So, you've built a COVID-19 contact tracing app. Or maybe you've built a pandemic tracking website with self-reported infections and locations. Now what? How do you protect all this sensitive data?
Whether you are an app developer or a data custodian, you must comply with data security and privacy laws that are applicable to you, your organization, your apps, and most importantly, the data that is stored on or handled by your app.
If you are an end user, you should be aware of your rights under the laws applicable to your region. You should also educate yourself so that your can make informed choices about which technologies and services adequately safeguard your data and your privacy.
The good news is: there are a wide range of security frameworks and technical security guides to help you make your app compliant with the law. But with such a dizzying array of laws and policies, how do you know which ones apply to you?
Here are some basic questions that can help you orient yourself:
Who are you?
- What is your role in your organization?
- If you are a developer, you need to secure your app. Check our Developer Workflows for guides on secure coding practices and mobile app security checklists. You can also create an account for your app and work through the compliance checklists for regional privacy laws at our developer portal.
- If your role is IT security, check our workflows on Platform Security and Network Security. You can find a list of external security resources in our Technical Guidance section.
- If you are responsible for the security governance, some privacy laws and security frameworks recommend that your organization implement security and privacy policies. COBIT, NIST and ISO are frameworks that can provide structure to your security governance program.
- If you are the privacy officer of your organization, you must ensure that your organization's employees are trained to provide protection for consumer privacy rights. Your organization must also implement documented privacy policies and procedures to comply with your legal responsibilities.
- What country are you operating in? There are likely data protection and privacy laws that apply to your country and region. Check our Regional Guidance section for laws that apply to you and your app.
What data do you have?
- What data are you collecting and handling?
- Is it personal information? Different privacy and data protections laws have varying definitions for what is included under "personal information". For example, the California Consumer Privacy Act defines 11 types of personal information.
- Is it electronic personal health information (ePHI)? HIPAA defines 18 identifiers for an individual that must be protected when combined with that individual's health care information in the United States.
- Who does the data belong to? Where do they reside? There may be regional laws that apply to personal data of residents of that region, no matter where your business is located. Check our Regional Guidance section for laws that apply to you and your app.
- Are you collecting more data than necessary? Some privacy laws, such as the California Consumer Privacy Act, stipulate that you must disclose to your end users the categories of personal information that is collected and the purposes for which it will be used.
What are you doing with the data?
- Is the data transferred between different countries? The OECD has guidelines to help you understand how to protect transborder transfers of data.
- Do you use any third parties to store or process your end users' data? You may have legal responsibilities that govern how you and these third parties protect the dats. For example:
Are you able to comply with consumer rights?
- Are you able to tell end users what data you have about them?
- Are you able to delete end users' data upon request?
- Can your end users opt out of sale of personal information to third parties?
- Does your organization have a process for handling end user requests about their data?
Now that you've identified the laws that may apply to you, you must implement security controls to comply with those laws.
Where is your sensitive data?
- What are the locations where your data is stored? (On-device, cloud storage etc.)
- Where is your data transmitted? (Networks, paths, devices)
- Is your data encrypted?
Is your app secure?
- Do you follow secure coding practices?
- Have you tested your app security?
Who has access?
- Do you control access to your data, app and other parts of your IT infrastructure?
- Do you restrict access to authorized persons only?
- Do you have good identity management controls?
- Do you keep access logs of who has accessed sensitive data, your app codebase, and your IT infrastructure?