With the rising popularity of smartphones, the use of mobile apps has grown with it. Singapore reports the highest smartphone penetration in the world at 85%, and one in three consumers download an app to their smartphone to access various services.
Using an app is convenient, but have you wondered why some apps ask for personal details (such as your location or card details) before you can even use them? Do these apps really need such sensitive information to provide their service? You probably cannot tell, because most app owners do not state why they collect a given piece of data. And there lies the loophole.
In a joint study by local data protection software makers Appknox and Straits Interactive, 90% of mobile apps in Singapore were found not to adequately declare what consumer data is collected or how it is used, potentially falling foul of Singapore's Personal Data Protection Act (PDPA).
For example, a calendar app was found to ask for access to users' location and photos, which looks like excessive data collection. In other cases, apps from real estate agents and financial advisers seek access to location, online identities, and even the microphone and camera. Most of them do not explain how the data will be used. More than half of the apps studied request an excessive amount of sensitive information, much of which is not relevant to the app's function at all.
What does Singapore’s PDPA state & what’s in it for businesses & end users?
The PDPA, which came fully into force in July 2014, requires organisations to tell consumers what data is collected and what it is used for.
In the Act's terms, organisations must inform individuals of the purposes for the collection, use and disclosure of their personal data on or before collection.
Mobile apps collect information from users under layers of policy text that never properly explain the objective of the data being collected, and data that should not have been collected in the first place is still exposed if the app or its backend is breached. The revised PDPA therefore requires companies to collect, use or disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances, which limits how much sensitive data is at risk.
The revised PDPA also aims to establish transparent communication between businesses and users, so that users can make an informed decision before they download an app.
How can businesses comply with Singapore’s PDPA?
The Personal Data Protection Commission, which enforces the Act, has urged mobile app developers to review their policies to comply with the law. "Organisations should only collect, use or disclose personal data for reasonable purposes," a commission spokesman said.
Let's look at what a business needs to do to comply with the PDPA:
Designate a Data Protection Officer (DPO)
Map the organisation's personal data inventory and implement a personal data protection policy
Communicate the personal data protection policies to employees
Make data protection part of business-as-usual operations
Establish a regular compliance programme to verify adherence to PDPA requirements: businesses can use third-party mobile security tools such as Appknox to check for PDPA compliance and other security issues.
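One concrete form such a compliance check can take is a permission-versus-purpose audit: compare the permissions an app declares against the purposes documented in the organisation's data inventory, and flag any sensitive permission that has no documented purpose (the calendar app requesting location and photos is exactly this kind of finding). The script below is an added example written for this article, not code from Appknox, Straits Interactive or the PDPC. It parses a constructed AndroidManifest.xml for a hypothetical calendar app, checks it against a hypothetical purpose inventory, and also produces the just-in-time rationale text that should be shown when each documented permission is requested.

```python
"""Audit declared Android permissions against a documented data-purpose inventory.

Added example for this article; the manifest, the purpose inventory and the
permission-to-data-type table are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that gate personal data (a subset of Android's runtime
# permissions), mapped to the kind of data they expose.
SENSITIVE_PERMISSIONS: Dict[str, str] = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_EXTERNAL_STORAGE": "photos and files",
    "android.permission.READ_MEDIA_IMAGES": "photos",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar entries",
    "android.permission.WRITE_CALENDAR": "calendar entries",
}

# Constructed manifest for a hypothetical calendar app: it needs calendar
# access, but also declares location and storage with no stated purpose.
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="example.calendar">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CALENDAR" />
    <uses-permission android:name="android.permission.WRITE_CALENDAR" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
</manifest>
"""

# Constructed purpose inventory: the only purposes the organisation has
# documented and will show to the user. Anything missing here is a finding.
SAMPLE_PURPOSES: Dict[str, str] = {
    "android.permission.READ_CALENDAR": "display your existing events",
    "android.permission.WRITE_CALENDAR": "save events you create in the app",
}


def declared_permissions(manifest_xml: str) -> List[str]:
    """Return every permission name declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name", "") for el in root.iter("uses-permission")]


def audit(manifest_xml: str, purposes: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Split sensitive permissions into documented and undocumented ones.

    Returns {"documented": [(perm, purpose)], "undocumented": [(perm, data_type)]}.
    Non-sensitive permissions (e.g. INTERNET) are ignored.
    """
    result: Dict[str, List[Tuple[str, str]]] = {"documented": [], "undocumented": []}
    for perm in declared_permissions(manifest_xml):
        if perm not in SENSITIVE_PERMISSIONS:
            continue
        if perm in purposes:
            result["documented"].append((perm, purposes[perm]))
        else:
            result["undocumented"].append((perm, SENSITIVE_PERMISSIONS[perm]))
    return result


def rationale(perm: str, purposes: Dict[str, str]) -> str:
    """Text to show just before requesting a permission, per the notification obligation.

    Raises KeyError so a request for an undocumented permission fails in
    testing rather than shipping without an explanation.
    """
    return f"We need access to your {SENSITIVE_PERMISSIONS[perm]} to {purposes[perm]}."


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, SAMPLE_PURPOSES)
    for perm, data_type in report["undocumented"]:
        print(f"FINDING: {perm} exposes {data_type} but has no documented purpose")
    for perm, _ in report["documented"]:
        print(f"OK: {perm}: {rationale(perm, SAMPLE_PURPOSES)}")
```

Run against the sample, the audit reports two findings (location and storage) and two documented permissions with their rationale text. In practice the purpose inventory would come from the DPO's data inventory (the step above), and the audit would run in CI so that a developer cannot add a sensitive permission without also adding the purpose that will be shown to the user.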
Besides the measures above, app developers in general can follow these best practices to comply with Singapore's PDPA:
Build user trust by giving clear, easy-to-read and timely explanations of exactly what information will be collected and how it will be used, for each permission requested.
Tailor privacy communications to the small screen, using pop-ups, layered information and just-in-time notifications at the moment a permission is needed.
Link to the privacy policies of any advertising partners, and give users the option to opt out of "help us with analytics" features, which collect usage data to improve the app's performance.