Securing personal information

APP 11 requires mobile app developers to take reasonable steps to protect personal information collected by mobile apps from misuse, interference and loss, and unauthorised access, modification or disclosure.

What is considered 'reasonable steps' depends on the circumstances, including the nature of the information collected, the consequences for an individual if a data breach occurs, and practicability. Reasonable steps generally include implementing policies and procedures that relate to the following:

  • governance
  • ICT security
  • data breaches
  • physical security
  • staff training
  • workplace policies
  • de-identifying and destroying personal information
  • monitoring and review

ICT security and data breaches are particularly relevant to mobile apps. The OAIC expects you to consider privacy security measures when purchasing or upgrading ICT systems and when developing the mobile app. Security should not be an afterthought, or addressed only once a data breach occurs. The OAIC expects mobile app developers to adopt a 'privacy by design' approach, which builds privacy and data protection into the app from the outset. Depending on the particular features of the app, you may wish to consider the following security measures:

  • multi-factor authentication
  • minimum password strength
  • lockouts after a certain number of failed login attempts
  • encryption
  • secure password storage
  • testing of security systems
  • back-up facilities
  • anti-virus and hacking protection software

Other obligations

There are a number of additional obligations set out in the APPs that mobile app developers should be aware of, including obligations relating to:

  • the collection of personal information
  • dealing with unsolicited personal information
  • use or disclosure of personal information
  • direct marketing
  • cross-border disclosure of personal information (including use of cloud-based data storage with overseas servers)
  • adoption, use or disclosure of government related identifiers
  • quality and security of personal information
  • access to personal information
  • correction of personal information

There is an overarching obligation in APP 1 for entities to take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs.

While there are significant penalties for breaching the APPs, perhaps the most persuasive incentive to adopt a 'privacy by design' approach is the competitive edge this may give a mobile app. Users are concerned about their privacy, and may avoid your app if you aren't.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.