An audit report from the Queensland information commissioner shows what happens when government agencies rush out mobile apps without paying sufficient attention to digital privacy, but also contains two examples of good practice.
Commissioner Rachael Rangihaeata reports the Queensland Police Service rushed out its Policelink app and only performed a privacy impact assessment in July, after she finished her audit.
“QPS focused on getting the Policelink mobile app up and running,” she writes. “It did not consider the privacy aspects of the app when developing it in 2012 because of poor project governance.
“QPS developed an initial Privacy Impact Assessment in July 2017 at the conclusion of this audit. While this is a first step in incorporating privacy into the app, there is more work to do.
“The delay in considering the privacy aspects of the mobile app means that QPS cannot demonstrate how it ensured the app met the privacy principles, the legislative requirements or its own policies about privacy.”“A PIA is a living document, and it loses relevance when agencies do not keep it up to date.”
Rangihaeata was much more pleased with the Department of Education and Training’s QParents app, which incorporated “privacy by design principles”, and MyTransLink from the Department of Transport and Main Roads, which doesn’t collect personal information because it doesn’t need to.
“It is more efficient to design an information system with privacy in mind from the outset, rather than trying to add privacy protections once the system is operational,” she explains.
The information commissioner says DET also “built appropriate security measures to protect personal information” that goes through the app.
“As a result, the privacy protections in QParents support user confidence in the app and trust in government agencies.
“TMR adopted another approach, minimising the personal information its MyTransLink mobile app collects. The department has also set up a regular technical testing regime. These are effective ways to manage an agency’s privacy obligations and reduce privacy risk.”
Rangihaeata reports the education and transport apps “protect information during collection, transfer and storage” and have “security controls and testing practices, supported by strong information governance frameworks” that demonstrate adequate privacy protection.
“QPS did not test the app before deploying it and has not set up a testing regime,” on the other hand.
“Weak governance means that QPS operates the app in isolation from its strategic information governance and its information and communication technologies (ICT) management and policies. Thus, QPS is unable to demonstrate how it manages the security, access and use of personal information collected through the Policelink app.”
The police app does collect personal information but a PIA was not done before it was launched, against the agency’s policy.
“The lack of a PIA means QPS cannot demonstrate how it ensured, at the development stage, that the app met the privacy principles,” the commissioner says. “QPS was not able to identify and manage privacy risks related to the Policelink app, for example explaining the specific purpose for which it collects demographic information.”
Even though the police service belatedly conducted a PIA, she found it was still missing key information.
“For example, the PIA does not explain why noncompliance with five specific Information Privacy Principles is necessary for law enforcement activities for all or any of the personal information collected through the Policelink mobile app.
“Similarly, the PIA does not explain the technological and procedural security measures QPS is applying to protect personal information.”
Among seven recommendations, the commissioner says DET should also update its PIA, in light of expanded permissions.
“A PIA is a living document, and it loses relevance when agencies do not keep it up to date,” she points out.
“Agencies need to reassess the privacy impacts of the app regularly, for example, when they update the app or release new features, to identify vulnerabilities and manage their privacy obligations.”
All three apps inform users of what information they collect, and provide links to “generic” information like privacy legislation as well as information specific to the app. Mixing these two together can be confusing, Rangihaeata warns.
She also felt all three could have included more information about why they need permission to collect certain information like device location or activate features like the microphone and camera.
The information commissioner urges agencies to respect the fact that “Australians are becoming more discerning about privacy, and want to be able to choose the personal information they provide and its use, including in mobile apps” — pointing specifically to permissions demanded by apps as a key area of concern for users.
Apps need these permissions for helpful features, but the companies behind them can also abuse them for other purposes. As with most digital privacy issues, it is important for government agencies to acknowledge and respond to the anxieties of citizens, not simply dismiss them as though they are irrational or paranoid.
The Centrelink app, for example, needs location access for an office locator feature to work and the Department of Human Services assures users: “We do not store your whereabouts.” Likewise DHS promises not to “retrieve any details from your calendar” or log calls.
“Users who are confident that a government agency handles their personal information appropriately are more likely to maintain trust in the agency, use an agency’s app and benefit from it,” says the Qld information commissioner.
Throughout the report, the education and transport apps are repeatedly presented as examples of good practice, while the police app demonstrates a rushed project with unclear governance.
“DET and TMR have considered the technical aspects of data protection, and the information governance, strategic information management and day-to-day operation of the QParents and MyTransLink mobile apps,” Rangihaeata states.
“Both departments tested their mobile apps before deploying them. DET and TMR have rigorous, ongoing testing regimes to identify vulnerabilities and to ensure cyber-security protections are in place. This includes identifying and mitigating the risks of the app being a means of accessing or penetrating wider departmental systems.”
In contrast, the Policelink developers basically did not think about cybersecurity — “before deploying it, or progressively as it released new functions, or in anticipation of new releases” — because they thought it was someone else’s job.
“The app developers assumed that other business units within QPS were responsible for information governance. They focussed on the immediate task of achieving functionality. QPS has not advised how it is managing the security, access and use of personal information collected through the Policelink mobile app.”