The Information Commissioner’s Office (ICO) is reminding all app developers to ensure they protect users’ privacy, following the regulator’s review of period and fertility apps.
Last year, the ICO looked closely at period and fertility apps to understand how they process personal data and identify whether there is any negative impact on users as a result.
The review saw the ICO contact several app providers to find out more about their privacy practices, as well as engaging with app users to understand their experiences.
While no serious compliance issues or evidence of harms were identified in this review, the ICO wants to remind all app developers about the importance of protecting users’ personal information, especially where sensitive information is involved.
Emily Keaney, Deputy Commissioner Regulatory Policy, said:
“Signing up to an app often involves handing over large amounts of personal information, especially with apps that support our health and wellbeing. Users deserve peace of mind that their data is secure, and they are only expected to share information that is necessary.
“When we announced we were looking into period and fertility apps, we received a helpful response from users who were able to share their experiences with us. We want to reassure users that we haven’t found any evidence these apps are using their data in a way that could cause them harm.
“However, our review has highlighted there are improvements app developers could make to ensure they are meeting all their obligations to be transparent with their users and keep their data safe.”
The regulator has shared four practical tips to help app developers comply with their data protection obligations and maintain the privacy of their users.
Be transparent
- Developers need to ensure their apps are being transparent with how they use people’s personal information. You must provide people with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’ and it must be concise, clear and easily accessible.
Obtain valid consent
- Genuine consent means offering people a real choice. App developers must ensure they have the right consent to use people’s personal information. Data protection law sets a high standard for consent, which must be explicit, unambiguous and involve a clear action to opt-in. You must not use pre-ticked boxes or any default method for consent. You must also make it easy for people to withdraw their consent at any time.
Establish the correct lawful basis
- Data protection law requires that you must have a valid lawful basis in order to process personal data, such as consent, contract or legitimate interests. When deciding on your lawful basis, you need to consider the purposes and context of your processing to determine which lawful basis (or bases) is most appropriate. You must not adopt a one-size-fits-all approach.
Be accountable
- Those developing apps must be accountable for the personal information they hold. If you are determining the purpose and means of processing data, you are the data controller. The data controller is responsible for complying with data protection law and must take appropriate measures to ensure any processing of data is lawful.
The ICO will also be sharing advice to app users in the coming weeks, outlining steps they can take to further protect their privacy.
There is a wealth of further advice and guidance on the ICO website to support organisations with getting data protection right from the start.
Notes to editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.