Audit of privacy and mobile apps
This report outlines three agencies’ practices in handling personal information and adopting the privacy principles, when planning, developing and operating mobile apps.
Government agencies are increasingly using mobile apps to connect with the community and deliver services to Queenslanders. Australians are becoming more discerning about privacy, and want to be able to choose the personal information they provide and how it is used, including in mobile apps. This means government agencies need to design mobile apps with privacy in mind.
We selected three mobile apps for detailed review:
QParents – operated by the Department of Education and Training (DET).
MyTransLink – operated by the Department of Transport and Main Roads (TMR).
Policelink – operated by the Queensland Police Service (QPS).
The key findings are that government agencies need to:
- consider privacy upfront and adopt a privacy by design approach, to meet the requirements of the Information Privacy Act 2009 (Qld)
- reassess the privacy impacts of mobile apps regularly, for example when rolling out new features and updates, to identify vulnerabilities and manage their privacy obligations
- inform users of the collection, uses and usual disclosure of personal information and the reasons for permissions sought
- protect personal information, including testing the app for vulnerabilities before deploying it and at key stages of its life.
Government agencies that adopt these practices increase the likelihood that the community will use the app and benefit from it as the agency intends.
The report identifies examples of good practice and makes recommendations to all government agencies. We are considering performing a follow-on audit, in which we will assess how other agencies handle privacy when developing and operating mobile apps.