The United Nations Special Rapporteur on the Right to Privacy has released a draft recommendation on the protection and use of health-related data, as part of an international consultation. But as the Grattan Institute’s Health Program Director, Stephen Duckett, shows in this submission, the document needs to be revised because it reflects a very old and static understanding of ‘health data’. At a minimum, the document should distinguish between state uses of health data for the common good (epidemiological research, health services management and evaluation), and health data surreptitiously gleaned for marketing purposes from devices covered by unread commercial ‘terms and conditions’.