ICO guidance for app developers


The ICO guidance, published just before Christmas, is directed at the designers of apps. The focus is on mobile apps but the guidance is no less applicable to apps on other devices such as games consoles.

The guidance explains which types of data collected by an app might constitute personal data for the purposes of the Data Protection Act 1998 (the Act) and shows, for different types of app, when the developer will be the data controller and when it will not be. The data controller is responsible for ensuring users’ personal data is managed in accordance with the Act. Knowing whether you are a data controller, and what your duties are, is therefore of paramount importance.

The guidance recommends that developers collect and process only the minimum amount of personal data necessary, even where this has been thoroughly anonymised or user consent obtained, and that users should have the ability to permanently delete their accounts.

The guidance recommends the use of pop-up disclosures as one way that companies can meet their obligations under the Act, by informing users of how they plan to use their personal data and obtaining consent for that use. The Information Commissioner (ICO) suggests that traditional methods of meeting this requirement, such as a privacy policy, are not well suited to the mobile environment. It emphasises the importance of ensuring that privacy information is provided at the earliest opportunity and, if this is after an app has been downloaded, that this is done before the app processes the relevant personal data. The guidance also gives examples of the type of language that could be used to convey the necessary information (emphasising the importance of tailoring the language to the particular user type for the app in question).

The ICO recommends the use of “just-in-time” notifications so that the information is provided to the user just before data processing takes place. The suggestion is that “just-in-time” notifications will be particularly appropriate when “more intrusive data” such as location data is being collected.

Whilst businesses may well be worrying about how to manage personal data collected through apps, not least because this is new technology where the Act has not been tested, the ICO takes an optimistic view, believing that achieving compliance should not be an unduly onerous task.

Following the ICO recommendations would appear to make business sense as well. The ICO suggests that consumers have concerns about how their personal data may be used and clearer statements from the developer may help to assuage those concerns (and thereby encourage take-up).

On the other side, app users may be interested to know that the ICO has also published advice for them on how to safeguard their privacy. The ICO guidance can be accessed here.