Businesses are increasingly using mobile applications (apps) to market and deliver their products and services to users, but do users really know how their personal information is being handled once they install an app? Businesses considering launching or updating a mobile app can take a number of steps to incorporate better privacy practices in their apps.

Mobile apps and privacy reforms

It is clear that the use of smart phones and mobile apps in Australia is on the rise. The Office of the Australian Information Commissioner (OAIC) has published figures from a 2012 Australian study where 76 per cent of respondents said they owned a smartphone, compared with 67 per cent in 2011. 87 per cent of smartphone users surveyed had installed an app on their phone.

Privacy enforcement authorities have identified mobile apps as a key area of focus due to the privacy implications for consumers. In fact, the OAIC and 27 other privacy authorities from around the world conducted a 'global privacy sweep' earlier this year, which involved examining 50 of Australia's most popular apps for privacy issues.

Ensuring your mobile app complies with Australia's privacy laws is now more important than ever. Not only are users more concerned about their privacy, but reforms to the Privacy Act 1988 (the Act) in March this year imposed a number of additional obligations on many businesses and hefty penalties for non-compliance. The OAIC can now seek civil penalties of up to $1.7 million for corporations and $340,000 for individuals for breaches of the Act, including the Australian Privacy Principles (APPs).

Collecting personal information via a mobile app

The OAIC expects mobile app developers to consider what personal information is essential for the operation of the app. Under APP 3, entities must not collect personal information unless the information is reasonably necessary for, or directly related to, one or more of the entity's functions or activities. If you cannot explain why you need the information or how it relates to your business functions or activities, the information generally should not be collected.

You should also consider the nature of the personal information being collected, and how it will be collected. In particular, determine whether the personal information is 'sensitive information'. Sensitive information includes information about an individual's racial or ethnic origin, political opinions, memberships of professional associations, religious beliefs, sexual orientation and health.

Common types of information that apps access include:

  • the user's name and contact details
  • the user's date of birth
  • credit card details
  • address books and contact lists
  • photographs
  • device location information
  • call and SMS logs
  • audio recordings
  • calendar entries

The nature of the personal information collected will affect an entity's privacy policies and procedures. If you are collecting sensitive information, the user's consent to collect the information is generally required (unless an exception applies).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.