Digital Minister Privacy Mis-App

Not App-y

Last week, Digital Minister Matt Hancock MP, released an app aimed at members of his constituency, to help them engage and raise subjects of interest with him as their MP. However, within a few hours of its release, it became evident that the app had major flaws which posed a threat to privacy and were clearly in breach of data protection law. Ironically, Matt Hancock’s ministerial remit includes data protection and oversight of the Department for Culture, Media and Sport (DCMS), the parent body for the Information Commissioner’s Office.

This high-profile example of the challenges and flaws in mobile app privacy is not unique, however – many of the apps released by organisations to encourage their customers or supporters have the same problems.

#HancocksApp

When it was first released on the Apple App Store, the app had no privacy policy published – which is a breach of Apple’s Terms & Conditions. Users had to download and install the app before being given any information about how their data would be used.

The privacy notice given within the app is a generic version which the developers (Disciple Media) use on every app they produce. It contains vague language (“…sharing and processing data in a variety of ways…”) and broadly describes a large amount of data sharing with third parties without identifying who those parties are or specifying how the data will be used. Analysis has discovered that the app relies on a number of third-party services for advertising and analytics (such as AppsFlyer and Mixpanel) which collect data from mobile devices and use it to build a profile of the individual using the device in order to target advertising; however, this is not stated clearly to the app user.

The app requires a number of permissions to function, such as access to the camera, photos, contacts and location check-ins. However, even when access to the camera was denied, the app was still able to retrieve and post a picture from the user’s camera, contrary to expectations and to the permissions granted. No detailed explanation is provided of why these permissions are needed or where the data goes.

The privacy notice indicates that the lawful basis for processing app user data is consent. However, as the user must tick the privacy policy to continue using the app, this consent is not “freely given” or “unambiguous”. The generic privacy policy also does not provide enough information about the data uses for the consent to be considered “informed” or “specific”, either. Therefore, the consent obtained by the app is not valid under GDPR, which meets the criteria for potential enforcement action under Article 83.4.a.

At the time the app was released, the Data Controller named in the privacy policy (Disciple Media) did not have a registration with the ICO, and neither did Matt Hancock in his role as MP. Failure by a Data Controller to notify the ICO of their processing (unless exempt, which neither of these two parties are) is a criminal offence.

A major security flaw was later discovered in the app – along with what appears to be re-use of software code in breach of licensing conditions. The flaw could potentially allow a malicious user to access highly confidential data which is stored in the developers’ cloud storage on Amazon.

Action points for organisations seeking to create their own mobile apps

  • Keep in mind that you will be the Data Controller for all processing of personal data that is carried out by an app you commission. You are therefore responsible for making sure that the app does not undermine individuals’ data protection rights.
  • Carry out a Data Protection Impact Assessment at the very beginning of the project and keep it updated throughout the design, development, testing, deployment and support life cycle.
  • Ensure that the developer you engage to write the code for the app understands the concepts of “Data protection by design and default” and is familiar with the ICO’s guidance for privacy in mobile apps.
  • Work out the processing operations for personal data that the app requires in order to function, and the processing operations which support secondary purposes, such as analysing user demographics or tracking the performance of the app. Make sure that there is an appropriate lawful basis for each specific purpose.
  • Don’t allow the app to ask for permissions that are not essential for its function, or to collect excessive personal data.
  • Stipulate that technical reviews for privacy and security must be carried out on the app before it is launched. Ideally, these will be conducted by an independent third party. If this is not feasible, the developer should at least provide documented evidence that privacy and security were considered at all stages of the app development.
  • If basing any processing on consent, collect informed, freely-given, specific and unambiguous consent from the app user before the processing takes place, and separately to presenting the privacy information.
  • Write a privacy notice which is specific to the app, and which meets the requirements of Articles 13 and 14 of the GDPR. Tracking, profiling, onward sharing of user data and use of data to target advertising should be clearly explained, as these would not be reasonably expected by the app user.
  • If the app has payment-processing functionality, for making donations or purchases, then the security of the payment data and the payment process are essential. Check that the developer understands and is prepared to commit to following the requirements of the Payment Application Data Security Standard (PA-DSS).
  • Check the destinations that the data collected by the app is sent to. Third-party providers of email functions, analytics, advertising and integration with other services may be based outside the EEA. As the Data Controller, it is your responsibility to ensure that any personal data sent outside the EEA is transferred with appropriate safeguards, lawful basis and conditions for transfer (Articles 44-49 of the GDPR).
  • Bear in mind that any in-app messaging may be subject to PECR if you, or others, will use it to send marketing messages directly to the app users. You will need consent to do this, and this consent must be obtained separately from other consent for processing.
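One way to carry out the “check the destinations” action point in practice is to compare the hosts an app actually talks to (from a test-device traffic capture) against the recipients its privacy notice names. The script below is an added example, not code from the article or from the app’s developers; the captured request lines, the `.example` hostnames and the notice contents are constructed, and the two-label public suffix list is a deliberately small stand-in for a full one.

```python
"""Egress audit: compare an app's observed data destinations with the
recipients its privacy notice declares (constructed sample data)."""
from urllib.parse import urlsplit

# Public suffixes under which the registrable domain has three labels (partial list).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the domain an organisation would register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def audit_egress(requests, declared):
    """Return domains the notice never mentions, and declared non-EEA recipients
    for which no transfer safeguard (Articles 44-49) has been recorded."""
    undeclared, unsafe_transfer = set(), set()
    for line in requests:
        _method, url = line.split(" ", 1)
        domain = registrable_domain(urlsplit(url).hostname or "")
        entry = declared.get(domain)
        if entry is None:
            undeclared.add(domain)
        elif entry["region"] != "EEA" and not entry.get("safeguard"):
            unsafe_transfer.add(domain)
    return {"undeclared": sorted(undeclared),
            "unsafe_transfer": sorted(unsafe_transfer)}


# Constructed capture of the app's outbound requests (not real traffic).
CAPTURED_REQUESTS = [
    "POST https://api.constituency-app.example/v1/messages",
    "POST https://t.appsflyer.com/api/v4/androidevent",
    "POST https://api.mixpanel.com/track",
    "POST https://ads.adnetwork.example/profile",
]

# Recipients named in a hypothetical app-specific privacy notice.
DECLARED_RECIPIENTS = {
    "constituency-app.example": {"region": "EEA"},
    "appsflyer.com": {"region": "non-EEA"},  # named, but no safeguard recorded
    "mixpanel.com": {"region": "non-EEA", "safeguard": "SCCs"},
}

if __name__ == "__main__":
    print(audit_egress(CAPTURED_REQUESTS, DECLARED_RECIPIENTS))
```

Run against the sample data, the audit flags the ad network as an undeclared recipient and AppsFlyer as a non-EEA transfer with no recorded safeguard, which are exactly the two gaps the privacy notice and the DPIA need to close.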

Protecture works with organisations of all sizes and sectors, supporting them to prepare for GDPR, with up to date framework policies and documents tailored to suit their needs, backed by on-going support, training and external audit.

For more information about how we can support you, please explore our subscription options, or call us on 0203 691 5731.

Rowenna Fielding
Data Protection Lead