ICO guidance for app developers
The ICO guidance, published just before Christmas, is directed at the designers of apps. The focus is on mobile apps but the guidance is no less applicable to apps on other devices such as games consoles.
The guidance explains which types of data collected by an app might constitute personal data for the purposes of the Data Protection Act 1998 (the Act) and shows, for different types of app, when the developer will be the data controller and when it won’t be. The data controller is responsible for ensuring users’ personal data is managed in accordance with the Act – as such, knowing whether you are a data controller and what your duties are is of paramount importance.
The guidance recommends that developers collect and process only the minimum amount of personal data necessary, even where this has been thoroughly anonymised or user consent obtained, and that users should have the ability to permanently delete their accounts.
The ICO recommends the use of “just-in-time” notifications so that the information is provided to the user just before data processing takes place. The suggestion is that “just-in-time” notifications will be particularly appropriate when “more intrusive data” such as location data is being collected.
Whilst businesses may well be worrying about how to manage personal data collected through apps, not least because this is new technology where the Act has not been tested, the ICO takes an optimistic view, believing that achieving compliance should not be an unduly onerous task.
Following the ICO recommendations would appear to make business sense as well. The ICO suggests that consumers have concerns about how their personal data may be used and clearer statements from the developer may help to assuage those concerns (and thereby encourage take-up).
On the other side, app users may be interested to know that the ICO has also published advice for them on how to safeguard their privacy. The ICO guidance can be accessed here.