled if D39a Or DPR01 have not been answered Yes.

Scoring Impact

Low value score applied if D58 has been answered Yes.

Guidance/Context

HIPAA requirement. In the policy, the developer should be clear that the user has this right, but also be clear of the repercussions of refusing to share data (eg. being unable to access/provide the service).

Response

Yes / No

Assessment Criteria

Yes: If the user rights have been made clear in the privacy policy and the repercussions of refusing to share data has also been made clear.

No: If only the user rights have been made clear or if the repercussions have not been made clear.

No: If the privacy policy has not mentioned user rights or repercussions of not consenting to sharing data.

Logic

DISABLED LOGIC - Disabled if D39a has not been answered Yes.

Scoring Impact

Medium- High risk applied if no + multiplier based on the nature of the data collected.

Guidance/Context

In the policy, the developer should be clear that the user has this right, but also be clear of the repercussions of refusing to share data (eg. being unable to access/provide the service).

Response

Yes / No

Assessment Criteria

Yes: If repercussions of refusing to share data has also been made clear.

No: If the privacy policy has not mentioned the repercussions of not consenting to sharing data.

Logic

DISABLED LOGIC - Disabled if D39a has not been answered Yes.

Scoring Impact

Medium- High risk applied if no + multiplier based on the nature of the data collected.

Guidance/Context

Automated processing is what can occur when applying for things such as insurance, finance, mortgage etc. It gives an output which is based on details entered. The result would be a machine driven decision or figure of cost etc. Users have the right to request any such decision be reviewed by a human.

Response Type

Yes/No

Answer Criteria

Yes: There may be a simpler statement, such as “You have the right to request that we do not process your personal data for the purpose of automated decision making”.

Yes: If the developer has made clear that the user has this right under GDPR, even if they do not specifically process data in such a way.

No: If this user right has not been mentioned in the policy.

Logic

DISABLED LOGIC - Disabled if D39a Or DPR01 have not been answered Yes.

Scoring Impact

Low value score applied if DPR02 has been answered Yes.

Guidance/Context

When informing users of their individual rights under GDPR, it is also best practice to provide them with details on how the controller can be contacted/communicated with in order to submit subject access requests.

Response Type

Yes/No

Answer Criteria

Yes: If a contact method is provided in the policy for the developer, in relation to exercising user rights.

No: If a contact method is only provided for one user right, rather than all rights mentioned.

Logic

DISABLED LOGIC - Disabled if D39a Or DPR01 have not been answered Yes.

Scoring Impact

Low value score applied if D81 has been answered Yes.

Guidance/Context

By law an organization normally has to respond to a subject access  request within one month. If an individual has made a number of requests or a request is complex, extra time may be needed to consider and/or action the request(s). Where this is the case, the organization can take up to an extra two months to respond.

Response Type

Yes/No

Answer Criteria

Yes: If a time frame is given, and it is within two months of receipt of the request.

No: If there is no separately provided timeframe and response commitment provided with regards to the user exercising their rights. I.e. if there are only contact details for enquiries about the policy as a whole, with an expected response time.

Logic

DISABLED LOGIC - Disabled if D39a Or DPR01 have not been answered Yes.

Scoring Impact

Low value score applied if D81 has been answered Yes.

Guidance/Context

It is a HIPAA requirement for the user to be informed of any charges which may be incurred with regards to exercise their right to access their PHI.

Response

Yes / No

Assessment Criteria

Yes: If users have been informed of charges that might be incurred when exercising their rights

No: If users have not been informed that charges may be incurred when exercising their rights.

Logic

DISABLED LOGIC - Disabled if D39a has not been answered Yes.

Scoring Impact

Medium value applied if the organization does not need to be HIPAA compliant and this is answered yes. High Risk applied if the organization needs to be HIPAA compliant and this is answered no.

Guidance/Context

It is a HIPAA requirement for the user to be informed of their right to have an access denial reviewed.

Response

Yes / No

Assessment Criteria

Yes: If users are informed that they have the right to request an access denial is reviewed.

No: If users are not informed of their right to have an access denial reviewed.

Logic

DISABLED LOGIC - Disabled if D39a has not been answered Yes.

Scoring Impact

Medium value applied if the organization does not need to be HIPAA compliant and this is answered yes. High Risk applied if the organization needs to be HIPAA compliant and this is answered no.

Guidance/Context

It is a general rule under HIPAA that local state laws are not pre-empted by HIPAA. It is also best practice to ensure users are informed of this.

Response

Yes / No

Assessment Criteria

Yes: If users are informed that local state laws, are not pre-empted by HIPAA.

Logic

DISABLED LOGIC - Disabled if D39a has not been answered Yes.

Scoring Impact

Medium - High Risk applied if no + multiplier based on nature of the data.

Guidance/Context

It is a HIPAA requirement for the user to be informed of their right to request to be reached somewhere other than home.

Response

Yes / No

Assessment Criteria

Yes: If policy states that the user has the right to be reached somewhere other than home.

No: If the policy has not mentioned this right.

Logic

DISABLED LOGIC - Disabled if D39a has not been answered Yes.

Scoring Impact

Medium value if yes and the organization is not required to be HIPAA compliant. High risk applied is no and the organization is required to be HIPAA compliant.

Guidance/Context

When reviewing a native (including “hybrid”) app, being informed of the website using cookies, while using the browser, does not answer this question as yes. Reference to “site” in the question is regarding a review of a web app.

Response Type

Yes/No

Answer Criteria

Yes (web app): If when first landing on the website a banner/pop up appears asking users to accept cookies.

Yes (Native Apps): If when first accessing the app, or at the point at which the app attempts to use cookies, the user is clearly informed of the intended use of cookies.

Logic

DISABLED LOGIC - Disabled if the app is not collecting cookies, D01 is answered No or DT10 does not contain “Cookies/Web Beacons”

Scoring Impact

Low risk if answered No + Multiplier based on the nature of the data.

Guidance/Context

It is required that developers gain consent from visitors to the site in order to store or retrieve any information on a computer, smartphone or tablet using cookies.

Response Type

Yes/No

Answer Criteria

Yes (web app): If when first landing on the website a banner/pop up appears asking users to accept cookies.

Yes (Native Apps): If, when users are informed of the use of cookies, they are required to provide a clear confirmation of their acceptance of the use of cookies.

Logic

DISABLED LOGIC - Disabled if the app is not collecting cookies, D01 is answered No or DT10 does not contain “Cookies/Web Beacons”

Scoring Impact

Low risk if answered No + Multiplier based on the nature of the data.

Guidance/Context

A paragraph explaining the products use of cookies is sufficient for this question.

Response

Yes / No

Assessment Criteria

Yes: If there is a designated paragraph or section within the privacy policy which explains the developer’s use of cookies.

Yes: If there is a whole separate cookie policy for the app.

No: If the cookie policy only addresses cookies for an associated website and not the app itself.

No: If there is no cookie policy or paragraph made available to the user.

Logic

DISABLED LOGIC - Disabled if DT11 is no.

Scoring Impact

Low Risk applied if no.

Guidance/Context

Users should be informed of the use of strictly necessary cookies, even if they have no way of restricting the use of these.

Response

Yes / No

Assessment Criteria

Yes: If there is a statement in the privacy policy.

Yes: If there is a pop up explaining the use of strictly necessary cookies.

No: If there is no statement anywhere explaining the user of strictly necessary cookies.

Logic

DISABLED LOGIC - Disabled if DT11 is no.

Scoring Impact

Low Risk applied if no + multiplier depending on nature of the data that’s collected.

Guidance/Context

Under the e-Privacy Directive 2002, manufacturers should obtain separate consent for their use of non-strictly necessary cookies.

Response

Yes / No

Assessment Criteria

Yes: If there is a pop up on the app which asks the user to consent to the use of non strictly necessary cookies.

Yes: If user is asked to provide their consent to non strictly necessary cookies upon sign up.

No: If there is no form of consent obtained for non strictly necessary cookies.

Logic

DISABLED LOGIC - Disabled if DT11 is no.

Scoring Impact

Low Value applied if yes.

Guidance/Context

Under the e-Privacy Directive 2002, manufacturers are required to ensure it is as easy for user’s to opt out of their use of cookies as it was for the user to originally opt in.

Response

Yes / No

Assessment Criteria

Yes: If there’s a statement within the privacy policy or on the app about how to opt out of the use of cookies.

No: If the user has not been told how to opt out of the use of cookies.

Logic

DISABLED LOGIC - Disabled if DT11 is no.

Scoring Impact

Low Risk applied if no + multiplier based on the nature of the data collected.

Guidance/Context

The question aims to identify if the app is targeted at children, as additional security measures should be in place if a minor’s data is being processed.

Response

Yes / No

Assessment Criteria

Yes: The app has stated it’s for child use.

No: The policy is quite clear that the app is aimed at people over 18 or they won’t take data from an under 18.

Logic

DISABLED LOGIC - Disabled if the app doesn’t collect personal data OR if the app doesn’t share any data OR if the data is only shareable through direct actions by the user.

Scoring Impact

None.

Guidance/Context

The question aims to identify if the app may collect data from children as additional security measures should be in place if a minor’s data is being processed.

Response Type

Yes/No

Answer Criteria

Yes: The app has content which may be appealing to children, but doesn’t specify an age range, OR the app is intended to be used by children.

No: If policy states they won’t collect data from under 13s, GDPR still allows for the 13-16 age range to provide consent independently

No: The policy is quite clear that the app is aimed at people over 18 or they won’t take data from an under 18 AND the app does not present any particular content or features that would encourage a minor to attempt to access and use the app.

Logic

DISABLED LOGIC - Disabled if D01 is no, Or DS06 is answered yes, Or if DT13 is answered none personal.

Scoring Impact

None

Guidance/Context

This question aims to encourage developer’s to provide the opportunity for people to contact them if they believe a child’s data may have been processed or collected incorrectly or without parental consent.

Response Type

Yes/No

Answer Criteria

Yes: If there is a statement that specifically details what a user should do to inform the developer.

Yes: If the developer specifically states that if they become aware of a minor/child providing personal data, then they will delete this data within a set period of time.

Yes: If the developer explains the app is offering online preventive or counselling services to children and therefore does not obtain parental consent as they are legally obliged to not do so.

No: If the policy does not provide any details on how the developer and/or user should respond when they become aware of a minor/child providing personal data.

Logic

DISABLED LOGIC - Disabled if D01 is no, Or DS06 is answered yes, Or if DT13 is answered none personal.

Scoring Impact

High, Medium or Low risk applied depending on if D44 is answered yes, if the app is designed for child, Pre-teen or teen with a multiplier applied based on the level of data collected (Non-personal, Personal, Sensitive)

Guidance/Context

User rights should be written in a form that the child can understand them, so they know what they are agreeing to and steps they can take to exercise their rights, this is applied to users under the age of 13 too.

Response Type

Yes/No

Answer Criteria

Logic

DISABLED LOGIC - Disabled if COP01 is no.

Scoring Impact

Low risk applied is no + multiplier based on the nature of the data.

Guidance/Context

Response Type

Yes/No

Answer Criteria

Logic

DISABLED LOGIC - Disabled if COP01 is no.

Scoring Impact

Low value applied if yes.

Guidance/Context

This question aims to discover if children were involved in the process of making their user rights easily accessible, understandable and exercisable.

Response Type

Yes/No

Answer Criteria

Logic

DISABLED LOGIC - Disabled if COP01 is no.