A fine of two hundred thousand euros that the Norwegian Privacy Authority, the DPA, has imposed on a local reality, for having developed an app, regardless of the paradigms to protect the privacy and security of users, has acted as a “flywheel”, to establish a series of requirements by design, appropriately made known to European developers.
The background is an application, made available by the school authority of Oslo, to report the absences of students by their parents: this communication had to be placed in a white field, which according to the DPA, could have started improper communications, on children’s diseases, in violation of the principles enshrined in art.9 of the GDPR, on “Treatment of special categories of personal data“.
This choice, on the part of the school organization, to leave a blank space, clearly contravenes the commitment of a privacy by design, unique able to defend the privacy of each user. As you can easily imagine, leaving such strategic decisions to the free will and common sense of users, can trigger major problems.
Too often, the Authority, in charge of privacy governance, put in hand guidelines that clarify the limits and perimeters not to be exceeded in the development of new applications, following the “Warsaw Declaration on the “appification” of society” of September 24, 2013, where it was clarified: «the data protection and privacy commissioners discussed the “appification” of society, the challenges posed by the increased use of mobile apps, as well as possible ways to address these».
And with a warning, addressed precisely to those who are responsible for developing the strategy and the mode of communication of the various applications, it was specified that: «Developers need to make a clear decision on what information is necessary for the performance of the app and ensure no additional personal data is collected without informed user consent… Developers at all times need to be aware what they offer to and request from their users».
DPA has therefore also prepared a clear set of rules on how to develop any apps, and what mistakes to avoid in conceiving them.
We start from direct experience, deciding to a) avoid free format fields, opting for pop-up menus, or drop-down lists or other paths that do not give the user freedom to enter, which follows to b) signal, through alerts and warnings, not to enter free phrases, and find solutions to immediately detect unexpected and sensitive data sets, and then delete them.
It goes without saying that, in addition to the semantic rules, it will be necessary to carry out controls, both internal and external, aimed also at the staff who are in charge of collecting and processing this type of data, designing systems capable of detecting unauthorized and fraudulent access (which did not happen in this case, where the data of about 63,000 students were stolen).
In the equally important area of cyber – security, DPA advises to:
- Implement multi-factor authentication (MFA), making it mandatory, either optional or risk-based, i.e. related to the risk threshold reached.
- Protect apps with firewall systems and use standards such as OWASP (Open Web Application Security Project).
- Accompany the user in the use, reporting, by email, every key step made, such as a change of password or payment method.
- Implement the preliminary security tests, before the application goes on sale.
What do you mean by preliminary security tests? The Norwegian Authority has deepened also this aspect, suggesting to carry out static and dynamic analysis on the elaboration and execution of the code, as well as tests able to identify logical errors, which are considered as possible gaps for cyber-criminal actions through further penetration tests.
It is necessary to reiterate the final sentence of the Warsaw Declaration that says: «Although the primary responsibility for user privacy lies with the app industry, privacy and data protection commissioners can and should raise awareness of these issues amongst the actors of the app industry as well as with app users, the general public».