
ICO urges app developers to respect users' privacy

11 April 2014. Published by Mark Crichard, Partner

Introduction

The Information Commissioner's Office (ICO) has published guidance[1] aimed at helping mobile app developers comply with the Data Protection Act 1998 (DPA) and ensure that the privacy of app users is protected.

The guidance follows an ICO press release issued in December, warning consumers about the need for caution when downloading mobile apps.[2] The press release highlighted a YouGov survey, which found that 49% of app users have decided not to download an app as a result of privacy concerns. The guidance is therefore a timely reminder to developers to consider privacy implications when creating apps.

The guidance is intended to help developers understand their data protection responsibilities, including making it clear what information is collected by the app, and what it will be used for. One of the particularly useful benefits for developers is that the guidance contains examples which communicate the ICO's recommendations in a highly accessible way.

Key questions for developers to understand and address include:

  • Will the app deal with personal data?

Developers should bear in mind that 'personal data' is not limited to traditional identifiers such as names and addresses. Personal data also includes information such as an IMEI number, the MAC address of a device's wireless network interface and the mobile phone number used by a device.

  • Who will control the personal data collected?

Developers must understand how data will flow when the app is used and who will be in control of the data throughout the app's lifecycle. The guidance sets out examples to help show who would be the 'data controller' in various scenarios and thus who would be subject to the data controller obligations under the DPA.

  • What data will be collected?

Developers should only collect and process the minimum data necessary for the tasks that they want the app to perform and personal data must not be stored for longer than is necessary for the task in hand. The ICO also recommends that developers define retention periods for the personal data that they hold.

Users should be allowed to permanently delete their personal data and any account they may have set up (unless the developer is legally obliged to retain the data). Should developers wish to collect usage or bug report data, this must be done either with the informed consent of the user or by using anonymised data.

  • How will users be informed and consent gained?

Users must be properly informed about what will happen to their personal data if they install and use the app. Significantly, the ICO believes that relying on operating system (OS) permissions on their own is unlikely to be sufficient (although this may change as operating systems develop).

The ICO recommends that privacy information and notices use plain English and language appropriate for the audience, and use colours and symbols to help improve users' understanding. The ICO also supports using a 'layered' approach, where the salient points are summarised, with more detail easily available should the user wish to view it.

If apps process personal data in an unexpected way or the data is of a more sensitive nature, developers should use additional 'just-in-time' notifications where the necessary information is provided to the user just before data processing occurs. This would be particularly useful when collecting more intrusive data such as GPS location.

  • How will users be given feedback and control?

Developers should make it easy for users to review and change their decisions once the app has been installed. Users should be able to navigate to a single and obvious place to allow them to configure the various settings within the app. Put simply, users should be able to disable any privacy setting as quickly as they enabled it.

  • How will data be secured?

Developers should ensure that passwords stored on any central server are 'salted' and 'hashed' (one-way hashing with a per-user random salt; this is not encryption, since the server never needs to recover the original password), and should use encrypted connections (SSL/TLS) to protect data in transit. If an app stores data for later use, developers should consider encrypting it, with the strength of the encryption reflecting the sensitivity of the data. The ICO also recommends security testing the app and any central servers before roll-out.
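The following is an added example, not code from the ICO guidance or from this article, showing what 'salted and hashed' password storage looks like in practice on a central server. It assumes PBKDF2-HMAC-SHA256 with a 16-byte random salt (the iteration count and record format are choices made for this example) and contrasts it with the unsalted fast digest that the guidance is warning against.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not from the ICO guidance):
# PBKDF2-HMAC-SHA256, 600,000 iterations, 16-byte salt, 32-byte derived key.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt is generated for every password, so two users who
    choose the same password still get different records, and a precomputed
    table of digests is useless against the whole database.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    salt = bytes.fromhex(salt_hex)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, int(iterations), dklen=KEY_BYTES)
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(derived, bytes.fromhex(hash_hex))


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the stored record uses a weaker work factor than current policy,
    so it can be upgraded transparently at the user's next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


def unsalted_sha256(password: str) -> str:
    """The weak scheme: a fast, unsalted digest. Identical passwords give
    identical digests, and a single rainbow table cracks every account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration.
    users = {"alice": "correct horse", "bob": "correct horse"}
    records = {u: hash_password(p) for u, p in users.items()}
    print("salted records differ for the same password:",
          records["alice"] != records["bob"])
    print("unsalted digests collide:",
          unsalted_sha256(users["alice"]) == unsalted_sha256(users["bob"]))
    print("login alice/correct horse:", verify_password("correct horse", records["alice"]))
    print("login alice/wrong:", verify_password("wrong", records["alice"]))
    old = hash_password("legacy", iterations=10_000)
    print("legacy record needs rehash:", needs_rehash(old))
```

The record format stores the algorithm and iteration count alongside the salt, so the work factor can be raised later without invalidating existing accounts: `needs_rehash` flags old records and the server re-hashes the plaintext it already has in hand at the next successful login.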

  • How will the app be tested and maintained?

Key testing areas include the install process and the requesting of device permissions. Developers should test all platforms the app is being developed for and perform additional tests after any changes to the app's code during the development stage.

Once the app has been made available to users, developers should conduct regular checks to ensure security mechanisms are up to date and that data is not being held beyond the stated retention period. Users should be informed of any changes to the purpose or scope of data collection, which is likely to mean getting a user's consent to such changes.

  • Additional legal considerations

For apps designed to send emails, SMS text messages, voicemails or to make phone calls, developers should also comply with the relevant rules on consent to direct marketing (under the Privacy and Electronic Communications Regulations).

For apps intended to use a premium rate service, developers should consider the guidance provided by PhonepayPlus, the UK regulator for premium rate numbers and services.

Comment

The ICO guidance does not mark any major shift in policy but it does consolidate relevant advice on in-app communication and will act as a useful reference for app developers. Above all, the ICO champions the concept of 'privacy by design', suggesting that developers should consider data protection compliance from the outset of a project and systematically evaluate privacy issues both during the development process and after roll-out.


The ICO acknowledges that traditional privacy policies are not necessarily the best way to present information on the small screen and touch-based interface of a typical mobile device, which (coupled with users' expectations of convenience and general reluctance to review large amounts of text) makes it difficult for app developers to present privacy information in an accessible way. Developers must therefore strike a balance between providing sufficient privacy information to allow users to make an informed choice, and not overloading them with so much information that they are put off from using the app.

In this regard, the guidance does provide some useful recommendations and illustrations. The ICO's endorsement of a 'layered' approach for setting out privacy information is welcome and should allow developers to be more confident in presenting information to users in more innovative ways. The use of screenshots to show how information could be presented is particularly useful. Other examples, such as the appendix setting out good and poor practices, also help to flesh out the ICO's messages.

As the YouGov poll suggested, privacy is an important consideration for app users and building trust is essential in an increasingly competitive app market. The guidance will help developers to understand their responsibilities and build trust with app users. If the guidance is followed, both users and developers should see the benefit.


[1] The ICO guidance, published in December 2013, can be accessed here.

[2] The press release is accessible here.