The ICO has recently published guidance for app developers setting out questions that they should be considering during the development cycle and the relevant requirements under the Data Protection Act (DPA). Whilst the guidance is aimed at developers, clearly any organisation that offers consumers apps should take note.
The guidance has been prompted by the ever-increasing use of smart mobile devices and apps. It aims to increase developers' knowledge of data protection issues and compliance with the DPA to ensure users' privacy. Although the primary focus of the guidance is mobile apps, it is equally applicable to any app on any device (including smart TVs and games consoles).
In summary, the guidance:
- explains which types of data that might be collected by apps will be personal data (eg details about devices such as IMEI number, MAC address and phone number)
- highlights, for different types of app, who will have ultimate responsibility for providing adequate protection for personal data (ie who will be data controller)
- recommends collecting and processing only the minimum data necessary, even if data is thoroughly anonymised or user consent is obtained
- states that users should be able to permanently delete their accounts (unless legally required otherwise)
- encourages carrying out a privacy impact assessment when planning an app
- offers some practical suggestions for giving users access to a privacy policy for the app (eg breaking down into sub-sections)
- sets out details of what makes a good privacy policy, eg using language appropriate to the audience (especially with educational and children's apps) to explain why information is being processed
- states that privacy information should be available as soon as practicable (ideally before the user downloads the app) via an app store or a link to a privacy policy. Where privacy information is provided after an app is downloaded and installed, this must be done before the app processes the relevant personal data
- recommends ‘just-in-time’ notifications for collection of more intrusive data (eg location data)
- reminds developers to consider whether the app will pass data on to advertising networks or other organisations, and whether they have informed users of this sharing (there may be contractual obligations to do so)
- reminds data controllers of the need to identify themselves and provide contact details (most app stores have space for this in their app catalogue)
- suggests that users are given granular choices for privacy settings and are able to easily alter their preferences in the app
- reminds developers that security of data is crucial. Encrypted connections should always be used for transmitting user login details and other sensitive information
- states that developers should ensure they deliver on any promises made to users such as security of data and retention periods.
The ICO's guidance, Privacy in mobile apps, is available from their website.
Any organisation that offers consumers an app and uses it to collect data about users should consider the guidance and discuss it with either their in-house development team or any third-party developer used.
For more information, please contact a member of our Data Protection team.