If you are planning to launch a downloadable software app, it is important that you understand your obligations when it comes to your users’ privacy. Inevitably, most users will share some form of personal information to sign up and access your app’s features. This information can include at a minimum their name, email address, mobile number or gender information.

To assist app developers, the Office of the Australian Information Commissioner (OAIC) has prepared a ‘Better Practice Guide for Mobile App Developers’ (Guide). The guide provides a useful overview of the main considerations for app developers to promote awareness and diligence when it comes to the online privacy of Australians. In this article, we explore the top privacy best practices for app developers to assist you on your journey.

How Does the Privacy Act Apply to App Developers?

The Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APP) set out how businesses should handle the information of individuals. The Privacy Act defines personal information as an opinion or information about an identified or identifiable person. What constitutes ‘personal information’ will differ in each circumstance but can include any of the following:

  • location details (this can reveal user activity, patterns and habits);
  • date of birth;
  • health information;
  • email address or residential address;
  • photographs;
  • contact lists; and
  • voiceprints and face recognition biometrics;

All businesses that have an annual turnover of more than $3 million have responsibilities which are set out in the Privacy Act, subject to some exceptions. The Privacy Act can also cover small businesses with an annual turnover of less than three million, and include the following:

  • private sector health providers;
  • contractors who provide services under a Commonwealth contract;
  • businesses which conduct protection action ballots;
  • businesses which sell and/or purchase personal information; and
  • credit reporting bodies.

In Australia, if you capture personal information on your app which you use for marketing purposes or share with third parties, the Privacy Act will most likely apply. According to the Guide, the Privacy Act is also likely to cover businesses that use personal information to sell advertising through an app. To check whether your business needs to comply with the Privacy Act, you can complete the privacy checklist for small business found on the OAIC website.

Privacy Best Practice Guidelines

Regardless of whether the Privacy Act and APP directly apply to your business, it is in your best interests to build strong protections around privacy for your users. APP 1 sets out that businesses should take reasonable steps to implement practices, systems and procedures that allow for compliance with the APPs. It also requires businesses to take reasonable steps to deal with privacy complaints and general enquiries. A Privacy Manual Program is a useful resource to assist you to manage risks upfront and respond to any requests for personal information in a timely and organised manner.

1. Privacy Manual Program

The Guide recommends that each business identify someone in the organisation to be responsible for privacy even if the business is made up of a small team. Any business can build a Privacy Manual Program that works for them.

2. Privacy Impact Assessment

It is recommended you conduct a Privacy Impact Assessment (PIA) when you are in the planning stages of your app. While a PIA is voluntary, it will help you determine if a project meets the privacy requirements under the Privacy Act and the APPs. It will also assist with exploring ways to mitigate any adverse effects on privacy, if and when they arise in your organisation. At a basic level when you conduct a PIA, you will:

  • describe how personal information flows from a project (i.e. how you will collect, store, access or disclose personal information);
  • analyse potential privacy impact risks that arise from the project; and
  • find ways to manage, minimise or avoid these risks.

3. Your App Privacy Policy

Your app privacy policy should be easy to locate, and users should not have to search for it. At a minimum, your privacy policy should address the following points:

  • your business and how to get in contact with you;
  • the specific types of personal information that your app collects and stores;
  • where you will store the personal information;
  • how and when personal information will be used and disclosed; and
  • how users can enquire on privacy or make a complaint if they believe you have breached your privacy obligations.

The Privacy Act differentiates between personal and sensitive information. Sensitive information is a sub-set of personal information, and the APP gives it a higher level of protection. Under the Privacy Act, sensitive information can include the following:

  • racial or ethnic origin;
  • sexual preferences;
  • religious beliefs or affiliations;
  • criminal record, if any;
  • membership of a political association;
  • health information; and
  • genetic information.

If your app captures sensitive information, you’ll have additional privacy obligations under the APPs, and you will need to reflect this in your app privacy policy. You should set out how you will use the sensitive information you have collected and whether you will share it with third parties. Given the greater privacy impact of collecting sensitive information, it is important to seek express consent before collecting any form of sensitive information from your users.

4. Limit the Amount of Personal Information You Collect

At a practical level, you should only collect enough personal information to allow your app to function for your users optimally. It is worthwhile to consider whether you need to collect the personal information at all. Below we set out some helpful tips from the Guide:

  • delete or de-identify any information which you no longer require for a lawful purpose;
  • don’t collect sound or activate a device camera without the permission of the user;
  • Always ensure that you have received express consent to collect sensitive information from the user;
  • allow your users to change their minds about sharing personal information. If they need to uninstall the app, then you should explain this to them clearly; and
  • don’t collect and store personal information about a third party from your user’s device unless you obtain consent from those third parties. For example, your user’s address book or contact list.

5. Secure the Information That You Collect

As discussed, the APPs require you to take reasonable steps to protect any personal information that you collect. The Guide sets out the following tips:

  • ensure that someone within your business is responsible for security;
  • generate credentials securely;
  • don’t store passwords in plain text on your server; and
  • encrypt user information when it is transferred via the internet or stored.

Key Takeaways

The demand for downloadable software apps has increased over the years with the industry seeing vast innovation. While developing and launching an app is an exciting business pursuit, it is important that you meet your obligations under the Privacy Act and the APPs. This will ensure that users trust your service and remain loyal to your app, particularly when your competitors are increasing in number.

If you have questions about your obligations under the Australian Privacy Principles, get in touch with our IT lawyers on 1300 544 755 or fill in the form below.

Ask Ayatalla a Question

If you would like further information on any of the topics mentioned in this article, please get in touch using the form on this page.