Google Fit User Data and Health Research Policy

Google Fit’s Terms and Conditions, User Data and Developer Policy, and Developer Guidelines are dedicated to protecting privacy and security while facilitating health and fitness research. Google Fit APIs may only be used for health research, referred to as health research in this policy, if the research is reviewed or approved by an independent board 1) whose aim is to protect the rights, safety, and well-being of participants and 2) that has the authority to scrutinize, modify, approve, or disapprove human subjects research. Independent boards include an Institutional Review Board (IRB) detailed in 45 C.F.R. §§ 46.101-115, an Ethics Committee (EC) detailed in Directive 2001/20/EC or Directive 2005/28/EC, or another entity adhering to substantially similar requirements (“Review Board”).

Google-approved applications and web services using Google Fit APIs for health research will be labeled Health Research Applications or Health Research Web Services and collectively referred to as the “Health Research Applications and Web Services”. “You” and “your” as used herein refer to these Health Research Applications and Web Services. In the event of a conflict between this policy and any other terms with regard to accessing user data, this Health Research policy controls for Health Research Applications and/or Web Services.

Health Research Applications and Web Services:

  1. Are responsible for obtaining approval or waiver from a Review Board;
  2. Must comply with the below policy, the Google Fit Developer and User Data Policy, except as otherwise stated herein, and other applicable Google policies, including the Google APIs Terms of Service, Google Fit Developer Terms and Conditions, and OAuth 2.0 Policies; and,
  3. Must comply with all applicable laws and regulations, including but not limited to the California Consumer Privacy Act, HIPAA, GDPR (EU & UK), DPA 2018, the Common Rule, and the FDA regulations on the protection of human subjects.

It is your responsibility to monitor and ensure your compliance with these conditions on a regular basis. If, at any time, you cannot meet these conditions (or if there is a significant risk that you will not be able to meet them), you must immediately stop using our services. We also reserve the right to deny or revoke your authorization for health research if you do not comply with this policy or we have reasonable concerns about your compliance with this policy.

Health Research Attestation

Health Research Applications and Web Services must select “Health Research” during the Developer submission process. Health Research Applications and Web Services must submit:

  1. A completed intake form
  2. IRB/EC (or substantially similar equivalent) Approval/Waiver Letter
  3. IRB/EC (or substantially similar equivalent) Accreditation
  4. Exact data requested and rationale for use

Determine Eligibility for Health Research

Health Research Applications and Web Services must confirm the eligibility of a participant before obtaining informed consent and requesting permission to access the participant’s data.

Transparent and Accurate Notice and Control for Health Research

After confirmation of eligibility, you must comply with the Google Fit Developer and User Data Policy’s Transparent and Accurate Notice and Control section.

In addition, Health Research Applications or Web Services must provide a disclosure, via a dialog box or incremental dialog boxes, that includes:

  1. The nature, purpose, and duration of the research;
  2. The risks and benefits to the participant;
  3. The privacy, security, and data handling measures in place to protect the data;
  4. The point of contact for any questions;
  5. The retention period(s) for data collected for the study;
  6. How to withdraw from the study;
  7. How to delete one’s data from the study throughout the lifecycle of the study, including whether the study permits deletion after the data becomes accessible to the public; and,
  8. Any other relevant documents or information required by your IRB/EC.

You must also provide an option for the participant to save, store, or email the above information, the Informed Consent documents, and any other documents required by the IRB/EC. Each participant must sign and submit the required disclosures and consents prior to participation in the study. A copy of all signed documents must be sent to the participant.

Health Research Applications and Web Services will follow the FDA’s Use of Electronic Informed Consent Questions and Answers, or substantially similar standards. For example, include plain language in your explanations with diagrams/infographics and require participants to correctly answer questions about the health research prior to their enrollment.

Limited Uses of User Data for Health Research

Health Research Applications or Web Services must comply with the below requirements. These requirements apply to the participant data, including the raw data obtained from Google Fit APIs, and data aggregated, anonymized, or derived from the participant data or the raw data.

  1. Limit your use of participant data to its intended purpose for collection.
  2. Immediately de-identify participant data to the greatest extent possible for your study.
  3. Do not use or share participant data with third parties for new research studies, or for any purpose different from the original study purposes, without obtaining a separate informed consent from participants, unless the IRB explicitly waives the requirement for separate informed consent.
  4. Do not use or share data with members of your team who do not have a genuine need to know.
  5. Only transfer participant data to third parties:
    1. If necessary to pursue the original research purpose and the third parties are bound to limit their access to and use of the participant data to fulfilling that purpose;
    2. If the participant granted explicit consent to share specific data; for example, in the signed Informed Consent document presented to the participant;
    3. If necessary for security purposes (for example, investigating abuse); or,
    4. To comply with applicable laws or regulations.

All other transfers, uses, or sales of participant data are expressly prohibited, including:

  1. Transferring, selling, or using participant data for serving ads, including contextual, retargeting, personalized, or interest-based advertising.
  2. Transferring or selling participant data to third parties like advertising platforms, data brokers, or any other information resellers.
  3. Transferring, selling, or using participant data to determine credit-worthiness or for lending purposes.
  4. Transferring, selling, or using the participant data with any product or service that may qualify as a medical device pursuant to Section 201(h) of the Federal Food Drug & Cosmetic (FD&C) Act if the participant data will be used by the medical device to perform its certified function.
  5. Transferring, selling, or using participant data for any purpose or in any manner involving Protected Health Information (as defined by HIPAA) unless received by you under a valid HIPAA Authorization that was reviewed by an IRB or EC, as applicable.

An affirmative statement that your use of the data complies with the Google Fit APIs for Health Research Limited Use restrictions must be disclosed in your application or on a website belonging to your web service or application; for example, a paragraph in your Informed Consent document, or a link on a homepage to a dedicated page or privacy policy noting: “The use of information received from Google Fit APIs will adhere to the Google Fit Developer and User Data Policy, including the Limited Use requirements.” If you are unable to add a disclosure, then your app’s privacy policy must comply with the requirements outlined in this policy. This option might make the review time for your app longer.

Secure Data Handling Recommendations for Health Research

Health Research Applications and Web Services must comply with the Google Fit User Data and Developer Policy’s Secure Data Handling section.

It is also recommended that Health Research Applications and Web Services follow best practices recommended by the U.S. Department of Health and Human Services, the U.S. Food and Drug Administration regulations, or ICH Good Clinical Practice Guidelines, such as applying for a Certificate of Confidentiality from the National Institutes of Health, which may protect data from compelled disclosure to third parties.

Publishing Data

Health Research Applications and Web Services may choose to publish the results of their research, but may not suggest that Google approves of the study design, scientific validity of the research, or otherwise endorses the study findings unless provided in writing by Google. Health Research Applications and Web Services must comply with the relevant laws and regulations as well as the following requirements if you plan to publish your research, or make it publicly available in any form:

  1. Register your study in a public registry; for example,
  2. Notify Google Fit for the study’s inclusion in the Google Fit Publication Library;
  3. Publicly disclose the source of the information; and,
  4. Refrain from publishing individual data that may be identifiable and mitigate the risk of re-identification. Examples of good practices to mitigate re-identification risk include:
    1. Wherever possible, provide summary-level aggregate data rather than individual-level de-identified data.
    2. If you must share individual-level de-identified data, instead of publishing the data publicly, provide it selectively to others only for purposes of peer review, subject to contractual commitments by the recipient not to disclose or attempt to re-identify the data.
    3. If you must publish individual-level de-identified data, you must do so in compliance with all applicable laws and, at a minimum, use an accepted de-identification technique, like differential privacy, to preserve confidentiality, or obtain an expert determination that the risk of re-identification is very small.