A full-scale investigation into the personal data practices of major female health apps – including those that monitor periods and fertility cycles – has given the sector the all-clear after finding no evidence of serious compliance issues or of harm to users.
The Information Commissioner’s Office launched the probe last September, following a poll it commissioned that showed a third of women use apps to track periods or fertility and more than half have concerns over data security.
The poll also found that transparency over how data is used (59%) and how securely it is held (57%) were bigger concerns than cost (55%) and ease of use (55%) when it came to choosing an app.
The review saw the ICO contact app providers to find out more about their privacy practices, as well as engaging with app users to understand their experiences.
Despite finding no serious issues, the ICO is calling on all app developers to remember the importance of protecting users’ personal information, especially where sensitive information such as health data is involved.
ICO deputy commissioner of regulatory policy Emily Keaney said: “Signing up to an app often involves handing over large amounts of personal information, especially with apps that support our health and wellbeing. Users deserve peace of mind that their data is secure, and they are only expected to share information that is necessary.”
The regulator has shared four practical tips to help app developers comply with their data protection obligations and maintain the privacy of their users.
– Developers need to ensure their apps are transparent about how they use people’s personal information. They must tell people, at a minimum: the purposes for processing their personal data, the retention periods for that personal data, and who it will be shared with. This information must be concise, clear and easily accessible.
– Genuine consent means offering people a real choice. App developers must ensure they have the right consent to use people’s personal information. Data protection law sets a high standard for consent, which must be explicit, unambiguous and involve a clear action to opt-in. They must not use pre-ticked boxes or any default method for consent. They must also make it easy for people to withdraw their consent at any time.
– Data protection law requires that firms have a valid lawful basis in order to process personal data, such as consent, contract or legitimate interests. When deciding on the lawful basis, firms need to consider the purposes and context of their processing to determine which lawful basis (or bases) is most appropriate. They must not adopt a one-size-fits-all approach. Note that health data, including period and fertility records, is special category data under the UK GDPR, so a lawful basis alone is not enough: firms must also meet one of the additional conditions for processing special category data, such as explicit consent.
– Those developing apps must be accountable for the personal information they hold. If they are determining the purpose and means of processing data, they are the data controller. The data controller is responsible for complying with data protection law and must take appropriate measures to ensure any processing of data is lawful.
The ICO said it will also be sharing advice to app users in the coming weeks, outlining steps they can take to further protect their privacy.
Keaney concluded: “When we announced we were looking into period and fertility apps, we received a helpful response from users who were able to share their experiences with us. We want to reassure them that we haven’t found any evidence these apps are using their data in a way that could cause them harm.
“However, our review has highlighted there are improvements app developers could make to ensure they are meeting all their obligations to be transparent with their users and keep their data safe.”