With the recent announcement that the government is looking at a mobile app to help track Coronavirus cases, concerns are being raised about the implications for our privacy.
Many organisations are launching mobile apps to help with the fight against Coronavirus, co-ordinate community support and roll out new delivery services. This article looks at the privacy implications of such mobile applications.
Developing a mobile app has its own unique legal issues, from ensuring you own the intellectual property in the app and getting your contracts with suppliers and third parties right, to having clear and accessible terms of use. There are a number of legal issues that app developers need to think about and data protection is just one of these. In a previous article here we provide an overview of the various other legal issues to consider when developing a mobile app.
A particular concern for the public, especially with apps that will monitor their movements or store data about their health, is privacy and security. Under data protection legislation, businesses have a legal obligation to design their services using the principles of ‘privacy by design’, and this should be a key consideration when developing a mobile application.
Privacy by design means considering data protection and privacy issues upfront in everything you do, from the initial design stages until launch of the final product (in this context the launch date for your mobile application).
Privacy Considerations
When developing a new mobile app you should take the following data protection considerations into account:
1. Map the data flows
In developing a mobile application with privacy by design in mind, the first step should be to map the relevant data flows. You need to consider what data will be collected and how it will be processed and stored. We call this data mapping. As part of the data mapping exercise you should identify what data you will be collecting from users. In particular, you should look at whether or not your mobile app will be processing special category data (previously called sensitive personal data). Special category data includes any data that reveals a data subject’s:
- Racial or ethnic origin;
- Political opinions;
- Religious and philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data for the purpose of uniquely identifying a natural person;
- Data concerning health; and
- Sex life and sexual orientation.
Special category data requires further protection under data protection legislation so it is important you identify early on whether you will be collecting this data.
In most cases you will need an appropriate policy document for processing special category data under the General Data Protection Regulation 2016 (GDPR). In order to lawfully process special category data, you must identify both a lawful basis under Article 6 of the GDPR and a separate condition for processing under Article 9. Under GDPR you must determine your condition for processing special category data before you begin processing it and you should clearly document this.
2. Be clear about your lawful basis
In order to process personal data you must establish a lawful basis for doing so. The possible grounds for processing personal data under GDPR are:
- Consent;
- Fulfilment of a Contract;
- Legal obligation;
- Vital interests;
- Public task; and
- Legitimate interests.
Be clear about which lawful basis you are relying on and document this both internally and in your external-facing privacy notice (see paragraph 6 below for further detail). If you intend to rely on legitimate interests, remember that this requires you to balance privacy rights against the legitimate interest being pursued, and you need to document this balancing exercise in a Legitimate Interests Assessment.
3. Consider data minimisation and purpose limitation principles
Consider ways you can minimise the personal data you process, as data minimisation is a key aspect of GDPR compliance. Under the data minimisation principle you must ensure the personal data you hold is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
The purpose limitation principle should also be applied and this prevents you from using personal data for new purposes if they are incompatible with the original purpose you are collecting the data for. You should document the purposes you collect data for in your privacy policy (see below).
4. Security
The security of your mobile application will be paramount, particularly if you want to gain and maintain the trust of your users. GDPR requires businesses to have appropriate technical and organisational measures in place. You should look at your application's vulnerability to viruses and hacking, and pay particular attention to any third party software (in particular open source software) when looking at the security of your application.
5. Check terms with any third parties
You should carefully check the terms and privacy policies of any third parties you work with including contractors working on the app, third party developers, app stores and any hosting services to ensure they contain adequate protections for personal data and contain suitable processor terms required under GDPR when they are processing personal data for you.
6. Carry out a Privacy Impact Assessment and keep it under review
A privacy impact assessment should also be carried out. A Privacy Impact Assessment allows an organisation to identify and minimise the risks posed to data subjects when carrying out a new project. Under GDPR you must do a Privacy Impact Assessment before you begin any type of processing that is likely to result in a high risk to the rights and freedoms of individuals.
It is advisable to always carry out a Privacy Impact Assessment when you are looking at new technology solutions which will process personal data, due to the risks involved. Significant fines of up to €10 million or 2% of global turnover (whichever is higher) are available to the UK data protection authority, the ICO, for failure to carry out a Privacy Impact Assessment when required.
Privacy Impact Assessments are a key part of your accountability obligations under GDPR and help you adopt a privacy by design approach.
A Privacy Impact Assessment should:
- describe the processing you are undertaking and the intended/desired outcomes of your processing;
- assess the nature and sensitivity of the data being processed; and
- consider the nature of your relationship with the data subject.
This information will allow you to assess the necessity and proportionality of the processing activity. Wherever risks to the data subject’s rights are identified, the Privacy Impact Assessment should set out how those risks will be addressed or mitigated. Your Privacy Impact Assessment should include consideration of all of the issues identified in points 1 – 5 above.
An effective Privacy Impact Assessment should assist you in minimising the data protection risks of your app and should be undertaken as early as possible in the development stages of your mobile application.
Your Privacy Impact Assessment should be treated as a “live” document and reviewed regularly.
7. Ensure your mobile app has a clear and compliant privacy policy in place
Before processing personal data you need to inform users how you will process their personal data and advise them of their rights under GDPR – this should be done in a privacy notice or privacy policy available at the download stage. Whilst the format of such policies / notices can vary there are certain items that it must contain to comply with GDPR.
You need to ensure your privacy notice / policy is fit for purpose and easily accessible on a small screen – simply using the privacy policy that is on your website is unlikely to be suitable or GDPR compliant as your mobile application will use data differently to how you process personal data on your website. It will also be hard to read on a small screen.
A layered approach which allows app users to navigate to the part of the policy which is of most interest to them by clicking various hyperlinks to the relevant part of the policy is recommended for mobile applications by both the ICO and the Article 29 Data Protection Working Party (an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission). This approach is particularly suitable for the touch-based small screens of mobile devices.
Undoubtedly the government and technology companies working on apps to combat the Coronavirus will be considering the above issues and more when considering the roll out of any new mobile application.
The ICO, the UK data protection regulator, has recently issued a statement regarding Coronavirus which makes it clear that data protection and electronic communication laws do not stop the government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email or prevent the NHS from using the latest technology to facilitate safe and speedy consultations and diagnoses.
Whilst the ICO’s reassurances are welcome, they do not give permission for organisations to ignore data protection legislation in these challenging times, and they are unlikely to be extended to those not directly involved on the front line of public health in the fight against the virus. We would therefore advise any organisation looking at rolling out a new mobile application (or any other new technology) at this time to ensure they continue to apply GDPR principles when embarking on any new project, and we hope you find the above checklist helpful.
To find out more about how Stephens Scown has previously helped a local App developer with their legal compliance, please follow this link. If you would like any help with your data protection compliance please do not hesitate to contact us.