Consumer Health Data Privacy Policy
This notice supplements the Microsoft Privacy Statement and applies to personal data defined as “consumer health data” subject to the Washington State My Health My Data Act (MHMDA), the Nevada Health Data Privacy Act (NHDPA), or other applicable state consumer health privacy law.
Consumer Health Data We Collect
As described in the Personal data we collect section of the privacy statement, the data we collect depends on the context of your interactions with Microsoft and the choices you make (including your privacy settings), the products and features you use, your location, and applicable law. Because consumer health data is defined very broadly, many of the categories of data we collect could also be considered consumer health data.
Examples of consumer health data may include:
- Information about your health-related conditions, symptoms, status, diagnoses, testing, or treatments (including surgeries, procedures, medications, or other interventions). For example, we may collect such information through surveys or other communication with you for research studies and improving product accessibility.
- Measurements of bodily functions, vital signs, or characteristics, including photographs, which may also be considered biometric information under the MHMDA, the NHDPA, or other applicable state consumer health privacy law.
- Precise location information that could reasonably indicate your attempt to acquire or receive health services or supplies. For example, if you use Bing maps to get directions to a health care provider, we may collect GPS, cell tower, and Wi-Fi hotspot location data that could reveal health-related information.
- Information that could identify your attempt to seek health care services or information, including services that allow you to assess, measure, improve, or learn about your or another person’s health. For example, we collect your Bing search queries, which may include queries concerning nutrition, wellness, fitness, medical conditions, or other health-related topics.
- Other information that may be used to infer or derive data related to the above or other health information.
Sources of Consumer Health Data
As described further in the Personal data we collect section of the privacy statement, we collect personal data (which may include consumer health data) directly from you, from your interactions with our products and services, from third parties, and from publicly available sources.
Why We Collect and Use Consumer Health Data
We collect and use consumer health data for the purposes described in the How we use personal data section of the privacy statement. Primarily, we collect and use consumer health data as reasonably necessary to provide you with the products you have requested or authorized. This may include delivering and operating the products and their features, personalization of certain product features, ensuring the secure and reliable operation of the products and the systems that support them, troubleshooting and improving the products, and other essential business operations that support the provision of the products (such as analyzing our performance, meeting our legal obligations, developing our workforce, and conducting research and development).
We may use consumer health data for other purposes for which we give you choices and/or obtain your consent as required by law – for example, for advertising or marketing purposes. See the How to access and control your personal data section of the privacy statement and the How to Exercise Your Rights section below for more details on the controls and choices you may have.
Our Sharing of Consumer Health Data
We may share each of the categories of consumer health data described above for the purposes described in the Reasons we share personal data section of the privacy statement. In particular, we may share personal data, including consumer health data, with your consent or as reasonably necessary to complete any transaction or provide any product you have requested or authorized, as described above.
For example, we share your content with third parties when you tell us to do so, such as when you send an email to a friend, share photos and documents on OneDrive, or link accounts with another service. If you make a purchase, we will share information about the transaction as necessary to process the payment, including protection against fraud. And we may disclose data when we believe that doing so is necessary to comply with applicable law or respond to valid legal process.
Third Parties With Which We Share Consumer Health Data
As necessary for the purposes described above, we share consumer health data with the following categories of third parties:
- Service providers. Vendors or agents (“processors”) working on our behalf may access consumer health data for the purposes described above. For example, companies we’ve hired to provide customer service support or assist in protecting and securing our systems and services may need access to data to provide those functions.
- Business partners. We may share consumer health data with other companies, for example, where you use a service that is cobranded and jointly operated with another company, or where you use our services to interact with another company.
- Financial institutions & payment processors. When you make a purchase or enter into a financial transaction, we will disclose payment and transactional data to banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, analytics, or other related financial services.
- Parties to a corporate transaction. We may disclose consumer health data as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.
- Affiliates. We enable access to data across our subsidiaries, affiliates, and related companies, for example, where we share common data systems or where access helps us to provide our services and operate our business. A full list of specific affiliates is available here.
- Government agencies. As described in our privacy statement and our Law Enforcement Requests Report, we disclose data to law enforcement or other government agencies when we believe doing so is necessary to comply with applicable law or respond to valid legal process.
- Other third parties. In certain circumstances, it may be necessary to provide data to other third parties, for example, to comply with the law or to protect our rights or those of our customers.
- Other users and individuals. If you use our services to interact with other users of the service or other recipients of communications, we will share data, including consumer health data, as directed by you and your interactions.
- The public. You may select options available through our services to publicly display and disclose certain information, such as your profile, demographic data, content and files, or geolocation data, which may include consumer health data.
How to Exercise Your Rights
If you are covered by the MHMDA, the NHDPA, or other applicable consumer health privacy law then you may have certain rights with respect to consumer health data, including rights to access, delete, or withdraw consent relating to such data, subject to certain exceptions. You can request to exercise such rights using the various tools and mechanisms described in the How to access and control your personal data section of the privacy statement. For example, depending on the product you use, you can access and make choices about your data through product controls. You can also access and clear some of your data through the Microsoft privacy dashboard. And if you want to access or control consumer health data processed by Microsoft that is not available via those tools or directly through the Microsoft products you use, you can always contact Microsoft at the contact information in the How to contact us section or by using our web form.
If your request to exercise a right is denied, you may appeal that decision by contacting our privacy support team via our web form. If your appeal is unsuccessful, you can raise a concern or lodge a complaint with the Washington State Attorney General at www.atg.wa.gov/file-complaint, the Nevada State Attorney General at https://ag.nv.gov/complaints/file_complaint/, or other regulatory authority as applicable.