The Information Commissioner’s Office (ICO) has recently produced Guidance to help developers of mobile device applications meet the security and data retention requirements under the Data Protection Act 1998 (DPA).
Particular issues included in the Guidance are:
- Determining whether the app will deal with personal data. “Personal data”, as defined in the DPA, may not be limited to information traditionally considered to be a personal identifier, such as names and addresses of individuals. Personal data may also include an IMEI number or user’s mobile phone number, even if it doesn’t name the individual, if it is used to treat individual users differently. If there is uncertainty as to whether or not data is personal data, organisations are urged to err on the side of caution and assume that it is personal data from the outset to ensure appropriate protection.
- Determining who the “data controller” for DPA purposes is. It might be the developer or the organisation commissioning the app. The Guidance states that it is fundamental to have worked out the answer to this question prior to the launch of an app so that the data controller can be aware of its obligations under the DPA, including registration.
- If an organisation determines how personal data collected through the app will be used, it is likely to be a data controller. If an app sends a user’s personal data elsewhere for processing, the entity in control of the transferred data is likely to be a data controller.
- If a data controller appoints a data processor for an app, there should be a written contract to ensure a proper level of security.
- Users of apps should be properly informed about what will happen to their personal data if they install and use the app, and this should be given in plain English using language appropriate to the app user (for example, an app to help school children with homework should use language a child can understand).
Examples of appropriate wording which should be included for users of apps are included in the guidance, which may be accessed here.