Sweep of Victorian Public Sector Mobile Apps: Mixed results
July 7, 2014
Apps are notorious for having minimal privacy protections and lousy to non-existent privacy policies, while being an excellent source of data leakage for hackers. Privacy regulators have been focusing on privacy issues with apps in the recent past. A breach of data security or loss of data through an app is just as much a breach of the Privacy Act at the Commonwealth level, or of the Victorian Information Privacy Act, as if the data had been lost on the street or taken in an online hacking attack. Apps are becoming a necessary feature of service delivery for government agencies and organisations.
The findings, found here, provide:
Twenty-seven participating data protection authorities from around the world undertook a coordinated exercise to examine privacy protections and related issues raised by apps. Some of the issues considered were: whether consumers are clearly informed about the types of personal information an app collects and uses; why that data is needed; and how many apps collect information way beyond what is actually needed for an app’s functionality.
Privacy Victoria examined 64 mobile apps developed by Victorian public sector organisations. Each organisation has now been informed directly of the Sweep’s findings as they relate to their apps. While good practices were found, there were also some concerns.
Good Practice Findings
- Post-installation, prospective users being required to accept a privacy statement (incorporated in the Terms of Use) if they wish to proceed.
- Apps aimed at school children requiring parents/guardians to complete a consent form before a child can be registered to use it.
- Crime reporting apps that give users a ‘report anonymously’ option, albeit with less functionality available.
- Apps that link to an organisation’s website where it is evident that all channels have been considered in an integrated manner (i.e. mobile app, website transaction, phone and email).
Concerns
- Very few app-specific privacy policies were found: there was either no policy or there was reference to a generic (website) privacy policy.
- There were many examples of a private sector app developer being named as the App seller/Data controller rather than the responsible private sector organisation.
- In-app communications were sometimes not tailored for the ‘small screen’.
- There are two dominant platforms for mobile apps, but whereas 94% of the swept apps had an iOS (Apple) version only 62% catered for Android. This reduces the extent of citizen engagement.
The implementation of digital and mobile channels is a relatively new direction for public sector agencies, and the emphasis on mobile apps is now at the forefront, as stated in the recently updated Victorian Government ICT Strategy. However, the proliferation of mobile apps should not have negative privacy implications for Victorians.
The GPEN Privacy Sweep was an educative exercise which has highlighted concerns for organisations that they can remedy as appropriate. The Sweep also serves as an early introduction to Privacy by Design, which Privacy Victoria has formally adopted. New communication channels lend themselves to Privacy by Design, and agencies are encouraged to familiarise themselves with the relevant principles and materials.
Privacy Victoria will be producing mobile app guidance later this year.
While Privacy Victoria's proposal to produce mobile app guidance is welcome, it is a long way behind the curve. Privacy guidelines for apps have already been produced by the Australian Privacy Commissioner, the UK Information Commissioner's Office and the US Federal Trade Commission (amongst other guides and articles). The issues are clear, as are the obligations. The real issue is being an active regulator. That has been the problem in Australia.