Media release: Audit of privacy and mobile apps

The Queensland Office of the Information Commissioner’s audit report about privacy and mobile apps was tabled in Parliament today (22 August 2017).

This report outlines three agencies’ practices in handling personal information and adopting the privacy principles, when planning, developing and operating mobile apps. It identifies areas for improvement, examples of good practice and makes recommendations to all Queensland government agencies.

Information Commissioner Rachael Rangihaeata said, “The key factors in protecting personal information are to identify privacy impacts upfront, build privacy in to the design and operation of the mobile apps, and manage cyber security risks.”

“We found examples of good practice. I have been particularly pleased to see the Department of Education and Training adopt a privacy by design approach for its QParents app.”

“I also acknowledge the Department of Transport and Main Roads’ positive approach in minimising the collection of personal information through MyTransLink.”

“The Department of Education and Training and the Department of Transport and Main Roads conduct regular data security tests to protect personal information.”

“It is encouraging that the Queensland Police Service took steps during the audit to address some issues we identified about the Policelink mobile app.”

“All agencies should consider and manage privacy impacts when designing and operating mobile apps. Government agencies that adopt these practices will increase the likelihood that the community will use the app and benefit from it as the agency intends,” Ms Rangihaeata said.

The key findings are that Queensland government agencies need to:

  • consider privacy upfront and adopt a privacy by design approach, to meet the requirements of the Information Privacy Act 2009 (Qld)
  • reassess the privacy impacts of mobile apps regularly, for example when rolling out new features and updates, to identify vulnerabilities and manage their privacy obligations
  • inform users of the collection, uses and usual disclosure of personal information and the reasons for permissions sought
  • protect personal information, including testing the app for vulnerabilities before deploying it and at key stages of its life.

Read the full report here

Media contact: Steve Haigh, Manager Training and Stakeholder Relations
Phone: 07 3405 1111