Privacy and mobile apps Q&A

with Privacy Commissioner Phil Green

Why did you audit privacy and mobile apps?

Mobile apps are increasingly commonplace. Australians spend more time on portable devices than on computers. They use apps to give and obtain information and to access services, including government services.

In using apps, most Australians believe that trust is more important than convenience. Privacy is an integral part of that trust. People are becoming more discerning about privacy. They want to be able to choose the personal information they provide and how it is used, including in mobile apps.

Government agencies achieve better outcomes when they incorporate privacy in the design of mobile apps, and maintain privacy protections throughout the app’s lifecycle.

Isn’t a mobile app just another way to access a website?  Why did you look at apps separately?

Even if an app is primarily a way to access a website, agencies need to think about its privacy impact. Unlike programs for desktop computers, apps seek permission to access location, contacts and pictures, as well as a device's features such as the camera, microphone and GPS.

Mobile apps have additional security and privacy concerns. For example, data transmitted through a mobile app using Wi-Fi is susceptible to interception.

What was your audit approach?

Our focus was on the user’s perspective, from the time the user decides to download the app to when they finalise an interaction, for example, by submitting a form through the app.

We did not assess the platforms (such as Apple app store or Google Play store) that distribute the apps, their security, or their collection of personal information. Similarly, any vulnerabilities of the devices were not within scope.

We selected three apps, run by three different agencies. We wanted to assess whether the agencies effectively apply the privacy principles when developing and operating mobile apps for the community. Where we could, we assessed evidence directly, for example, the privacy statements accessible through the apps.

How did you select the mobile apps you reviewed?

We started by scanning the app store listings for iOS/Apple and Android/Google Play to find out how many Queensland government apps were available. There were 31 government apps listed at the time.

We selected three apps based on a range of criteria, including the volume of downloads, the type of information collected and the permissions requested.

What did you find?

The three agencies adopted different approaches to deal with their privacy obligations.

QParents is a good example of the benefits of the privacy by design approach. The Department of Education and Training considered the privacy aspects of the QParents app in detail at the development stage. It built appropriate security measures to protect personal information handled through the app.

The Department of Transport and Main Roads adopted another approach, minimising the personal information its MyTransLink app collects. The department also set up a regular technical testing regime. These are effective ways to manage privacy obligations and reduce risk.

The Queensland Police Service focused on getting the Policelink mobile app up and running. It did not consider the privacy aspects of the app when developing it but has since done so. The QPS addressed some of the issues we identified during the audit and committed to continuing this work.

Was there anything done particularly well that you would like other agencies to follow?

We particularly liked the way the Department of Education and Training built privacy considerations into the design and operation of QParents. It conducted a comprehensive PIA because the personal information QParents collects and uses is highly sensitive.

We also liked the Department of Transport and Main Roads’ decision to minimise the personal information collected through MyTransLink.

You mentioned a PIA or privacy impact assessment. What is it?

A PIA is a tool that agencies can use to assess the privacy impacts of a new project. Different projects will require different PIAs depending on the risk, the sensitivity and the volume of the personal information handled. The principles are scalable and applicable to any government agency. At a minimum, agencies conduct a threshold privacy assessment.

We published a guideline about PIAs. It explains what agencies should consider for each step of the PIA process.

You also mentioned privacy by design. Can you tell us more about it?

‘Privacy by design’ means building privacy into the design, operation, and management of a system or business process.

One of the originators of the term, Ann Cavoukian, has formulated seven principles supporting this approach, including:

  • anticipating and preventing privacy issues rather than reacting to them
  • ensuring data security for the lifecycle of the personal information
  • respecting user perspectives, by having strong privacy defaults, good notifications and user-friendly options.

How would a mobile app incorporate privacy by design?

Agencies start the privacy by design process by mapping the flow of personal information, and how they will collect, use, disclose, access, store and delete it. This helps to identify privacy vulnerabilities in a systematic way.

We encourage agencies to design the app so that they do not collect unnecessary personal information.

When they collect personal information, agencies should design the app to securely collect, transmit and store the personal information. This includes putting appropriate controls in place on both the mobile device and the relevant backend systems.

A cycle of regular vulnerability testing helps protect the information against unauthorised access, loss or misuse.

What advice do you have for government agencies about mobile apps?

First, consider the privacy implications of an app when you develop it and reassess the privacy impact when you release new functionalities or updates for the app.

Then, clearly explain what personal information the app collects, and how you will use the information. Describe not just the permissions that the mobile app seeks, but also the reasons for the permissions.

Cyber security is a critical risk to privacy and personal information. You should test the security of the app prior to deployment, upgrades or updates, and regularly throughout its lifecycle.

Finally, when you use contractors to develop and operate mobile apps, the contracts should bind the contractors to the privacy principles.
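Added example (editor's illustration, not part of the Commissioner's answers or of any agency's code): one way to turn the privacy by design steps above into a repeatable check. The "map the flow of personal information" step is recorded as a table keyed by the permissions the app requests; the app's Android manifest is then compared against that table, so a permission with no documented purpose (the "unnecessary personal information" the Commissioner warns against) is flagged, a flow that leaves the device without TLS is flagged, and the same table produces the "permission plus reason" wording the advice section asks agencies to publish. The manifest fragment, the package name and the flow map are constructed for the example and do not describe any real app.

```python
"""Permission-justification check for a mobile app's data-flow map.

Added example, not code from the original Q&A or from any agency. The
manifest and the flow map are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment for a hypothetical reporting app.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.gov.reportapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""

# Constructed data-flow map: for each permission the app relies on, what
# personal information is collected, why, how it leaves the device and how
# long it is kept. A requested permission with no entry here is a candidate
# for removal (data minimisation) rather than for a new justification.
FLOW_MAP = {
    "android.permission.INTERNET": {
        "purpose": "submit the report to the agency backend",
        "data": "form fields", "transport": "TLS",
        "retention": "per the agency records schedule"},
    "android.permission.CAMERA": {
        "purpose": "attach a photo of the incident",
        "data": "image with EXIF metadata stripped", "transport": "TLS",
        "retention": "with the report"},
    "android.permission.ACCESS_FINE_LOCATION": {
        "purpose": "pre-fill the incident location",
        "data": "one GPS fix taken at submit time", "transport": "TLS",
        "retention": "with the report"},
}

# Subset of permissions that touch personal information directly (Android
# grants these at runtime). Listed here only to rank findings.
SENSITIVE = {
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
}


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def review_permissions(manifest_xml, flow_map):
    """Compare requested permissions with the documented flows.

    Returns (permission, severity, message) tuples. A permission with no
    documented purpose is flagged; one whose documented transport is not TLS
    is flagged because the data would be readable on the network path.
    """
    findings = []
    for perm in requested_permissions(manifest_xml):
        entry = flow_map.get(perm)
        if entry is None:
            severity = "high" if perm in SENSITIVE else "medium"
            findings.append((perm, severity,
                             "requested but no documented purpose; remove or justify"))
        elif entry.get("transport") != "TLS":
            findings.append((perm, "high", "personal information leaves the device without TLS"))
    return findings


def stale_flows(manifest_xml, flow_map):
    """Documented flows for permissions the app no longer requests (stale PIA)."""
    requested = set(requested_permissions(manifest_xml))
    return sorted(p for p in flow_map if p not in requested)


def permission_notice(manifest_xml, flow_map):
    """Lines for the privacy statement: each permission with the reason it is sought."""
    lines = []
    for perm in requested_permissions(manifest_xml):
        short = perm.rsplit(".", 1)[-1].replace("_", " ").lower()
        entry = flow_map.get(perm)
        reason = entry["purpose"] if entry else "NO REASON DOCUMENTED"
        lines.append(f"{short}: {reason}")
    return lines


if __name__ == "__main__":
    for perm, severity, msg in review_permissions(MANIFEST, FLOW_MAP):
        print(f"[{severity}] {perm}: {msg}")
    for line in permission_notice(MANIFEST, FLOW_MAP):
        print(line)
```

Run against the constructed manifest, the check flags READ_CONTACTS and RECORD_AUDIO as requested with no documented purpose, which is the point at which an agency should either drop the permission or add the flow to its PIA before release. Re-running it on each update is a cheap way to meet the "reassess the privacy impact when you release new functionalities" advice, and the notice lines give the privacy statement the permission-and-reason pairing the Commissioner asks for.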