App Review results published by ICO - DAC Beachcroft


Published 19 April 2016

In a blogpost on 11 March 2016, the ICO's Group Manager for Technology, Simon Rice, considers how apps are used and provides a reminder to app developers that privacy should be appropriately considered. As Rice points out, apps are big business. Users expect to be able to interact with organisations on smartphones and tablets through an app. However, just because apps are intended to be convenient, quick ways to access a service, does not mean that legal requirements can be dispensed with.

In 2015, the ICO carried out a review of 21 popular apps and found some areas of concern. The main one was the encryption of the connections used to transmit personal data: three apps sent personal data over unencrypted connections, and three apps that did use encrypted (HTTPS) connections were not properly validating the server's digital certificate, which would allow an attacker to impersonate the server and so receive the personal data in place of the intended recipient.

Other areas of concern include:

  • weak password requirements;
  • use of cookies without consent;
  • transmission of passwords in the URL;
  • unexplained usage of tracking ID numbers; and
  • misleading interface design.

The review also highlighted "just plain annoyance (e.g. advertising in the notification bar)". It is not immediately clear how "plain annoyance" is the ICO's concern unless the advertising is tied in to the issues identified on the use of cookies. Surely this is a user experience issue for app developers to consider?

ICO guidance for app developers – a reminder

In 2013 the ICO produced guidance for app developers. The guidance has not been updated since its first publication. Whether this 'sweep' will prompt an update to the guidance remains to be seen. However, Rice does recommend that app developers take the opportunity to read the guidance.

In light of this recommendation, we have set out the seven key questions from the guidance to ask yourself when developing an app. Much of this should not be new. The rules are the same regardless of the medium for processing data. Remember also that organisations should be considering these questions before an app is developed and take a 'privacy by design' approach.

1. Will your app deal with personal data?

Make sure you properly consider whether personal data will be processed using your app. Remember that personal data may not be as obvious as a name. Device identifiers such as IMEI numbers can constitute personal data.

2. Who is the data controller?

Once you have established that your app will be processing personal data you need to consider who is the data controller of that personal data: who determines the purposes for which, and the manner in which, the personal data is processed?

3. What data will you collect?

Make sure only the minimum data necessary is collected and that it is only kept for as long as it is required for the specified purposes. Consider whether less privacy intrusive data might be collected. For example, if photos are collected, strip out unnecessary metadata such as the date of creation of the image or the location.

4. How will you inform users?

To ensure compliance with the first data protection principle, users must be clearly told what personal data will be collected and for what purpose. Make sure a privacy policy is included early in the user journey and, as a minimum, before personal data is processed. Consider the appropriate approach for displaying a privacy policy with regard to the medium through which the privacy policy will be accessed. For example, would a layered approach be more suitable? 

5. How will you give your users feedback and control?

Avoid taking an 'all or nothing' approach. Allow users to take control of their settings including by allowing users to change the choices once the app is in use. If your app uses data in an unexpected way clearly alert the user to this processing and provide an easy way to stop the processing. 

6. How will you keep the data secure?

Ensure data is encrypted where appropriate. This is especially important given the ICO's findings following its review of mobile apps. Usernames, passwords and other particularly sensitive information should always be transmitted using encrypted connections. Consider vulnerability classes that are specific to apps, such as inter-app injection flaws. The guidance also specifically says that SSL and TLS connections should be properly checked (including validation of the server's certificate) to ensure that a connection is actually secure.
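The three transport findings from the ICO review (unencrypted connections, passwords in the URL, and HTTPS connections that do not check the server's certificate) can be caught before release by auditing each outbound request. The Python block below is an added example, not code from the ICO guidance or from the article: it shows the insecure TLS configuration the review describes beside its hardened form, and an `audit_request` helper that flags the three issues. The `SECRET_PARAMS` set, the `.test` hostnames and the sample requests are constructed for the example.

```python
import ssl
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Query-string keys that must never carry a credential. Constructed for this
# example; extend it to match the parameter names your own API uses.
SECRET_PARAMS = {"password", "passwd", "pwd", "pass", "token", "api_key"}


def insecure_context() -> ssl.SSLContext:
    """The pattern the review found: HTTPS on the wire, but any certificate
    is accepted, so a man-in-the-middle can impersonate the server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # hostname no longer compared to the cert
    ctx.verify_mode = ssl.CERT_NONE  # certificate chain not validated at all
    return ctx


def secure_context() -> ssl.SSLContext:
    """Hardened form: validate the chain against the system trust store and
    require the certificate to match the host being contacted."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context() already sets check_hostname=True and
    # verify_mode=CERT_REQUIRED; the assertion makes that intent explicit.
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx


def audit_request(url: str, ctx: Optional[ssl.SSLContext]) -> List[str]:
    """Return the findings for one outbound request, in the review's terms:
    unencrypted transport, a credential in the URL, and an HTTPS connection
    whose SSLContext does not verify the server certificate."""
    findings: List[str] = []
    parts = urlsplit(url)

    if parts.scheme != "https":
        findings.append("unencrypted connection")

    # Anything in the query string ends up in server, proxy and browser logs.
    for key in parse_qs(parts.query, keep_blank_values=True):
        if key.lower() in SECRET_PARAMS:
            findings.append(f"credential '{key}' in URL")

    if parts.scheme == "https" and ctx is not None:
        if ctx.verify_mode != ssl.CERT_REQUIRED:
            findings.append("certificate chain not verified")
        elif not ctx.check_hostname:
            # Chain is validated, but a valid cert for *any* host would pass.
            findings.append("certificate not matched against hostname")

    return findings


# Constructed sample requests, not captured from any real app.
SAMPLE_REQUESTS = [
    ("http://api.example.test/login?user=alice&password=hunter2", None),
    ("https://api.example.test/login", insecure_context()),
    ("https://api.example.test/login", secure_context()),
]

if __name__ == "__main__":
    for url, ctx in SAMPLE_REQUESTS:
        print(url, "->", audit_request(url, ctx) or ["ok"])
```

The check deliberately treats a context that validates the chain but skips hostname matching as a finding too: a certificate issued to some other domain would otherwise be accepted, which is exactly the impersonation the review warns about.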

7. How will you test and maintain your app?

Consider what your ongoing strategy for testing and maintaining your app will be. As a general consideration, where users are given a choice as to whether personal data can be accessed, ensure that the user experience is tested in both scenarios. Make sure you regularly review your privacy policy, not only to ensure that you are still complying with it but also that the most privacy friendly approach is being taken at all times.

Practical Steps

Review your app privacy policies to ensure they comply with the guidance. Rice also mentioned that the ICO has started a second investigation into finance and wellbeing apps. If you work in this field make sure your house is in order so if the ICO comes knocking you will be well armed to respond to criticisms.
