Who: UK Information Commissioner’s Office (ICO)
Where: UK
What: ICO Guidance for developers when creating Apps and “Top tips” for consumers when using apps
When: 19 December 2013
Law stated as at: 12 January 2014
What happened:
The UK Information Commissioner’s Office (ICO) has published guidance for app developers entitled “Privacy in mobile apps (Guidance for App Developers)” (the “Guidance”). The Guidance encourages app developers to take greater responsibility for the collection and safekeeping of personal information and was developed in consultation with industry, academics and regulators. The ICO also published top tips to help consumers stay in control of their data.
The ICO had previously engaged YouGov to carry out an online survey on privacy concerns relating to the use of mobile apps and found that, of the 59% of adults in the UK who have downloaded an app in the last year, 62% were concerned about the use of their personal data, and 49% had decided not to download an app due to privacy concerns.
Background
Mobile apps are of particular concern because the devices themselves are personal, frequently used and have direct access to many different types of data. The apps are often unclear about how they deal with personal data and have small interfaces which make it difficult to communicate with users and present them with a privacy policy. There have also been concerns about the security of the data collected via apps.
There have been a number of cases in the press reporting unexpected uses or loss of personal data used and generated by apps. Recent examples include allegations of improperly collected geo-location information on users and inadequate security. In December 2013 Snapchat suffered a data breach when hackers collected the usernames and phone numbers of 4.6 million of its users, raising concerns about the security of the app.
What does the Guidance recommend?
The ICO gives the following key recommendations to app developers:
Personal Data – personal data may include information which does not give the name of an individual but distinguishes one user from another and impacts how they are treated. A unique device identifier such as an IMEI number should be treated as personal data if it is used to treat individuals differently, even though this does not name an individual.
Control of Personal Data – App developers should assess who controls the personal data used and generated by the app throughout the lifecycle of the app. Examples are:
• if the app only runs on code contained on the mobile device and does not transmit data to another location, then the app developer is unlikely to be a data controller;
• if an app allows a user to make notes which may or may not contain personal data, the user remains the data controller;
• if the app allows the user to share information with other users through a central server under the control of the app developer, then the developer will be the data controller; and
• if the app is developed on behalf of a client then the app developer is likely to be a data processor if handling personal data for the data controller.
Privacy impact assessment (PIA) – The Guidance suggests not only that app developers should carry out a privacy impact assessment but also that they should consider publishing this in order to increase transparency. As part of the PIA, consideration should be given to data minimisation and also data retention so that the app uses the least privacy intrusive data possible.
App developers should allow users to permanently delete their personal data and accounts. If they want to collect data on usage or bug report data, this should be done either with the informed consent of the user or through the use of anonymised data. The ICO also states that any anonymisation should be completed thoroughly so that there is “negligible risk of re-identifying the user” from the data.
Notices – Notices should use appropriate, plain English and should be transparent. Privacy information should be available as soon as possible and the developer should use a “layered approach” where further information is available to the user via links. The developer should also use good graphical design and consider the entire user experience of the app, including any differences between mobile platforms. The app should highlight anything that a user would consider to be particularly onerous. Information should be provided just before any processing begins – “just-in-time notifications”.
Advertising – The developer should clearly inform users if the app is supported by advertising and the user should be given information relating to any analytics within the app. One alternative is “to offer a paid-for version of the app with advertising removed”.
Security – The Guidance also states that app developers should give consideration to security practices within the app and use encrypted connections to ensure that data remains secure in transit and storage. Attention should also be paid to vulnerabilities.
Children – The Guidance states that particular care should be taken where the app is directed towards children. This is due to the increased risk of harm caused by the inappropriate collection of data.
Tips for Consumers
Consumers are advised to download apps only from official app stores and to read privacy information before downloading. Regular clear-outs of apps should be carried out and the ICO recommends the use of mobile security software. The ICO also reminds consumers to erase any apps from the phone before donating or selling it, to avoid access to information, and to look for the “factory reset” option.
Why this matters:
The ICO’s Guidance is particularly apt given the recent spate of data breaches by and against app developers. This has led commentators to speculate that the rapid growth of apps has meant that their developers are unprepared for such large scale security breaches and often do not focus on privacy in their development work.
The reaction to these breaches also indicates that the public are unlikely to be tolerant of personal data security breaches and are critical of any perceived shortfall in the app’s data protection policies.
The Guidance also reinforces some key points: that personal identifiers are personal information where they are used to distinguish one user from another; the importance of a PIA; the potential complexity of these arrangements; and the importance of identifying responsibilities at an early stage, including whether the developer will be acting as a Controller.