Information Commissioner's Office highlights the importance of privacy in the design and development of mobile applications
Tuesday, 15th April 2014
As portable computing devices become increasingly popular, mobile applications ("apps") are rapidly becoming a part of everyday life. These apps can prove incredibly useful in storing, organising and sharing information, but often they will also have particular features that allow them to access large amounts of the user's personal data, and therefore data protection and privacy are a pressing concern.
In light of this, the Information Commissioner's Office ("ICO") has published guidance (available here) designed to assist app developers to comply with their obligations under the Data Protection Act 1998 ("DPA"), and to avoid misusing personal data when designing and developing apps.
Under the DPA, 'personal data' is defined as data which relates to a living individual who can be identified (a) from this data, or (b) from this data and other information which is in the possession of, or is likely to come into the possession of, the data controller. Unique device identifiers such as International Mobile Equipment Identity ("IMEI") numbers are therefore caught by the definition of personal data.
Apps frequently request, access and use this personal data and, as a result, app developers may be required to comply with the provisions of the DPA where they are considered a data controller.
Who is responsible for the personal data?
The responsibility to provide adequate protection of personal data rests with the person who determines the purposes for which and the manner in which any personal data is, or is to be, processed ("Data Controller").
If an app's code runs solely on the mobile device on which it is installed and does not collect, transfer or store the user's personal data elsewhere, the user will remain in control of their personal data and it is unlikely that the app developer will be caught by the definition of Data Controller for the purposes of this personal data.
Conversely, if the app sends personal data outside the user's mobile device for processing (for example, if the app allows personal data to be uploaded to a central server under the app developer's control) or allows the user's personal data to be shared with others, the developer will be considered a Data Controller and will then be responsible for protecting all personal data uploaded, in accordance with the DPA.
The ICO guidance provides some useful examples of when an app developer may be a data controller for these purposes:
- The app allows users to share information with each other, including suggesting friends based on contacts stored on users' devices. This is achieved by designing the app to communicate with a central server which is under the developer's control. The developer does not use third-party advertising, but instead provides the advertising himself. In this instance, the developer will be the data controller for any personal data received by the central server.
- Similarly, if the central server is hosted on infrastructure belonging to a cloud provider, the developer will be the data controller for any personal data received by the central server.
App developers should consider the following key points when developing and maintaining the app:
- Only collect and process the minimum data required for the tasks that the app is to perform, and do not store it for longer than is necessary.
- Allow users to permanently delete their personal data and any account that they may have set up.
- Keep users of the app suitably informed about how their personal data will be used if they install and use the app, and be sure to explain why the data is required rather than simply stating which data will be processed.
- It is vital that the data controller identifies themselves to users and provides a simple means of contact whilst ensuring that any queries or requests receive an effective response. A data controller will also need to be aware that they have a legal responsibility to reply to a user's written request for copies of any personal data that they hold.
- Provide users with a simple and obvious means of reviewing and changing their privacy settings once the app is installed and in use, and use privacy-friendly default settings.
- Consider pop-up alert notifications if particularly sensitive data is being processed, or if data is to be processed in an unusual way.
- Take appropriate measures to protect users' personal data. Make sure that any passwords are appropriately salted and hashed on central servers and use reputable, tested encryption methods to securely store and transfer data.
- Always test the app after any changes or updates to ensure that it is working as expected - this will help avoid data protection breaches resulting from unanticipated behaviour.
- If the purpose or scope of the app's data collection changes, inform users of the change and allow them to choose whether or not to continue using the app. Be aware that user consent is required for any new data processing to be implemented, unless there is a clear legal basis for the changes.
- Be aware that British users will expect apps to process their personal data in accordance with the DPA even if the app was developed overseas.