A: Many businesses are using mobile apps as an important marketing tool. Mobile apps are quite sophisticated and it is very important to consider data protection principles in their development.
Apps give wide access to a consumer’s device, and this has resulted in high-profile examples of apps accessing user data without the necessary consents.
Personal data is information relating to a living individual who is or can be identified either from the data itself or from other information that is in the possession of, or is likely to come into the possession of, a data controller. Examples of personal data that might be received from a user include photographs, address book data, location data and access details for third-party services (e.g. Facebook). Even if an app does not gather any data from its users directly, the incorporation of third-party analytics or advertising platforms will often involve the transmission of personal data. If the use of an app involves the collection of personal data, then it must comply with data protection principles.
The essential principles of data protection are that there must be fair collection and processing of data, the processing must be legitimate and the data must be kept only for specified, explicit and lawful purposes. Data must be collected, transmitted and stored with appropriate security measures.
The key to compliance with the data protection principles is the incorporation of a clear data protection notice, either in the app itself or in the app store or marketplace from which a user downloads the app. A well-drafted data protection notification will inform a user of the type of data that is collected by the app and will tell them to what uses the data will be put. The notification will also incorporate a reference to the user’s consent to the collection and processing of the data.
Where it is intended to use personal data collected for certain purposes, or if the personal data is classified as ‘sensitive personal data’, it will be important to obtain the express consent of users for such processing. It is also important to inform users of their right to request details of the personal data that is held about them and their right to have any inaccuracies corrected.