As portable computing devices become increasingly popular, mobile applications ("apps") are rapidly becoming a part of everyday life. These apps can prove incredibly useful in storing, organising and sharing information, but often they will also have particular features that allow them to access large amounts of the user's personal data, and therefore data protection and privacy are a pressing concern.
In light of this, the Information Commissioner's Office ("ICO") has published guidance (available here) designed to assist app developers to comply with their obligations under the Data Protection Act 1998 ("DPA"), and to avoid misusing personal data when designing and developing apps.
Personal Data
Under the DPA, 'personal data' is defined as data which relates to a living individual who can be identified (a) from this data, or (b) from this data and other information which is in the possession of, or is likely to come into the possession of, the data controller. Unique device identifiers such as International Mobile Equipment Identity ("IMEI") numbers are therefore caught by the definition of personal data.
Apps frequently request, access and use this personal data and, as a result, app developers may be required to comply with the provisions of the DPA where they are considered a data controller.
Who is responsible for the personal data?
The responsibility to provide adequate protection of personal data rests with the person who determines the purposes for which and the manner in which any personal data is, or is to be, processed ("Data Controller").
If an app's code runs solely on the mobile device on which it is installed and does not collect, transfer or store the user's personal data elsewhere, the user will remain in control of their personal data and it is unlikely that the app developer will be caught by the definition of Data Controller for the purposes of this personal data.
Conversely, if the app sends personal data outside of the user's mobile device for processing (for example if the app allows personal data to be uploaded to a central server under the app developer's control) or allows the user's personal data to be shared with others, the developer will be considered a Data Controller and will then be responsible for protecting all personal data uploaded, in accordance with the DPA.
The ICO guidance provides some useful examples of when an app developer may be a data controller for these purposes:
App developers should consider the following key points when developing and maintaining the app: