‘Privacy by Design’ – Developing a Mobile App:

October 10, 2014
teddingtonlegal

Businesses are increasingly using mobile applications (apps) to market and deliver their products and services to users, but do users really know how their personal information is being handled once they install an app? Businesses considering launching or updating a mobile app can take a number of steps to incorporate better privacy practices in their apps.

Mobile apps and privacy reforms:

The use of smartphones and mobile apps in Australia is on the rise. The Office of the Australian Information Commissioner (OAIC) has published figures from a 2012 Australian study in which 76 per cent of respondents said they owned a smartphone, compared with 67 per cent in 2011, and 87 per cent of the smartphone users surveyed had installed an app on their phone.

Privacy enforcement authorities have identified mobile apps as a key area of focus due to the privacy implications for consumers. In fact, the OAIC and 27 other privacy authorities from around the world conducted a ‘global privacy sweep’ earlier this year, which involved examining 50 of Australia’s most popular apps for privacy issues.

Ensuring your mobile app complies with Australia’s privacy laws is now more important than ever. Not only are users more concerned about their privacy, but reforms to the Privacy Act 1988 (the Act) in March this year imposed a number of additional obligations on many businesses and hefty penalties for non-compliance. The OAIC can now seek civil penalties of up to $1.7 million for corporations and $340,000 for individuals for breaches of the Act, including the Australian Privacy Principles (APPs).

Collecting personal information via a mobile app:

The OAIC expects mobile app developers to consider which personal information is essential for the operation of the app. Under APP 3, entities must not collect personal information unless the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities. If you cannot explain why you need the information or how it relates to your business functions or activities, the information generally should not be collected.

You should also consider the nature of the personal information being collected, and how it will be collected. In particular, determine whether the personal information is ‘sensitive information’. Sensitive information includes information about an individual’s racial or ethnic origin, political opinions, memberships of professional associations, religious beliefs, sexual orientation and health.

Common types of information that apps access include:

  • the user’s name and contact details
  • the user’s date of birth
  • credit card details
  • address books and contact lists
  • photographs
  • device location information
  • call and SMS logs
  • audio recordings
  • calendar entries

The nature of the personal information collected will affect an entity’s privacy policies and procedures. If sensitive information is collected, the user’s consent to the collection is generally required (unless an exception applies).

Notifying users of privacy matters:

Before or at the time personal information is collected from users, entities must notify users of the matters set out in APP 5. These matters include the types of information that will be collected, how information will be collected, who information will be disclosed to, and whether information will be sent overseas.

Consider how you will present this information to users on a small screen, and draw their attention to the most important sections. In the OAIC’s publication ‘Mobile privacy: a better practice guide for mobile app developers’, the OAIC’s suggestions include:

  • use short form notices – these are notices that are no longer than a single screen and explain what data will be collected from users, and whether information will be shared with other parties. They should also link to the entity’s full privacy policy (discussed further below);
  • provide consent notices – if consent is required for a specific collection or disclosure of personal information, a targeted notice should be provided to users which allows them to consent to the collection or disclosure;
  • provide a ‘privacy dashboard’ – this allows users to adjust their privacy settings in one place; the dashboard should be easy and straightforward to use;
  • get creative – try to avoid large slabs of text by using other techniques such as graphics, colour and sound to draw users’ attention to important privacy matters.

Recording acknowledgement and consent:

Consider how you will maintain appropriate evidence that notice of the APP 5 matters was given to users at the appropriate time and that users consented (where necessary) to specific collections and disclosures. Tick-boxes built into the app can record the user’s acknowledgement that they have read the privacy notifications outlined above, and/or consent to certain collections and disclosures.

The OAIC expects you to generally highlight privacy practices and obtain acknowledgement and consent during the download or purchase process and also upon first use. You can also use tick-boxes to provide users with the opportunity to ‘opt out’ of receiving direct marketing material, as required by APP 7.

You may need to make additional privacy disclosures and obtain additional consents after the app is downloaded, depending on the app’s functions. For example, if the app accesses a user’s calendar information, the first time that this function is activated the user should be notified that their calendar data is going to be collected and be able to opt out of this feature.


Privacy Policy:

Under APP 1, entities must also have a clearly expressed and up-to-date Privacy Policy that sets out how they handle personal information. The Privacy Policy should be easily located through the app.

At a minimum, a Privacy Policy must contain the following information:

  • the kind of personal information that the entity collects and holds;
  • how the entity collects and holds personal information;
  • the purposes for which the entity collects, holds, uses and discloses personal information;
  • how an individual may access their personal information and seek the correction of such information;
  • how an individual may complain about a breach of the APPs, or a registered APP code (such as the Credit Reporting Code), and how the entity will deal with such a complaint;
  • whether the entity is likely to disclose personal information to overseas recipients, and if so, the countries in which such recipients are likely to be located (if practicable).

If you have a single Privacy Policy for the entire business, ensure that it includes the handling of personal information that is collected via the mobile app.

If changes are made to a Privacy Policy, users should be informed of the changes in advance and told exactly what aspects of the Privacy Policy are changing. Depending on the nature of the changes, you may need to obtain the user’s consent (for example, via a tick-box).
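The consent records described under ‘Recording acknowledgement and consent’ and the re-consent needed when a Privacy Policy changes, as an added illustration that is not part of the original article: a minimal consent ledger that stores each tick-box decision with the policy version the user actually saw, gates the just-in-time calendar collection on that record, and treats earlier consents as no longer valid once the policy version changes. The class and function names, the feature labels and the version strings are assumptions chosen for illustration.

```python
# Added example, not from the original article: a consent ledger for an app
# that must evidence APP 5 notice and APP 7 opt-outs and re-seek consent
# when the Privacy Policy changes. Names and version strings are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentRecord:
    feature: str          # e.g. "calendar", "direct_marketing"
    policy_version: str   # version of the notice/policy the user actually saw
    granted: bool         # True = consented, False = declined / opted out
    shown_at: str         # ISO 8601 UTC time the notice was presented


@dataclass
class ConsentLedger:
    policy_version: str                            # version currently in force
    records: List[ConsentRecord] = field(default_factory=list)  # append-only trail

    def record(self, feature: str, granted: bool,
               shown_at: Optional[str] = None) -> ConsentRecord:
        """Store the user's tick-box decision with the policy version shown."""
        ts = shown_at or datetime.now(timezone.utc).isoformat()
        rec = ConsentRecord(feature, self.policy_version, granted, ts)
        self.records.append(rec)
        return rec

    def has_consent(self, feature: str) -> bool:
        """Latest decision wins, but only if given under the current policy."""
        for rec in reversed(self.records):
            if rec.feature == feature:
                return rec.granted and rec.policy_version == self.policy_version
        return False  # never asked: no consent, never implied consent

    def update_policy(self, new_version: str) -> None:
        """A changed policy means earlier consents no longer cover the new terms."""
        self.policy_version = new_version


def collect_calendar(ledger: ConsentLedger, entries: List[str]) -> Optional[List[str]]:
    """Just-in-time gate: return calendar data only when valid consent is on record.
    None tells the caller to show the calendar notice and consent prompt first."""
    if not ledger.has_consent("calendar"):
        return None
    return list(entries)
```

Because the ledger keeps every decision rather than overwriting a flag, it doubles as the evidence that notice was given and when, which is what the OAIC expects you to be able to produce.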

Securing personal information:

APP 11 requires mobile app developers to take reasonable steps to protect personal information collected by mobile apps from misuse, interference and loss, and unauthorised access, modification or disclosure.

What is considered ‘reasonable steps’ depends on the circumstances, including the nature of the information collected, the consequences for an individual if a data breach occurs, and practicability. Reasonable steps generally include implementing policies and procedures that relate to the following:

  • governance
  • ICT security
  • data breaches
  • physical security
  • staff training
  • workplace policies
  • de-identifying and destroying personal information
  • monitoring and review

ICT security and data breaches are particularly relevant to mobile apps. The OAIC expects you to consider privacy and security measures when purchasing or upgrading ICT systems and when developing the mobile app. Security should not be an afterthought, or addressed only once a data breach occurs. The OAIC expects mobile app developers to adopt a ‘privacy by design’ approach, which builds privacy and data protection into the app from the outset. Depending on the particular features of the app, you may wish to consider the following security measures:

  • multi-factor authentication
  • minimum password strength
  • lock outs after a certain number of login attempts
  • encryption
  • secure password storage
  • testing of security systems
  • back-up facilities
  • anti-virus and hacking protection software

For further information about information security, see the OAIC’s Guide to Information Security.

Other obligations:

There are a number of additional obligations set out in the APPs that mobile app developers should be aware of, including obligations relating to:

  • the collection of personal information
  • dealing with unsolicited personal information
  • use or disclosure of personal information
  • direct marketing
  • cross-border disclosure of personal information (including use of cloud-based data storage with overseas servers)
  • adoption, use or disclosure of government related identifiers
  • quality and security of personal information
  • access to personal information
  • correction of personal information

There is an overarching obligation in APP 1 for entities to take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs.

While there are significant penalties for breaching the APPs, perhaps the most persuasive incentive to adopt a ‘privacy by design’ approach is the competitive edge this may give a mobile app. Users are concerned about their privacy and may avoid your app if you aren’t.

Article written by Katherine Temple and originally published on hnlaw.com.au

Teddington Legal Gold Coast specialises in business law and can assist your business to meet its legal obligations when developing an app. Contact us on 0439 294 745, or email [email protected]