Having kept a watchful eye on mobile privacy trends in the US, it comes as no surprise that the Office of the Australian Information Commissioner ('OAIC') has now focussed on privacy compliance in respect of apps and the mobile environment.
Draft Practice Guide issued
In April the OAIC released a consultation draft of a proposed practice guide entitled 'Mobile Privacy: A better practice guide for mobile app developers', which we expect will soon be finalised with no significant amendments ('Practice Guide').
This Practice Guide will be the key guidance on privacy in the app and mobile environment under the new Privacy Act and the Australian Privacy Principles, which are effective from 12 March 2014. As we predicted, privacy compliance in the mobile environment (including apps) is 'front and centre' in the OAIC's thoughts and will be an area of 'increased scrutiny' for the OAIC.
Privacy by design
In the Practice Guide the OAIC recommends that app developers adopt a "privacy by design" approach, where privacy-enhancing practices are applied throughout the life cycle of the personal information: that is, its collection, use (including data matching analytics), disclosure, storage and destruction. This, the OAIC suggests, may be achieved by app developers by:
- Knowing your privacy responsibilities: having someone in the organisation be responsible for privacy, putting in place controls to ensure third parties accessing the personal information collected respect privacy and using a privacy impact assessment to assist with privacy planning at the development stage.
- Only collecting personal information that your app needs to function: limiting data collection to what is needed for the legitimate purposes of your app and allowing users to opt out of data collection outside of what they would "reasonably expect" is necessary for the functioning of the app.
- Securing what you collect: putting in place appropriate safeguards to protect the personal information the app collects and using encryption when storing and transmitting data, giving users the ability to delete or request the deletion of all data that your app has collected about them and publishing clear policies about how long it will take to delete a user's personal information once the user removes/deletes your app.
- Timing: obtaining consent at the point of downloading the app, telling users how their personal information is being handled at the time they download the app, when they first use the app and throughout the app experience to ensure their consent remains meaningful and relevant. Ongoing disclosure will be particularly relevant for the ongoing collection of location data/personal information.
What action should Australian businesses take now?
As highlighted in our earlier Update, 'Do your apps and mobile sites comply with Australian privacy law?', we recommend that Australian businesses review and update their privacy policies and processes to ensure that they adequately cover personal information collected through their apps and mobile sites.
To avoid potential liability, and in light of the OAIC guidance points listed above, Australian businesses should:
- Ensure their app and mobile site developers are aware of the legal obligations to protect privacy
- Provide a summary of the mandatory information to be provided to users under Australian privacy law at the point or points where personal information is collected (and, in particular, consider ongoing notifications in respect of the ongoing collection of location data)
Please do not hesitate to contact a member of our dedicated privacy team if we can assist with the review or audit of your current privacy practices and policies relating to your mobile sites and apps, or if you would like our help with the amendments to your privacy processes and policies needed to comply with the new privacy regime that takes effect on 12 March 2014.