As the number of companies developing mobile apps skyrockets, so too does their risk of breaching the new privacy rules and potentially attracting fines of up to $1.7 million.
The Office of the Australian Information Commissioner (OAIC) has recently released an updated guide to help app developers embed better privacy practices in their products and services, and also ensure those operating in the Australian market are compliant with Australian privacy law and best practice.
The guide sets out a number of “app privacy essentials” that developers should consider when designing their app, in light of the Australian Privacy Principles (APP) that commenced earlier this year.
Here’s what your business needs to know:
1. Privacy responsibilities – management and assessment programs
The guide now specifically refers to Australian Privacy Principle 1, which requires businesses to take reasonable steps to implement practices, procedures and systems that enable compliance with the APPs and will enable them to deal with privacy enquiries or complaints.
Putting in place a privacy management program for a business will help the business manage risks up front. Given the potentially high number of users of an app, it can also help the business to respond to requests for users’ access to their personal information and complaints in an organised manner.
- who the business is and how to contact the business;
- what kinds of personal information an app collects and stores;
- how an app collects personal information, and where it will be stored (on the device or elsewhere);
- the purposes for which an app collects the personal information;
- how personal information will be used and disclosed;
- how users may access their personal information, and correct it or seek to have it corrected;
- how users may complain about a breach of the APPs, and how a business will deal with such a complaint; and
- whether a business is likely to disclose the information outside Australia and, if it is practicable, in which countries the business is likely to disclose that information.
The guide now also deals with the obligations contained in the APPs for sending personal information overseas. APP 8 imposes specific obligations about sending personal information outside of Australia and a business may remain accountable for what happens to that information overseas. If an app collects sensitive information (which includes a user’s health information, their membership of a trade union or political association, and their sexual orientation or practices), the business is likely to have additional privacy obligations under the APPs.
3. Obtaining consent
In addition to the OAIC’s previous recommendations in relation to avoiding “notice fatigue” (including providing an easy to use privacy dashboard; using short form notices; giving a way for users to modify their information, opt out of tracking and delete their profile; and using graphics, colour and sound), the September 2014 update of the guide specifically addresses the privacy requirements for users with a disability.
Privacy policies and notices need to be accessible to users with a disability, such as people who are blind and use screen readers, people who are colour blind, and people who are deaf or hard of hearing. If an app uses tools that are not accessible to users with a disability, an alternative way for those users to get the information should be offered.
4. Timing of user notice and consent
The OAIC maintains its suggestions regarding the timing of obtaining privacy consents for an app. To make the most impact, the OAIC suggests:
- highlighting privacy practices at the point of download, and also upon first use;
- obtaining consent at the point of download; and
- providing real time or “in-context” notices (for example, upon first use of a particular feature of the app).
5. Only collect personal information that the app needs to function
APP 3 now requires that businesses only collect the personal information that is necessary. An app developer should therefore consider whether the business needs to collect personal information at all.
The OAIC suggests the following rule of thumb:
“If you cannot explain how a piece of personal information is related to the functions or activities of your app, then you probably should not be collecting it. Don’t collect personal information just because you believe it may be useful in the future.”
Subject to specific exceptions contained in the APPs, the APPs also require businesses to delete or de-identify personal information that is no longer needed for a lawful purpose, and prohibit the collection of sensitive information, unless the user has expressly consented. Therefore, app developers must ensure the apps they develop contain mechanisms for personal information that is collected from users to be properly de-identified, or otherwise contain mechanisms to obtain the required express consent from users.
6. Security measures
APP 11 requires a business to take reasonable steps to protect any personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
The OAIC continues to encourage proper security measures and protections (such as data encryption) being implemented, to ensure that users’ personal information is properly handled. Following the implementation of the APPs, the guide now includes additional recommended security measures including:
- deleting or de-identifying personal information that is no longer needed; and
- preparing, implementing and regularly updating a data breach policy and response plan.
The guide remains a better practice guide. It is designed to provide suggestions for both privacy compliance and better practice. Whether or not a business is subject to the Privacy Act, privacy remains a key concern for many consumers.
The guide, although not an enforceable legal document, is intended to help make apps more privacy-friendly for end-users/consumers, and to assist app developers in making user privacy one of the competitive advantages of their apps.
Benjamin Hunt is a lawyer at Holding Redlich.