Privacy and Mobile Apps

This guideline¹ provides information about the mobile application (App) environment and its potential impact on the privacy of users. It also sets out some key considerations for Queensland Government agencies which develop mobile Apps to ensure compliance with the privacy principles in the Information Privacy Act 2009 (Qld) (IP Act).

What are mobile Apps?

A mobile application or ‘App’ is a software program designed to run on a smartphone, tablet computer or other mobile device. Apps can be one of the government’s delivery of services to the community. However, Apps which fail to protect an individual's privacy may result in low user confidence and risk attracting negative publicity.

Does the IP Act apply to mobile Apps?

Any system which involves the collection, storage, use or disclosure of personal information by a Queensland government agency³ is subject to the requirements of the IP Act, including the Information Privacy Principles (IPPs) for non-health agencies and the National Privacy Principles (NPPs) for health agencies. Because Apps potentially capture information about their users the privacy principles must be taken into account in both the App’s design and the information provided to users.

Although the IP Act only applies to Queensland government agencies App developers outside of government may find this resource useful.

Privacy challenges for mobile Apps

App capabilities present unique challenges for privacy protection. Apps have the potential to collect significant amounts of personal information about users, often without them being aware of the collection. Apps may be able to access:

the user’s address book and contact lists
call logs
internet data usage
calendar data
photographs
data about the device’s location⁴
the device’s unique identifiers⁵
information about how the user uses the App.

The scope of personal information which can potentially be collected, combined with the speed at which apps are developed and distributed, could result in the personal information of hundreds of thousands of users being collected in a short space of time.

Privacy considerations when developing mobile apps

Like any other project involving personal information privacy should be included in the planning phase of an App’s development. It will also be an important consideration for the entire life cycle of the App.

Some key privacy considerations are set out in the table below.

Action	Relevant Legislation
Complete a Privacy Impact Assessment (PIA) as part of project planning. Map the flow of personal information and how it is collected, used, disclosed, accessed, stored and deleted. This will help to identify privacy vulnerabilities in a systematic way and potential ways to manage, minimise or avoid those vulnerabilities. Publishing the PIA is an effective way of building user confidence in an App by showing a commitment to privacy and demonstrating that privacy impacts have been considered and addressed. For more information refer to the OIC Guideline: Undertaking a Privacy Impact Assessment
Consider what personal information is essential for the App. Collect only as much personal information as you need. If you cannot explain how a piece of personal information is related to the functions or activities delivered through the App then it should not be collected. Do not collect personal information just because it may be useful or valuable to the agency in the future.	IPPs 1-3 NPP 1
Tell people how the App will use personal information. During the download process and upon first use, tell users what personal information the App is collecting, what it will be used for, and who it could be shared with. Consider how best to deliver the collection notice and achieve the most impact at the right time. For example, if the App takes photos or video and tags the image with location data, provide a notice to the user the first time this function is activated. Where possible, allow users to opt out of the collection of their personal information. If the personal information could be considered by an individual as highly personal or intrusive, such as a user’s location data, sound or activation of the device camera, consider having the user provide specific consent for the App’s handling of these classes of personal information. Any component of the App that utilises consent should have capacity to enable the user to withdraw their consent at a later time. It can be difficult to communicate this information effectively in the small screen environment. Consider strategies for giving an effective notice, such as using short form notices where possible, putting important information up front with links to more detailed explanations, or using graphics, colour or sound to draw attention to notices. Where possible, provide a tool that displays the user's privacy settings with easy means of changing them.	IPP 2 NPP 1
Consider how personal information will be stored and secured. The IP Act requires that personal information is protected against unauthorised access, loss or misuse. Ensure that the storage and security of any personal information collected through the App is well planned, and that appropriate controls are in place on both the mobile device and backend systems that will store personal information. Security safeguards should be appropriate to the sensitivity of the information.	IPP 4 NPP 4
Have a clear and accessible privacy policy. Ensure you have a clear and easily accessible policy which enables users to evaluate what you propose to do with their personal information. Users should be able to access this information before deciding whether to download the App. Make sure your policy lets users know * what personal information the App collects * the purposes for which the App collects personal information * how they can access or amend their personal information (see below) * how users may complain about a breach of privacy and how you will deal with a privacy complaint * how any privacy breaches will be handled and the process for notifying individuals * whether users have the ability to delete or request the deletion of all of the data that the App has collected about them * how they can delete the App or their subscription to the App, and what will happen to personal information already collected and stored; and * whether their personal information will be transferred outside Australia. When making changes to the privacy policy, inform users in advance of the changes taking effect and provide details of what has changed so that users do not have to compare old and new policies to understand what has changed.	IPP 5 NPP 5
Access and amendment The user information that is collected by the agency responsible for the App becomes part of the agency’s general personal information holdings. As such, the information is subject to access and amendment rights - not only the administrative access provisions set out in the relevant IPPs and NPPs but also under the formal access application provisions of the RTI and IP Acts. Some types of information that can potentially be captured by Apps such as geo-location, the user’s usage patterns or the address book on their device will not only be unique to the mobile device environment but also could potentially be of interest to both the user and third parties. Agencies with Apps should incorporate the new classes of personal information into its record management systems and processes. For example, this could include an agency updating: * activity/transaction level terms used in the agency’s business classification scheme * class descriptions used in the agency’s functional retention and disposal schedule * its list of personal information holdings; and * its information asset register. Agencies should provide the user with information about access and amendment rights, for example, notices or tools provided with the App could include a link to where this information is located on the agency’s website.	IPP 6-7 NPP 6-7
Only use personal information for the purpose it was collected; only disclose personal information in permitted circumstances. Agencies may need to use and disclose personal information for an App to function. For example, geo-location data may be required to deliver certain functions in a navigation or public transport App. Agencies may need to share personal information with another entity to provide the services offered by the App. Apps should generally only use personal information for the purpose it was collected, and only disclose to the individual it is about, except in limited circumstances. Do not collect personal information about third parties from a user's device, such as a user's address book or contact list, unless you can obtain the consent of those parties. Avoid associating personal information between the App and a user's social media account unless it is obvious to the user and necessary to do so. Agencies should monitor Apps to ensure personal information is only used and disclosed in ways that are permitted by the IP Act and in accordance with their privacy policy.	IPPs 10-11 NPP 2
Will personal information be transferred out of Australia? The IP Act sets out additional requirements when personal information is transferred outside of Australia. If the development or delivery of the App will involve the transfer of personal information outside of Australia you will need to consider the obligations in section 33 of the IP Act. For more information refer to the OIC Guideline: Sending personal information out of Australia.	Section 33 IP Act
Consider whether contractors will be engaged to perform any services which involve the transfer of personal information. If an agency plans to engage a contracted service provider to perform services connected with the development or delivery of an App, compliance with the rules about contracted service providers in the IP Act may be required. For more information refer to the OIC Guideline: Agency obligations when entering into contracts and other arrangements.	Chapter 2, Part 4 IP Act
Consider the end of life of personal information. Ensure that a plan exists for when the App is deleted, or subscription ends, taking into account public records and other legal obligations.	Public Records Act 2002 (Qld) NPP 4(2)
Plan for breaches and complaints. Agencies should develop specific procedures for dealing with privacy breaches and complaints associated Apps.	Chapter 5 IP Act

Action

Relevant
Legislation

Complete a Privacy Impact Assessment (PIA) as part of project planning.

Map the flow of personal information and how it is collected, used, disclosed, accessed, stored and deleted. This will help to identify privacy vulnerabilities in a systematic way and potential ways to manage, minimise or avoid those vulnerabilities.

Publishing the PIA is an effective way of building user confidence in an App by showing a commitment to privacy and demonstrating that privacy impacts have been considered and addressed.
For more information refer to the OIC Guideline: Undertaking a Privacy Impact Assessment

Consider what personal information is essential for the App.

Collect only as much personal information as you need. If you cannot explain how a piece of personal information is related to the functions or activities delivered through the App then it should not be collected. Do not collect personal information just because it may be useful or valuable to the agency in the future.

IPPs 1-3

NPP 1

Tell people how the App will use personal information.

During the download process and upon first use, tell users what personal information the App is collecting, what it will be used for, and who it could be shared with.

Consider how best to deliver the collection notice and achieve the most impact at the right time. For example, if the App takes photos or video and tags the image with location data, provide a notice to the user the first time this function is activated. Where possible, allow users to opt out of the collection of their personal information.

If the personal information could be considered by an individual as highly personal or intrusive, such as a user’s location data, sound or activation of the device camera, consider having the user provide specific consent for the App’s handling of these classes of personal information. Any component of the App that utilises consent should have capacity to enable the user to withdraw their consent at a later time.

It can be difficult to communicate this information effectively in the small screen environment. Consider strategies for giving an effective notice, such as using short form notices where possible, putting important information up front with links to more detailed explanations, or using graphics, colour or sound to draw attention to notices.

Where possible, provide a tool that displays the user's privacy settings with easy means of changing them.

IPP 2

NPP 1

Consider how personal information will be stored and secured.

The IP Act requires that personal information is protected against unauthorised access, loss or misuse. Ensure that the storage and security of any personal information collected through the App is well planned, and that appropriate controls are in place on both the mobile device and backend systems that will store personal information. Security safeguards should be appropriate to the sensitivity of the information.

IPP 4

NPP 4

Have a clear and accessible privacy policy.

Ensure you have a clear and easily accessible policy which enables users to evaluate what you propose to do with their personal information. Users should be able to access this information before deciding whether to download the App.

Make sure your policy lets users know

* what personal information the App collects
* the purposes for which the App collects personal information
* how they can access or amend their personal information (see below)
* how users may complain about a breach of privacy and how you will deal with a privacy complaint
* how any privacy breaches will be handled and the process for notifying individuals
* whether users have the ability to delete or request the deletion of all of the data that the App has collected about them
* how they can delete the App or their subscription to the App, and what will happen to personal information already collected and stored; and
* whether their personal information will be transferred outside Australia.

When making changes to the privacy policy, inform users in advance of the changes taking effect and provide details of what has changed so that users do not have to compare old and new policies to understand what has changed.

IPP 5

NPP 5

Access and amendment

The user information that is collected by the agency responsible for the App becomes part of the agency’s general personal information holdings. As such, the information is subject to access and amendment rights - not only the administrative access provisions set out in the relevant IPPs and NPPs but also under the formal access application provisions of the RTI and IP Acts.

Some types of information that can potentially be captured by Apps such as geo-location, the user’s usage patterns or the address book on their device will not only be unique to the mobile device environment but also could potentially be of interest to both the user and third parties.

Agencies with Apps should incorporate the new classes of personal information into its record management systems and processes. For example, this could include an agency updating:

* activity/transaction level terms used in the agency’s business classification scheme
* class descriptions used in the agency’s functional retention and disposal schedule
* its list of personal information holdings; and
* its information asset register.

Agencies should provide the user with information about access and amendment rights, for example, notices or tools provided with the App could include a link to where this information is located on the agency’s website.

IPP 6-7

NPP 6-7

Only use personal information for the purpose it was collected; only disclose personal information in permitted circumstances.

Agencies may need to use and disclose personal information for an App to function. For example, geo-location data may be required to deliver certain functions in a navigation or public transport App. Agencies may need to share personal information with another entity to provide the services offered by the App. Apps should generally only use personal information for the purpose it was collected, and only disclose to the individual it is about, except in limited circumstances.

Do not collect personal information about third parties from a user's device, such as a user's address book or contact list, unless you can obtain the consent of those parties.

Avoid associating personal information between the App and a user's social media account unless it is obvious to the user and necessary to do so.

Agencies should monitor Apps to ensure personal information is only used and disclosed in ways that are permitted by the IP Act and in accordance with their privacy policy.

IPPs 10-11

NPP 2

Will personal information be transferred out of Australia?

The IP Act sets out additional requirements when personal information is transferred outside of Australia. If the development or delivery of the App will involve the transfer of personal information outside of Australia you will need to consider the obligations in section 33 of the IP Act.

For more information refer to the OIC Guideline: Sending personal information out of Australia.

Section 33 IP Act

Consider whether contractors will be engaged to perform any services which involve the transfer of personal information.

If an agency plans to engage a contracted service provider to perform services connected with the development or delivery of an App, compliance with the rules about contracted service providers in the IP Act may be required.

For more information refer to the OIC Guideline: Agency obligations when entering into contracts and other arrangements.

Chapter 2, Part 4 IP Act

Consider the end of life of personal information.

Ensure that a plan exists for when the App is deleted, or subscription ends, taking into account public records and other legal obligations.

Public Records Act 2002 (Qld)

NPP 4(2)

Plan for breaches and complaints.

Agencies should develop specific procedures for dealing with privacy breaches and complaints associated Apps.

Chapter 5

IP Act

1 In developing this information sheet OIC acknowledges the Canadian resource - ‘Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps’ developed jointly by the Office of the Privacy Commissioner Canada, the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner for British Columbia.
2 A 2012 Australian study found that 69 per cent of respondents reported that they had refused to use an application or website because it collected too much personal information. Full survey results are available from http://cccs.uq.edu.au/personal-information-project. The 2013 results of the Office of the Australian Information Commissioner’s (OAIC) Community Attitudes to Privacy survey reported that six in ten people opt not to use smartphone Apps because of concerns about the way personal information would be used. See http://www.oaic.gov.au/privacy/privacy-resources/privacy-reports/oaic-community-attitudes-to-privacy-survey-research-report-2013 for further information.
3 In this Guideline references to a ‘government agency’ include Ministers and bound contracted service providers, unless otherwise specified.
4 Which will generally be the location of the device’s user.
5 Each mobile device can have a number of unique identifiers, including the International Mobile Station Equipment Identity number (IMEI), Wi-fi Media Access Control (MAC) address, Internet Protocol (IP) address and Bluetooth address.

Current as at: February 13, 2014