The Department for Culture, Media and Sport (DCMS) and National Cyber Security Centre have collaborated to produce a voluntary code of practice for app store operators and developers.
Whilst the code focusses heavily on app store operators, it also contains obligations for app developers.
The code aims to ensure customers are protected from online threats, to reduce the threats posed by maliciously or poorly developed apps and to set out minimum security and privacy requirements for apps. So, what should developers do to comply?
- Ensure the baseline security and privacy requirements are met: Developers should not request permissions from users which are not functionally required for the app, and should ensure that the primary function of an app will operate even if a user chooses to disable its optional functions and permissions. There is a requirement to ensure the app adheres to security requirements, data protection by design and the broader requirements set out in data protection law. The developer should have processes in place to update the app and monitor for vulnerabilities, and should ensure a simple uninstall and data deletion process is available to users. Industry-standard encryption should also be used.
- Ensure information about the app’s security and privacy settings is displayed to the app user. The information to be displayed includes the purpose for which personal data is processed; where data is stored, shared and processed; when the app was last updated; information on the privacy and security measures in place; a list of stakeholders who are given access to personal data; and when and why an app is to be made unavailable. Developers will be sharing much of this information already as part of their obligations under UK GDPR, so this should not impose much of an additional burden.
- Ensure a vulnerability disclosure process is in place, i.e. a process by which a vulnerability in an app can be reported to the app developer. There is no prescriptive process, but there is an indication that apps which have a large number of users or significant security requirements should have a robust process in place.
- Update apps straight away when vulnerabilities are discovered.
- Ensure appropriate steps are taken (in accordance with data protection law) when a data breach arises. The code promotes information sharing between app store operators, developers and third-party developers on the basis that a data breach may affect more than one party and requires operators and developers to provide users with information on how to protect themselves if their data is involved in a breach.
- Consider getting compliant with the code and publicising the fact! This is being encouraged by DCMS, who will work with developers to check on compliance. As many of the requirements are already existing obligations under data protection law, compliance with the code could be a good way to make your organisation stand out as one that is privacy focussed!
Find the full text of the code here.