UK's ICO Issues Guidelines for an 'Appy' Christmas


Last year, 328 million apps were downloaded on Christmas Day alone, the ICO said, and many people will have the latest tablet PC or smartphone at the top of their Christmas list this year. An online survey carried out by YouGov for the ICO this month found that 59% of adults in the UK have downloaded an app.

But, the survey also found that 62% of people who have downloaded an app are concerned about the way apps can use their personal information. The survey found 49% of app users have decided not to download an app due to privacy concerns.

“The ICO’s survey shows yet again that security is the main factor putting the brakes on technology advancement and adoption,” said John Thielens, chief security officer at Axway, in an emailed comment to Infosecurity. “Transparency is the be all and end all for consumers when it comes to their personal information. They need to know exactly where their data is, who’s accessing it and what they’re doing with it, or the app industry risks being derailed.”

The ICO has accordingly published some top tips to help consumers stay in control of their data when using mobile apps, most of it of the common-sense variety. For instance, only download apps from official and trusted app stores; be extremely careful of using untrusted sources; read the information available about an app in the app store before you download; if you no longer use the app, uninstall it; consider downloading mobile security software; and make sure you erase any apps from the phone before you donate, resell or recycle an old device, as these may have access to your personal information.

“Apps do all sorts of weird and wonderful things, helping someone chat with their friends, find a local restaurant or see what’s on at their local cinema,” said ICO principal policy advisor for technology, Simon Rice, in a blog. “However, they often work by using personal information. This can include information you would not normally choose to give out to a stranger, such as the contact details of friends and relatives and details of your location.”

Thielens noted that apps aren’t just for consumers. “We’re seeing a big rise in demand for apps for the enterprise,” he said. “The bring your own device (BYOD) movement, combined with the dominance of smartphones and tablets, means employees, partners and customers alike want to access information anytime, anywhere. In this scenario, the security burden is heavily weighted on the business.”

So, with their necks on the line, businesses need to take on granular data governance throughout an organization, he recommended. “Application programming interfaces (APIs) form the foundation of any app development, and it’s API management that puts businesses back in the driving seat when it comes to controlling the flow of data beyond the enterprise edge,” he said.

Which brings us to app developers. “The app development industry is one of the UK’s fastest growing industries, but our survey shows almost half of app users have rejected an app due to privacy concerns,” said Rice. “Our guidance will help them achieve this by explaining the legal requirements when using personal information. That includes how to obtain lawful consent, the measures required to keep people’s information secure and advice on carrying out routine testing and maintenance.”

The guidance covers issues such as security and data retention, and highlights the benefits of taking a “privacy by design” approach to app development, covering issues like privacy-friendly defaults and giving users effective control over their privacy settings.

It also explains how developers can overcome the constraints of a small screen to provide their apps’ users with concise and easy-to-follow privacy information. For example, developers can break down their privacy notice into sub-sections rather than creating one long 'privacy notice' that people are forced to scroll through. It’s also important that privacy notices actually explain to people why their information is being processed, rather than simply telling them which information will be collected.

“These are issues that must be considered at the start of the development process, but once addressed will help developers in the UK comply with the Data Protection Act and have the best chance of achieving commercial success,” Rice said.
