The Office of the Australian Information Commissioner (OAIC) recently released a guide under the title "Mobile Privacy: A better practice guide for mobile app developers" (the Guide). The intention of the Guide is to assist app developers with building "privacy-friendly" apps to ensure better privacy practices and also ensure compliance with Australian privacy laws, both under the existing National Privacy Principles, and the incoming Australian Privacy Principles, which will commence from 12 March 2014.

Privacy remains a big concern for consumers. A recent survey, Internet privacy research: report, indicated that 69 per cent of Australian app users have refused to use an application because it collected too much personal information, and 75 per cent also said they needed to know more about the ways that companies collected personal information.

The OAIC takes note that "The Australian community puts a high level of trust in the mobile apps they use and their expectation for privacy protection is equally high. Apps which fail to protect user privacy lose user confidence and gain negative publicity."

The Guide encourages developers to adopt a "privacy by design" approach that aims at building privacy and data protection up front, into the design specifications and architecture of the technology used as part of the app. Such an approach will ensure that privacy considerations are incorporated into each stage of app development.

The Guide also sets out a number of "essentials" that an app developer should consider when designing their app.

  1. Privacy Responsibilities – Management and Assessment Programs
    The OAIC recommends that developers put in place a privacy management program to help manage risks upfront. This may include:
  • appointing a privacy officer to be responsible for privacy protection;
  • having controls in place (such as contracts) to ensure that third parties (such as outsourced developers and hosts) process personal information in accordance with their obligations under privacy laws; and
  • conducting a "Privacy Impact Assessment" to ensure that all relevant issues have been considered, including collection, use and storage, the possible impacts on an individual, and potential ways to minimise those impacts and encourage good practice.
  2. Transparency – Developing a Privacy Policy
    A developer should ensure that it has provided an easily accessible privacy policy as part of the app, which is transparent about how a user's personal information is collected, how it is used, and what options the user has in regards to protection or modification of their information.
  3. Obtaining Consent
    The Privacy Act requires that individuals provide their informed consent, but the OAIC acknowledges that it can be difficult to read an overabundance of legal text on a small screen. Therefore, to avoid "notice fatigue", the OAIC suggests as follows:
  • provide an easy to use privacy dashboard that allows users to tighten their privacy settings and explains the consequences of making a choice to provide data;
  • use short form notices, no longer than a single screen, that set out the key points that require attention by the user regarding collection, use and disclosure of their information;
  • give users a way to modify their information, opt out of any tracking and delete their profile entirely if they wish; and
  • to enhance a privacy policy, the OAIC also encourages using graphics (such as icons or images to indicate when sensitive information is about to be transmitted), colour (such as altering the intensity of colour to indicate the importance of a user's decision or the sensitivity of information) and sound (such as selective use of sounds to draw attention to a privacy related decision that needs to be made in a timely way).
  4. Timing of User Notice and Consent
    How the policy is presented is one thing. Timing and obtaining consent is also important, as a user's attention can be limited, especially when using an app on a mobile device. To get the most impact, the OAIC suggests:
  • highlighting privacy practices at the point of download, and also upon first use;
  • obtaining consent to the privacy practices at the point of download; and
  • providing real time notices (for example, if the app takes photos, upon first use clearly state what information the app will collect or disclose, such as tagging, to allow the user to opt out of that function).
  5. Only Collect Personal Information That the App Needs to Function
    App developers should only collect personal information that is necessary, and should consider whether personal information is required at all.
    The OAIC suggests as best practice that all users opt in to collection or use of personal information. If this is not practicable, a developer should allow users a function to opt out. If neither function can be enabled, this should be explained to users at the point of download so they can make their own informed decision about whether to install the app.
  6. Security Measures
    The Guide encourages proper security measures and protections (such as data encryption) to be implemented, to ensure that a user's personal information is properly handled.

The mobile applications industry is booming, and consumers are becoming increasingly reliant on mobile apps for banking, business, entertainment, lifestyle, and social networking.

However, privacy remains a big issue for many consumers, and while the Guide is not a prescribed legal document, it is worth giving serious consideration to the recommendations provided by the OAIC to ensure an overall user and privacy friendly experience for the consumer.
