I’m an iPhone app developer. I’m interested in new apps that do interesting things. I also have an interest in data privacy. So when I heard that the Conservative Party had launched an app with a canvassing feature, I thought I should try it out.
Call A Friend
Here’s how it works. Imagine that a Conservative voter – let’s call him Peter – wants to campaign on behalf of the Conservative Party. He installs their app, and taps the “Call a friend” button. He sees some brief instructions, and taps “Continue”.
Peter then sees a list of everyone in his iPhone’s address book. He decides to call a friend – let’s call him Bob – to talk about the Conservatives. Peter taps on Bob’s name in the list, and sees Bob’s contact details.
Peter taps on Bob’s phone number to call him. They have a nice chat about the Conservatives. Despite Peter’s best efforts, Bob politely indicates that he’s intending to vote for Labour in the upcoming election.
After the call, Peter re-opens the app. He sees a screen with Bob’s name, address and postcode filled in from his address book. He adds any notes from the call, and indicates Bob’s likely voting intention.
Peter then taps “Send email”. The app creates a new email to firstname.lastname@example.org. Peter sends this email to the Conservatives. Bob’s voting intention is now displayed below his name in the app’s “Call a friend” list.
The DPA applies whenever someone stores or uses your personal information (the Act calls this “processing“ your data). From what I’ve read, if the Conservative Party are storing Bob’s name, address and voting intention in an email mailbox, or using it to help with local campaigning, then this would count as processing his data, and so the Data Protection Act would apply.
The Act requires you to be open, honest and transparent about how you use someone’s personal data. The nearest the app gets is to say that “this data will be used to help with our local campaigning”. I’m not sure that qualifies as “transparent”. Will Bob be getting a letter in the post from his local Conservative candidate to try and change his mind? Will Number 1, High Street, Anytown be getting a personal visit to persuade Bob to vote Conservative?
Moreover, this text is displayed to Peter, not Bob. In fact, the Conservative Party can’t be open and honest with Bob about its intended use of his data, because they don’t ever speak to him. Nonetheless, they may be storing and processing Bob’s personal information in their mailbox. According to the DPA helpline, as recipients of the data, the Conservative Party would have a responsibility to ensure that Bob is notified as to how his data will be used.
I decided to investigate this need for notification in more detail. The Act requires you to provide a privacy notice, saying how you intend to use the information you gather. I had a good poke around in the app, but I couldn’t find a privacy notice anywhere within the app. I looked on the websites mentioned on the app’s App Store page, but neither myconservatives.com or conservatives.com had a privacy notice for the app either. I tried the “app support” link on the App Store, but this just took me to the home page of Deluxe Entertainment Services Group. I’ve no idea who they are, but their site didn’t even mention iPhone apps, let alone a privacy notice for the Conservative Party app.
I read more. In order to process someone’s personal data, you must meet at least one of several conditions. For this app, it looks as though the relevant condition is that Bob has given “consent to the processing”.
However, the app doesn’t ask Bob for his permission at all, let alone check whether he has given his consent. The app doesn’t even ask Peter if consent was given, and doesn’t provide any guidance as to how Peter should approach Bob when he calls. By the looks of it, it is entirely Peter’s choice as to whether he even mentions the fact that Bob’s data will be sent on.
So what does this all mean? Well, if my understanding of the DPA is correct:
- It’s possible that personal data is being stored or processed by the Conservative Party, without them having any contact with the person whose data is being processed
- There is no verification that the data is provided with the consent of the person that data refers to
- The app doesn’t give a clear indication of what the data will be used for
- Neither the app nor its supporting web sites contain a privacy notice describing how the data may be stored and used
I should stress that I don’t know if or how the Conservative Party are storing or processing the data from these emails (although I have contacted them to find out, and will post again when I hear back). I would be very grateful if anyone with experience of the Data Protection Act could confirm if my reading of the Act is correct.
Disclosure: I’m not a member of, or affiliated to, any political party or organisation. I’m just bothered about people’s privacy.
UPDATE: 9 April 2010, 5:49pm
The Conservative Party app’s App Store description has been updated to say the following:
When using the “Call A Friend” feature, please confirm that you have the consent of the friend or relative whose details you are passing on to us. The Conservative Party will inform your friend or relative how it obtained his or her details. Information obtained by the Conservative Party from this App will not be used for electronic mailing purposes.
This change went live within the last half an hour.
UPDATE: 9 April 2010, 6:02pm
This updated App Store description is an improvement. However, it’s still not clear how Peter should confirm that he has the consent of the friend or relative. Is he meant to put this information in the “Notes” section of each and every submission? If so, maybe the App Store description could be updated to make this clear.
Aside #1: I wonder if the app itself will be updated, so that anyone who has already downloaded the app will also get a chance to see this message?
Aside #2: The message about not using information for electronic mailing purposes is a bit superfluous, given that Bob’s email address isn’t part of the data gathered.
UPDATE: 9 April 2010, 6:10pm
Re-reading the new App Store text: while this text mentions what the information won’t be used for, it still doesn’t say what it will be used for. Would be good to know.