On 17 December 2013, we issued an article on the "Mobile Privacy: A better practice guide for mobile app developers" guide (Guide) released by the Office of the Australian Information Commissioner (OAIC) 1.
Following the commencement of the Australian Privacy Principles (APPs) on 12 March 2014, the OAIC has recently released an updated September 2014 Guide to help mobile device application (app) developers embed better privacy practices in their products and services, and help developers that are operating in the Australian market to comply with Australian privacy law and best practice 2.
The Guide sets out a number of "app privacy essentials" that app developers should consider when designing their app, in light of the APPs.
We highlight here some key matters and changes to the Guide in light of the commencement of the APPs and the release of the September 2014 version of the Guide.
Privacy responsibilities – management and assessment programs
The Guide now specifically refers to APP 1, which requires businesses to take reasonable steps to implement practices, procedures and systems that enable compliance with the APPs and will enable them to deal with privacy enquiries or complaints.
Putting in place a privacy management program for a business will help the business manage risks up front. Given the potentially high number of users of an app, it can also help the business to respond to requests for users' access to their personal information and complaints in an organised manner.
- who the business is and how to contact the business;
- what kinds of personal information an app collects and stores;
- how an app collects personal information, and where it will be stored (on the device or elsewhere);
- the purposes for which an app collects the personal information;
- how personal information will be used and disclosed;
- how users may access their personal information, and correct it or seek to have it corrected;
- how users may complain about a breach of the APPs, and how a business will deal with such a complaint; and
- whether a business is likely to disclose the information outside Australia and, if it is practicable, in which countries the business is likely to disclose that information.
The Guide now also deals with the obligations contained in the APPs for sending personal information overseas. APP 8 imposes specific obligations about sending personal information outside of Australia and a business may remain accountable for what happens to that information overseas. If an app collects sensitive information (which includes a user's health information, their membership of a trade union or political association, and their sexual orientation or practices), the business is likely to have additional privacy obligations under the APPs.
In addition to the OAIC's previous recommendations in relation to avoiding "notice fatigue" (including providing an easy to use privacy dashboard; using short form notices; giving a way for users to modify their information, opt out of tracking and delete their profile; and using graphics, colour and sound), the September 2014 update of the Guide specifically addresses the privacy requirements for users with a disability.
Privacy policies and notices need to be accessible to users with a disability, such as people who are blind and use screen readers, people who are colour blind, and people who are deaf or hard of hearing. If an app uses tools that are not accessible to users with a disability, an alternative way for those users to get the information should be offered.
Timing of user notice and consent
The OAIC maintains its suggestions regarding the timing of obtaining privacy consents for an app. To make the most impact, the OAIC suggests:
- highlighting privacy practices at the point of download, and also upon first use;
- obtaining consent at the point of download; and
- providing real time or "in-context" notices (for example, upon first use of a particular feature of the app).
Only collect personal information that the app needs to function
APP 3 now requires that businesses only collect the personal information that is necessary. An app developer should therefore consider whether the business needs to collect personal information at all.
The OAIC suggests the following rule of thumb:
"If you cannot explain how a piece of personal information is related to the functions or activities of your app, then you probably should not be collecting it. Don't collect personal information just because you believe it may be useful in the future."
Subject to specific exceptions contained in the APPs, the APPs also require businesses to delete or de-identify personal information that is no longer needed for a lawful purpose, and prohibit the collection of sensitive information, unless the user has expressly consented. Therefore, app developers must ensure the apps they develop contain mechanisms for personal information that is collected from users to be properly de-identified, or otherwise contain mechanisms to obtain the required express consent from users.
APP 11 requires a business to take reasonable steps to protect any personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
The OAIC continues to encourage proper security measures and protections (such as data encryption) being implemented, to ensure that users' personal information is properly handled. Following the implementation of the APPs, the Guide now includes additional recommended security measures including:
- deleting or de-identifying personal information that is no longer needed; and
- preparing, implementing and regularly updating adata breach policy and response plan.
The Guide remains a better practice guide. It is designed to provide suggestions for both privacy compliance and better practice. Whether or not a business is subject to thePrivacy Act 1988 (Cth), privacy remains a key concern for many consumers. The Guide, although not an enforceable legal document, is intended to help make apps more privacy-friendly for end-users/consumers, and to assist app developers in making user privacy one of the competitive advantages of their apps.
1Our original article dated 17 December 2013 is available here....
2Section 5B of the Privacy Act 1988 (Cth) provides that the Act may apply to the acts or practices of an organisation that occur outside of Australian jurisdiction in certain circumstances.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.