Privacy by Design and Best Practice Guide on Mobile App Development

Similar documents
Privacy Protection in Mobile App Development

Developing Mobile Apps with Privacy Protection in Mind

PolyU IT Security in our Daily Life. New Development in Personal Data Privacy related to Mobile App

Privacy Concern on Mobile App Development

Personal data privacy protection: what mobile apps developers and their clients should know

Guidance for Data Users on the Collection and Use of Personal Data through the Internet 1

Online Behavioural Tracking / April 2014

What's Up with Apps in Hong Kong July 2013

Best Practice Guide (SSL Implementation) for Mobile App Development 最 佳 行 事 指 引. Jointly published by. Publication version 1.

(a) the kind of data and the harm that could result if any of those things should occur;

4.10 Information Management Policy

Cloud Computing. Introduction

Personal Data (Privacy) Ordinance and Electronic Health Record Sharing System (Points to Note for Healthcare Providers and Healthcare Professionals)

Best Practices at Research Level

European Commission initiatives on e- and mhealth

Study Report on. the Privacy Policy Transparency. ( Internet Privacy Sweep ) of. Smartphone Applications

Online Privacy in the Library

Guidance on the Proper Handling of Customers Personal Data for the Banking Industry 1

The Information Commissioner s Office response to HM Treasury s Call for Evidence on Data Sharing and Open Data in Banking

CITY UNIVERSITY OF HONG KONG

Legislative Council Panel on Information Technology and Broadcasting. Information Security

HOW TO: Privacy Aware Mobile Application Development


PolyU Connect Mobile Connection. Setup Guide

CITY UNIVERSITY OF HONG KONG

Last updated: 30 May Credit Suisse Privacy Policy

The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations

The Winnipeg Foundation Privacy Policy

Biometric Template Protection & Usage

>

Synapse Privacy Policy

Guidance on the Use of Portable Storage Devices 1

Information Security Seminar 2013

GUIDELINES FOR RESPONSIBLE USE OF IDENTITY MANAGEMENT SYSTEMS

Investigation Report: HKA Holidays Limited Leaked Customers Personal Data through the Mobile Application TravelBud

BEFORE THE DEPARTMENT OF COMMERCE

Investigation Report: The Hong Kong Police Force. Leaked Internal Documents Containing Personal Data. via Foxy

Guidance on Personal Data Erasure and Anonymisation 1

Document control for sensitive company information and large complex projects.

Privacy Rights Management Using DRM Is this a good idea?

Big Data + Smart City = Weak Privacy + Weak Security?

Abilities Centre collects personal information for the following purposes:

How To Protect Your Personal Data In The United Kingdom

HKU Big Data and Privacy Workshop. Privacy Risks of Big Data Analytics From a Regulator s Point of View


1 P a g e. Lim Jun Yan, Undergraduate School of Information Systems Singapore Management University

How Does Big Data Change Your Way of Managing Information?

Data Management Session: Privacy, the Cloud and Data Breaches

Cloud Security for SME

Cloud Risk Management: How to Consolidate your CSP and Corporate Risk Profile

SAFELY ENABLING MICROSOFT OFFICE 365: THREE MUST-DO BEST PRACTICES

Guidance on Personal Data Protection in Cross-border Data Transfer 1

Protect your personal data while engaging in IT related activities

Workday Mobile Security FAQ

PRIVACY AND SECURITY POLICY

Privacy Charter. Protecting Your Privacy

H&R Block Digital Tax Preparation, Online, and Mobile Application Privacy Practices and Principles

Data Compliance. And. Your Obligations

FINAL REPORT OF FINDINGS. Investigation into the personal information handling practices of WhatsApp Inc.

Privacy Governance and Compliance Framework Accountability

Adaptive Business Management Systems Privacy Policy

Service Line Warranties of Canada PRIVACY STATEMENT

The Android Developers Guide to 3 rd -Party SDK Assessment and Security

FTP-Stream Data Sheet

Monday April 2, Docket No

Privacy, the Cloud and Data Breaches

DATA PROTECTION REQUIREMENTS FOR ATTENDANCE VERIFICATION SYSTEMS (AVSs)

The 7 Foundational Principles. Implementation and Mapping of Fair Information Practices. Ann Cavoukian, Ph.D.

We Transform IDEA into Business with Right Blend of Talent, Technology & Techniques

CITY UNIVERSITY OF HONG KONG. Information Classification and

Creating a Facebook Page for your classroom is super easy! Here s how to get started!

1.1 Personal Information is information about an identifiable individual such as your name, address, telephone number and address.

Privacy by Design The 7 Foundational Principles Implementation and Mapping of Fair Information Practices

RMS. Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles

Security in Law Firms. What you need to know and how you can use secure to win more clients

Bring Your Own Device (BYOD) & Customer Data Protection Are You Ready?

management solutions

Appendix A Current Scope of Government Public Cloud Services and Government Public Cloud Related Services

WELCOME MESSAGE IN THE NEWS. March 2016 SINGAPORE. In this issue. Formation of the Infocommunications. Development Authority of

Documents Cloud Service Simple. Secure. Everywhere.

TOY INDUSTRY CHECKLIST FOR MOBILE APPS AND PROMOTIONS

What are the compliance challenges of Microsoft Office 365?

AdvancedMD Online Privacy Statement

3. Consent for the Collection, Use or Disclosure of Personal Information

UIIPA - Security Risk Management. June 2015

ENTERPRISE MOBILE BACKEND AS A SERVICE EVALUATION CHECKLIST

PRIVACY POLICY. comply with the Australian Privacy Principles ("APPs"); ensure that we manage your personal information openly and transparently;

HomeBudget Anishu, Inc.

Legislative Council Panel on Information Technology and Broadcasting. Information Security

Code of Practice on the Identity Card Number and other Personal Identifiers Compliance Guide for Data Users

Federal Trade Commission Privacy Impact Assessment

IBM Campaign Version-independent Integration with IBM Engage Version 1 Release 3 April 8, Integration Guide IBM

Net2 Anywhere - Installation

debt collection software PRIVACY POLICY

Apple has been popularized by businesses and their employees as they continue to utilize

Data protection compliance checklist

Trust. The essential ingredient for innovation. Thomas Langkabel National Technology Officer Microsoft Germany

Transcription:

Mobile App Development Forum on Privacy and Security The Office of the Privacy Commissioner for Personal Data, Hong Kong 21 April 2016 Privacy by Design and Best Practice Guide on Mobile App Development Henry Chang, Chief Personal Data Officer Office of the Privacy Commissioner for Personal Data, Hong Kong

Privacy by Design and Best Practice Guide on Mobile App Development Basic principles of data protection Case studies on the good and the bad Best practice guide for mobile app development 1

Developing Mobile Apps with Privacy Protection in Mind Basic principles of data protection 2

Data Flow and Data Protection Principles (DPPs) Collection Personal Data Flow Storage, Use or Processing Retention/ Erasure IT System DPP 1 Collection DPP 3 Use DPP 2 Accuracy and retention DPP 4 Security DPP 5 Transparency DPP 6 Rights of access and correction 3

Privacy by Design Privacy by Design* is the philosophy of embedding privacy from the outset into the design specifications of accountable business processes, physical spaces, infrastructure and information technologies *http://privacybydesign.ca/ 4

The Essence of Privacy by Design A clever person solves problem, a wise person avoids it. Data Minimisation! 5

Privacy by Design When Applying to App Development 1. Is the access of the information necessary? a) If access is necessary, has it been explained in the collection statement/privacy policy? b) If access is necessary, is the uploading of the information necessary? c) If uploading is necessary, is the storage necessary? d) If access is necessary, is the sharing/transferal of the information necessary? 2. What other information is being collected/combined/associated? 3. What safeguards (such as validation, proper encryption and access controls) are in place to the information accessed/transmitted/shared/kept? 4. Is the retention policy reasonable and can app users opt-out of any of these collections and erase/delete collected information and accounts? 5. Do you have a set of process and procedures to fulfil the data access and correction obligation? 6

Technical Considerations (To be covered by PISA and HKCERT) Use reliable software development tools (SDKs; libraries) Understand what access third-party tools (such as those from Flurry) will have to mobile device data Use most granular/specific/least privileged calls you can Remember Confidentiality, Integrity and Accountability Be familiar with mobile-specific vulnerabilities/hacking techniques Perform code-review and software testing 7

Case studies on the good and the bad The good, the bad and the ugly 8

Examples The good 9

The Good - Transparent Available before installation (Nearly) single page and in simple language Specific to the types of data accessed Assured users what it would not do But don t copy this 10

The Good - Build Your Own Granular Controls For iphone: Why not port the logic to Android? 11

Examples and the ugly 12

Mistake or Don t Care? 13

Over-collection or Don t Care? 14

Best Practice Guide for Mobile App Development PCPD Website -> Resources Centre -> Publications -> Guidance Notes 15

Best Practice Guide for Mobile App Development: Modular and flow-chart approach 16

Best Practice Guide for Mobile App Development: Legal requirements 17

Best Practice Guide for Mobile App Development: Privacy by Design explained 18

Best Practice Guide for Mobile App Development: Best practice recommendations 19

Best Practice Guide for Mobile App Development: Checklist for self-evaluation 20

Best Practice Guide for Mobile App Development: Transparency 21

Your App Could be Here Next Year as a Good Example 22

What Next More practice sharing: PISA How to properly implement encryption? HKCERT How to manage security in mobile apps? PolyU How to do a black-box check? 23

Privacy by Design and Best Practice Guide on Mobile App Development 24

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information