Australia: Privacy compliance for Apps is an OAIC focus!

Privacy Update (Australia)

Having kept a watchful eye on mobile privacy trends in the US, it comes as no surprise that the Office of the Australian Information Commissioner ('OAIC') has now focussed on privacy compliance in respect of apps and the mobile environment.

Draft Practice Guide issued
In April the OAIC released a consultation draft of a proposed practice guide entitled 'Mobile Privacy: A better practice guide for mobile app developers', which we expect will soon be finalised with no significant amendments ('Practice Guide').

This Practice Guide will be the key guidance on privacy in the app and mobile environment under the new Privacy Act and the Australian Privacy Principles, which are effective from 12 March 2014. As we predicted, privacy compliance in the mobile environment (including apps) is 'front and centre' in the OAIC's thoughts and will be an area of 'increased scrutiny' for the OAIC.

Privacy by design
In the Practice Guide the OAIC recommends that app developers adopt a "privacy by design" approach where privacy-enhancing practices are applied throughout the life cycle of the personal information: that is, its collection, use (including data matching analytics), disclosure, storage and destruction. This, the OAIC suggests, may be achieved by app developers by:

  • Knowing your privacy responsibilities: having someone in the organisation be responsible for privacy, putting in place controls to ensure third parties accessing the personal information collected respect privacy and using a privacy impact assessment to assist with privacy planning at the development stage.
  • Being open and transparent about your privacy practices: developing and posting a clear and transparent privacy policy that informs users as to what your app is doing with their personal information, monitoring processes to ensure personal information is being handled in the way described in your privacy policy and, when updating an app, informing users of any changes to the way their personal information is to be handled and giving them an easy way of refusing the update.
  • Only collecting personal information that your app needs to function: limiting data collection to what is needed for the legitimate purposes of your app and allowing users to opt out of data collection outside of what they would "reasonably expect" is necessary for the functioning of the app.
  • Securing what you collect: putting in place appropriate safeguards to protect the personal information the app collects and using encryption when storing and transmitting data, giving users the ability to delete or request the deletion of all data that your app has collected about them and publishing clear policies about how long it will take to delete a user's personal information once the user removes/deletes your app.
  • Obtaining meaningful consent (despite the small screen): considering and selecting the right strategy to convey the privacy policy in a meaningful way on the small screen (e.g. considering short-form notices with links to more detailed explanations, a privacy dashboard that displays a user's privacy settings and provides a convenient means of changing them and/or using cues such as graphics, colour and sound to draw a user's attention to what is happening with their personal information).
  • Timing: obtaining consent at the point of downloading the app, telling users how their personal information is being handled at the time they download the app, when they first use the app and throughout the app experience to ensure their consent remains meaningful and relevant. Ongoing disclosure will be particularly relevant for the ongoing collection of location data/personal information.

What action should Australian businesses take now?
As highlighted in our earlier Update, 'Do your apps and mobile sites comply with Australian privacy law?', we recommend that Australian businesses review and update their privacy policies and processes to ensure that they adequately cover personal information collected through their apps and mobile sites.

To avoid potential liability and in light of and together with the OAIC points of guidance listed above, Australian businesses should:

  • Ensure their app and mobile site developers are aware of the legal obligations to protect privacy
  • Ensure all apps and mobile sites contain a functional link to the privacy policy/statement of the business in a conspicuous place
  • Provide a summary of the mandatory information to be provided to users under Australian privacy law at the point or points where personal information is collected (and, in particular, consider ongoing notifications in respect of ongoing collection of location data)
  • Ensure the privacy policy/statement clearly identifies how personal information is collected, reasons/purposes for collection and how such information will be used and shared, in a manner that can be easily understood by users
  • Put in place adequate procedures for bringing the privacy policy (and any subsequent changes to it) to the attention of users before they enter the mobile site or download the app and obtain the user's consent regarding the use and disclosure of their personal information.

Please do not hesitate to contact a member of our dedicated privacy team if we can assist with the review/audit of your current privacy practices and policies relating to your mobile sites and apps, or if you wish us to assist you with the amendments necessary to your privacy processes and policies to ensure compliance with the new privacy regime, which becomes effective on 12 March 2014.