
ICO reminds app developers of privacy responsibilities

26/02/2024


Mincoffs’ commercial team has been closely following the Information Commissioner’s Office’s (ICO) review of apps involved in the processing of sensitive personal data and whether users’ privacy is adequately protected. In particular, the ICO has recently reviewed period tracking and fertility tracking apps, as it investigates how they process personal data and whether there is any negative impact on users.

As a result of the review, the ICO is urging app developers to prioritise privacy to ensure that they adhere to data protection legislation and protect users’ privacy.

While no serious compliance issues or evidence of harms were identified, the organisation is reminding developers about the importance of protecting their users’ personal information, particularly where this includes collecting sensitive data (referred to as ‘special category’ data under the legislation).

 

To help developers comply with their data protection obligations, the ICO advises app developers to:

Be transparent

Users should understand how their personal information is being processed and for what purpose, how long their data will be kept and who it will be shared with.

Mincoffs’ commercial team advise that this can be achieved by way of a clear, concise and easily accessible privacy notice that is drawn to the attention of the users prior to the processing of their personal data. For apps that process personal data, privacy notices are a mandatory requirement under the UK GDPR. Please get in touch if you would like support and advice on preparing a compliant privacy notice.

Obtain valid consent

App developers must explain to users what they are consenting to, in language they can understand. Consent must be freely given, and data protection law sets a high standard, so the request should be prominent, concise and unambiguous. It must also be made easy for users to withdraw consent at any time.

Establish the correct lawful basis

Data protection law requires a valid lawful basis for processing personal data, such as consent, contract or legitimate interests. This must be determined before processing and should be documented. If special category data is being processed, you will need to establish a lawful basis for general processing as well as an additional ‘special category’ lawful basis for this particular kind of data.

Be accountable

App developers must be accountable for the personal information they hold. If a company determines the purposes and means by which personal data is processed, it is the data controller. As a data controller, the company is responsible for complying with data protection law and must take appropriate measures to ensure any processing of data is lawful.

 

Hannah Nagel, a solicitor in our commercial team, said:

“This update is a key reminder for businesses involved in the collection and processing of personal data via an app. Personal data is widely defined in the legislation as any information that relates to an identified or identifiable individual. This could be as simple as a name or number or could include other identifiers such as an IP address.

“In particular, where your business is involved in the processing of more sensitive personal information such as health data, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs etc. (which are categorised under the legislation as ‘special category data’), then there are additional layers of protection for such types of data to consider.

“For example, in addition to establishing a lawful basis for processing personal data, you must also meet one of the specific conditions of Article 9 of the UK GDPR for special category data.

“At the outset of a project which requires the processing of personal data, it is good practice to carry out a Data Protection Impact Assessment (DPIA) which is a process to help you identify and mitigate any data protection risks. The ICO has produced a sample DPIA template to assist with this exercise: dpia-template.docx (live.com)”

 

Mincoffs’ commercial team has extensive experience in advising on data protection matters. For support, contact Antony Hall, partner and head of the team, on ahall@mincoffs.co.uk
