Developing privacy into mobile applications

On 19 December 2013, the Information Commissioner’s Office published guidance on privacy issues for mobile applications (the “ICO Guidance”). It is stated as being aimed at app developers, but is useful reading for anyone involved in designing, creating or providing apps, or using the associated data.

Privacy considerations include legal and regulatory requirements, such as those governing the use of personal data, the sending of marketing communications and the use of premium rate services, and other consumer protection legislation. However, privacy also goes beyond compliance to take account of consumer expectations and good practice.

This article discusses some key privacy and data protection considerations for mobile applications, including recommendations within the ICO Guidance. The ICO Guidance can be found on the ICO website at: www.ico.org.uk.

Privacy by design

The concept of ‘privacy by design’ seeks to ensure that privacy issues are considered at the outset of a project, rather than at or after implementation, when it may be difficult (or costly) to address the concerns. With this in mind, the ICO Guidance recommends that privacy and data protection issues be considered at the time the app is being developed, rather than as an afterthought. A privacy impact assessment may be useful to assess the proposed use of data and potential impact on individuals.

This early consideration of privacy will enable the app to be designed and developed with the matters discussed below already in mind. Frequently, privacy is only considered post-development, when it is more likely that privacy compromises will be made to avoid delays and costs involved in bringing the app in line with law and good practice.

Data lifecycle

It is important for parties in control of an application and the associated data to understand how the app collects and uses data, and what specific data is being collected and used. It may be useful to map out the lifecycle of the data (including collection, storage, use, sharing and deletion), and who accesses or controls the data at each stage. This will enable the privacy issues and responsibilities to be assessed more clearly.

The app provider should keep the use of data under review as the app or data use is further developed, particularly with new or changed features. Consent of the user may be needed to use data in a different way to that intended when it was originally collected.

Extent of data used by the application

The ICO Guidance emphasises that the minimum data necessary for tasks performed by the app should be collected. Collecting data just in case it is needed in future is bad practice, even where the user has consented. The importance of each data type to the aims of the app should be balanced against the potential impact on the user if such data were to be misused. Considerations and conclusions should be documented, including purposes and justifications for collection of each data type and where the data may be transmitted.

As an example, the ICO Guidance suggests that if GPS data is used to find activities near the user, it may be sufficient for the app to use the location of the nearest town, rather than collecting or storing the precise GPS co-ordinates of an individual.
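The following is an added illustration of that data-minimisation step, not code from the ICO Guidance or from any particular app: a precise GPS fix is reduced to the nearest town on the device before anything is stored or transmitted. The town list, the event fields and the 50 km cut-off are assumptions constructed for the example.

```python
"""Reduce a precise GPS fix to the nearest town before the event leaves the
device, so that precise co-ordinates are never collected or stored."""
from math import asin, cos, radians, sin, sqrt

# Constructed sample gazetteer (assumption: a real app would ship or fetch a
# proper reference list of towns).
TOWNS = {
    "Reading": (51.4543, -0.9781),
    "Oxford": (51.7520, -1.2577),
    "Basingstoke": (51.2665, -1.0876),
}

# If no listed town is within this distance, report no location at all rather
# than a misleading one (assumed threshold).
MAX_TOWN_DISTANCE_KM = 50.0

# Fields that carry the precise fix and must not survive minimisation.
PRECISE_FIELDS = ("lat", "lon", "accuracy_m")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def nearest_town(lat, lon):
    """Return the closest town name, or None if every town is too far away."""
    town = min(TOWNS, key=lambda name: haversine_km(lat, lon, *TOWNS[name]))
    if haversine_km(lat, lon, *TOWNS[town]) > MAX_TOWN_DISTANCE_KM:
        return None
    return town


def minimise_location_event(event):
    """Copy the event with the precise fix removed and only the town kept."""
    minimised = {k: v for k, v in event.items() if k not in PRECISE_FIELDS}
    minimised["town"] = nearest_town(event["lat"], event["lon"])
    return minimised


if __name__ == "__main__":
    # Constructed sample event as the device might produce it.
    raw = {"user": "u123", "lat": 51.4500, "lon": -0.9700, "accuracy_m": 8}
    print(minimise_location_event(raw))
```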

Anonymisation can be considered where possible, for example if the app collects usage or bug report data for analysis.

Notifications to the user

Data protection law requires that users are properly informed about what will happen to their personal data if they install and use the app, and this information must be provided before the relevant data is processed (for example when the app is downloaded). Seeking consent or providing an option to refuse may be required for uses of data which do not directly relate to the key functions of the application (including data analysis or marketing communications).

These requirements can be difficult to achieve. Users expect instant access to multiple apps with complex features (and therefore complex data use) on many different types of device. This makes it challenging to describe and present the different uses of data in such a way that users will actually read and understand.

The ICO Guidance suggests a layered approach may assist with clarity – the most important points are summarised, with more detail available if the user wants to see it. Summarised notifications can be easily misunderstood, and care should be taken that concise wording does not convey a misleading impression. Good graphical design, including colours and symbols, can assist with understanding.

‘Just-in-time’ notifications should be considered, where information is provided just before the relevant data is used. This may be particularly useful for new features, or more intrusive data such as GPS location.

The ICO Guidance provides practical examples of good and bad practice, including when users may need to be given clear options as to how their data is used.

User access to data and feedback

Users have a right to be provided with a copy of any data about them which is being processed in relation to the application. The app provider (or other person controlling the data) should therefore provide a clear and easy way for users to make such a request.

Further, the ICO Guidance recommends that users should be able to easily review and change their decisions once the app is installed and in use. There should be an obvious place to go to enable or disable privacy settings.

If clear contact details and mechanisms are not provided, the app provider may find it has to deal with requests for data and other feedback over less convenient forums chosen by the user, such as Twitter, Facebook or other social media.

Security and retention

Ensuring security of data is essential, including within the design of the app itself, on central servers which store data, and when data is in transit between locations. The ICO Guidance provides suggestions in relation to passwords and encryption.

If third parties are used to host the application or store data, checks should be undertaken on the security guarantees which they offer, and a written contract imposing security obligations is required.

The ICO Guidance recommends that app developers should avoid writing their own code to perform functions which have well-established implementations that can be re-used, for example in-app billing or app updates.

Data about users should not be retained for longer than is needed for the legitimate purposes of the app. Clear retention periods should therefore be defined, and adhered to by securely deleting user data when appropriate (for example when an individual no longer uses the app).

Olivia Whitcroft, principal of OBEP, 8 January 2014

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details