7 steps to building privacy into a health app
With some 40,000 mHealth apps already available across various platforms, and the market set to skyrocket – pegged to grow 25 percent annually over the next five years, according to a study earlier this month from Kalorama – such practices will only grow in importance when it comes to protecting personal health information.
In an effort to provide application developers with the tools and resources needed to implement trustworthy data practices, including privacy policies, FPF and the Center for Democracy & Technology (CDT) released a publication titled "Best Practices for Mobile Application Developers."
"Developers have access to tremendous amounts of very sensitive data about their customers," said Justin Brookman, CDT's director of consumer privacy. "We're offering these Best Practices guidelines to help well-meaning developers preserve user privacy without stifling the innovation and convenience offered by new platforms."
The report is generally-focused, but does touch on the special challenges faced by health-related apps and the data they traffic in – most importantly the importance of HIPAA compliance.
As part of its best practices guide, FPF and CDT list seven "Basic Steps Towards Building Privacy into your App":
- Practice Privacy By Design. Be proactive. Ask important questions and embed privacy measures throughout the lifecycle of your product or service.
- Use Enhanced Notice. Don’t surprise users – have respect for context. Use enhanced notice in situations where users might not expect certain data to be collected.
- Provide Users with Choices & Controls. Empower users. Allow them to choose and control the way their data is collected and used.
- Secure Your Users’ Data! Always use appropriate and up-to-date security measures to protect user data.
- Ensure Accountability. Make sure someone is in charge! Designate a privacy guru, or make sure to explicitly assume the responsibility yourself.
The study suggests developers should know the privacy rules and requirements for the various app platforms, whether Apple iOS, Android or Facebook. Also, they should "give users choice and control around the unexpected collection, storage or transfer of personal information where feasible. If you are collecting or using data outside the scope of what users would reasonably expect, you should at the very least make sure your users can opt-out of such uses of their data."
- Twelve out of the 50 apps surveyed on the iOS App Store platform requested precise location information and 10 of those 12 had privacy policies. 14 out of the 50 apps surveyed on the Google Play platform requested precise location information and 10 of the 14 had privacy policies.
"Mobile apps are at the forefront of current consumer privacy concerns," write the authors of the best practices report. "High profile media attention and a series of class action lawsuits have prompted close scrutiny of app developer data practices from federal and state regulators. As a result, the U.S. the Federal Trade Commission (FTC) is actively enforcing consumer privacy rights against application developers that surreptitiously access or misuse user data.
[See also: VA aims to revvolutionzie rural care with SCAN-ECHO.]
The good news, said Jules Polonetsky, director and co-chair of the Future of Privacy Forum, "app developers are starting to get the message that access to consumer data is a privilege not a right."