Privacy Advisor

UK—ICO Releases App Guidance

January 28, 2014

By Brian Davidson, CIPP/E

The Information Commissioner’s Office (ICO) has released guidance to help app developers comply with their obligations under the UK Data Protection Act (DPA).

“Privacy in mobile apps: Guidance for app developers” was published on 19 December, setting out the key requirements that developers must meet when processing personal data through an app, covering issues such as user consent and controls, data retention and security.

The guidance recognises the unique features—and challenges—of privacy compliance in the mobile environment, such as the myriad possible app configurations and the different ways they handle personal data, as well as the various potential “collection points” for personal data on a mobile device: sensors such as microphones, cameras and GPS, alongside the more “traditional” collection points such as user data gathered through e-mail, SMS, instant messaging and contacts.

The guidance provides helpful, practical examples, such as outlining who controls the personal data under the DPA for particular types of app—for example, a simple note-taking app, a social media app hosted by a third-party cloud provider and an advertisement-funded game—and highlights the benefits of adopting a Privacy-by-Design approach to the development of new apps, considering issues such as “privacy-friendly” default settings and giving users effective control over their privacy settings, both on first use of the app and on subsequent use.

The guidance also addresses the challenge of providing clear, easy-to-follow privacy information on the smaller screen of a mobile device, for example by adopting a “layered” approach in which the most important privacy points are summarised, with more detail easily available via appropriate links if the user wants to see it. “Just-in-time” notifications are another potential solution, whereby the necessary information is provided to the user just before the data processing occurs—for example, where a particular feature requires the use of the user’s real-time location data.

Finally, a helpful appendix provides a number of practical examples of what the ICO considers to be “good” and “poor” privacy practice in apps.

The guidance is available here.

Brian Davidson, CIPP/E, is a privacy and information law advisor at Field Fisher Waterhouse, LLP.