2. Data and Privacy Standards
Initially, the standards identify the relevant privacy policy for the app, which should be available to users through the application itself and/or the Apple App Store or Google Play Store. The more transparent the privacy policy, the better. In general, it must clearly state that user data will not be used or shared with other parties except as described in the privacy policy or with the express consent of the user. Ideally, it will identify
- what data is collected from the user and how
- whether the user is informed of the developer’s intentions for processing and sharing their data
- whether the user’s consent is obtained.
The privacy policy should accurately reflect the data usage of the application. Additionally, it should inform users of the developer’s intent to use their data for marketing purposes. If user data is shared for any other purposes than basic use of the app or legal obligations, then the review considers whether the user is able to opt out of these activities.
The data and privacy criteria are listed throughout this section.
| ID | Criteria | Criteria Origin |
|---|---|---|
| 2a — Q1 | Is there a privacy policy available via the web app/website? (only relevant for web apps) | ORCHA |
| 2a — Q2 | Is there a privacy summary published anywhere by the developer? (only relevant to mobile apps) | ORCHA |
| 2a — Q3 | Is the privacy policy made immediately available when the user first opens the app? | ORCHA |
| 2a — Q4 | Is the privacy policy made available when the user is signing up to the service? | ORCHA |
| 2a — Q5 | Is the privacy policy published within the app? | ORCHA |
| 2a — Q6 | Is the privacy policy available externally via the app, or via a linked website? | ORCHA |
| 2a — Q7 | Is the privacy policy available via the relevant application store? | ORCHA |
| 2a — Q8 | Is the privacy policy placed in another prominent location that is easily accessible? | US DHAF |
| 2a — Q9 | Where can the privacy policy be accessed? Guidance: Look for a link to the privacy policy. If one does not exist, does the developer describe how users can obtain the policy, whether through the app or upon request? | MHCC |
| 2a — Q10 | Does the privacy policy state what data the developer collects? | ORCHA |
| 2a — Q11 | Is the privacy policy accurate with regard to the data the developer intends to collect? | ORCHA |
| 2a — Q12 | Does the application explicitly state that data collected by the application is stored locally unless the user manually exports the data? | ORCHA |
| 2a — Q13 | How does the developer obtain consent for the processing of user data? | ORCHA |
| 2a — Q14 | Does the privacy policy provide the name and contact details of the privacy officer or a similar individual representative for the company? | ORCHA |
| 2a — Q15 | Provide the details of the representative who was identified in 2a-Q14. | ORCHA |
Once the kinds of data collected by the app are established, the standards look at how that data is used and shared and whether this is communicated to the user. The privacy policy should state all intended uses and legal bases for processing user data, such as legal obligation, research, or marketing. Users should also be given the option to withdraw consent for the use of their data, particularly for marketing.
| ID | Criteria | Criteria Origin |
|---|---|---|
| 2b — Q1 | Does the developer fully inform the user of how they will collect data about them? | ORCHA |
| 2b — Q2 | Does the developer provide users with details on all the purposes of processing user data? | ORCHA |
| 2b — Q3 | What is automatically shared data used for? | ORCHA |
| 2b — Q4 | Does the developer appear to intend to share or process the user data collected by the application for any purposes that have not been made clear to the user, or for any purposes they deem necessary? | ORCHA |
| 2b — Q5 | Does the developer inform users that they would like to use their data for the purpose of marketing? | ORCHA |
| 2b — Q6 | Does the developer obtain informed consent separately for the purpose of marketing? | ORCHA |
| 2b — Q7 | Is the user informed of how they can opt out of each processing activity? | ORCHA |
| 2b — Q8 | If the user cannot opt out of all processing activities, does the developer clearly explain which activities they cannot opt out of and why? | ORCHA |
| 2b — Q9 | Is the user informed that their data will not be shared with other parties, except for the purposes that have been set out in the privacy policy? | ORCHA |
The parts of the privacy policy that relate to data storage and data transfer should inform the user where their data is stored, how it is protected at rest, and how it is protected in transit between the user’s device and the host storage. The standards look for specific, named protections rather than generic assurances, such as industry-recognized encryption for data at rest and in transit, or network controls such as firewalls.
| ID | Criteria | Criteria Origin |
|---|---|---|
| 2c — Q1 | Does the data privacy policy or equivalent provide detail about where the data collected by the application will be stored (i.e., on the application or in an external data warehouse, cloud server, etc.)? | ORCHA |
| 2c — Q2 | Where is the data stored? | ORCHA |
| 2c — Q3 | Is the data stored in Canada? Guidance: This is an information provision criterion. That means this information can be displayed to end-users, so they can decide whether they would like to download an app that does not store their data in Canada. | MHCC |
| 2c — Q4 | Does the data privacy policy, or equivalent, state whether personal data is stored using industry-recognized secure data storage technologies? | ORCHA |
| 2c — Q5 | Is all personally identifiable data encrypted in transit between the device and any external host storage using industry-recognized methods? | ORCHA |
| 2c — Q6 | Is the user informed that online video consultations use secure industry standard encryption methods? | ORCHA |
The standards will award additional points if an application developer is compliant with a recognized international information security or data management standard such as ISO/IEC 27001. The privacy policy should inform users of the data retention period and the method used for data destruction. The standards also identify whether the developer has a policy in place for dealing with data security breaches, and whether access to personal health information (PHI) is recorded in an audit trail.
| ID | Criteria | Criteria Origin |
|---|---|---|
| 2d — Q1 | Does the policy state its compliance with recognized data management standards? | US DHAF |
| 2d — Q2 | Does the policy contain details of the length of time data is retained? | ORCHA |
| 2d — Q3 | Is there a statement containing details of a method for data destruction? | ORCHA |
| 2d — Q4 | Is there a statement that sets out a process for managing data confidentiality breaches? Guidance: The developer’s privacy policy must provide details on the actions users should take and who they should contact in the event of a breach. | ORCHA |
| 2d — Q5 | Is there a statement that sets out the developer’s processes/procedures for keeping an audit trail of access to PHI? | US DHAF |
This area focuses on the General Data Protection Regulation (GDPR), which came into force in May 2018 (in the U.K., the Data Protection Act 2018 replaced the Data Protection Act 1998 to give it effect). The standards are concerned that all apps, particularly those developed in the U.K. and the EU, are fully compliant with the GDPR. This means providing a clear and explicit statement of compliance and confirming that users are entitled to the seven data subject rights it sets out. This framework addresses the eighth right, the right to be informed, in the questions under Data and Privacy Standards.
The developer should also inform the user about how they can exercise these rights and commit to responding within two months or less. Under the GDPR, the policy should outline the legal basis for the collection of user data and ensure that only the minimum data needed is collected from the user.
Similar and additional requirements and user rights exist under PIPEDA and have been incorporated to adapt this section specifically to the MHCC’s application standards.
All criteria relating to this section will only be asked for apps that collect and process personal and/or sensitive data and are therefore subject to PIPEDA or other provincial and territorial privacy laws deemed substantially similar to PIPEDA.
| ID | Criteria | Criteria Origin |
|---|---|---|
| 2e — Q1 | Is there a statement that confirms the application’s compliance with federal and/or provincial laws and regulations in the region in which it is being applied? | MHCC |
| 2e — Q2 | Is the user informed of the legal basis for which data is collected from them? | ORCHA |
| 2e — Q3 | What is the legal basis? | MHCC |
| 2e — Q4 | Is the user informed that the developer will only collect the minimum data items that are necessary to provide their services, therefore ensuring that data minimization principles are met? | ORCHA |
| 2e — Q5 | Does the policy describe the processes the developer has in place to ensure that information is correct, complete, and current? | MHCC |
| 2e — Q6 | Is all user data processed in Canada? | MHCC |
| 2e — Q7 | Are users informed of international transfers? | MHCC |
| 2e — Q8 | Are users informed that while their data is being processed in another jurisdiction it may be accessed by courts, law enforcement, and national security authorities of that jurisdiction? | MHCC |
| 2e — Q9 | Is there a statement that the policy will be updated should the purpose of data collection change? This may mean reobtaining consent (if consent was the lawful basis). | ORCHA |
| 2e — Q10 | Are users informed of their rights with regard to their data? | ORCHA |
| 2e — Q11 | Has the developer made clear the existence of the data subject’s right to request that their personal data be deleted? | ORCHA |
| 2e — Q12 | Has the developer made clear the existence of the data subject’s right to access their personal data? | ORCHA |
| 2e — Q13 | Has the developer made clear the existence of the data subject’s right to inspect their personal data? | US DHAF |
| 2e — Q14 | Is the user informed of their right to know how their PHI is used and/or shared? | US DHAF |
| 2e — Q15 | Has the developer made clear the existence of the data subject’s right to rectify their personal data? | ORCHA |
| 2e — Q16 | Has the developer made clear the existence of the data subject’s right to restrict the use of their personal data? | ORCHA |
| 2e — Q17 | Has the developer made clear the existence of the data subject’s right to object to the processing of their personal data? | ORCHA |
| 2e — Q18 | Has the developer made clear the existence of the data subject’s right to portability of their personal data? | ORCHA |
| 2e — Q19 | Has the developer made clear the existence of the data subject’s right to withdraw consent for the use of their personal data? | ORCHA |
| 2e — Q20 | Has the developer informed the data subjects that they may exercise their rights under applicable laws and regulations? | US DHAF / MHCC |
| 2e — Q21 | Has the developer provided the user with information regarding the process for exercising said rights? | MHCC |
| 2e — Q22 | Has the developer made clear the existence of the user’s right to request that they are not subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significant effects on them? | ORCHA |
| 2e — Q23 | Is the user informed of their right to challenge the organization’s compliance with the fair information principles of PIPEDA? | MHCC |
| 2e — Q24 | Does the developer provide details through which the user can contact them to exercise their rights? | ORCHA |
| 2e — Q25 | Is the user informed of the time frame in which the developer will respond to any requests to exercise their rights? | ORCHA |
| 2e — Q26 | Is the user informed of any charges that might be incurred with regard to exercising their right to access their personally identifiable information (PII)? | US DHAF |
| 2e — Q27 | Is the user informed of their right to have an access denial reviewed? | US DHAF |
This subsection first covers the use of cookies: whether users are told about cookies when they first land on the site or app, whether consent is obtained for cookies that are not strictly necessary, and whether the user’s preferences are saved and can be changed. It then concerns children’s data use (if applicable), and whether a user can report knowledge of a child accessing the app without parental consent. The Office of the Privacy Commissioner of Canada refers to persons under 13 as children, those aged 13 to 18 as youth, and those 19 or older as adults. Because youth are considered old enough to make their own decisions about their data, the additional criteria surrounding the processing of children’s data only apply to those under 13. The transparency of the privacy policy should extend to informing the user that any links to third-party websites or apps are not covered by the developer’s privacy policy, and that users should make themselves aware of such third-party policies. In addition, the privacy policy should contain contact details that enable the user to make further enquiries regarding their data. Finally, the standards explore whether the application gives the user an additional, optional layer of security to protect their data, such as an app-level passcode that is required even after the device itself has been unlocked, and whether any dark patterns are used.
| ID | Criteria | Criteria Origin |
|---|---|---|
| 2f — Q1 | Are users clearly informed of the use of cookies when first landing on the developer’s site/app? | ORCHA |
| 2f — Q2 | Are users required to confirm their acceptance of the developer’s use of cookies when initially informed of their use? | ORCHA |
| 2f — Q3 | Does the developer address their use of cookies and collected data in their privacy policy or a separate cookie policy? | US DHAF |
| 2f — Q4 | Are users made aware of the use of strictly necessary cookies? | ORCHA |
| 2f — Q5 | Is user consent obtained for the use of non-strictly necessary cookies? | ORCHA |
| 2f — Q6 | Does the app save the user’s cookie preferences? | MHCC |
| 2f — Q7 | Are users informed of how they can easily opt out of the use of cookies? | ORCHA |
| 2f — Q8 | Is the product aimed at children or likely to be used by children? | MHCC |
| 2f — Q9 | Is the application particularly likely to be used by children, even if they are not the primary market for the product? | ORCHA |
| 2f — Q10 | If the product is to be used by children, what age group is the product targeted at? | MHCC |
| 2f — Q11 | Are users informed of how they can report to the developer any knowledge of a child accessing the application and providing personal data without parental consent? | ORCHA |
| 2f — Q12 | Has a process been designed and put in place that allows children to easily access, understand, and exercise their own data protection rights? | ORCHA |
| 2f — Q13 | Where the legal basis for processing data was consent at the time the individual was a child, are requests for the erasure of data complied with whenever possible? | ORCHA |
| 2f — Q14 | Have children been consulted when designing this processing practice? | ORCHA |
| 2f — Q15 | Has the privacy policy been written in plain, age-appropriate language? | MHCC |
| 2f — Q16 | Is consent sought from a responsible parent/guardian? | ORCHA |
| 2f — Q17 | Does the policy specify that the developer will re-obtain parental consent should the information collected materially change, the purpose for which the information is processed change, or the information be offered to new/different third parties? | US DHAF |
| 2f — Q18 | Does the developer ensure that parents are able to consent separately to the developer’s own internal use of the child’s personal information, without having to consent to the disclosure of personal information to third parties? | US DHAF |
| 2f — Q19 | Are parents given the option to review the personal information collected from their children? | US DHAF |
| 2f — Q20 | Does the developer have a process for verifying the identity of the requester before responding to a request? | US DHAF |
| 2f — Q21 | Are parents given the option to revoke consent for the collection and processing of their children’s personal information? | US DHAF |
| 2f — Q22 | Are parents given the option to request that the information collected from their children be deleted? | US DHAF |
| 2f — Q23 | Does the developer ensure that they do not seek parental/guardian consent when providing online preventive or counselling services to children? | ORCHA |
| 2f — Q24 | Are there two separate versions of the privacy policy, one aimed at the child and the other at the responsible parent/guardian? | ORCHA |
| 2f — Q25 | When marketing the product outside of their country of residence, has the developer taken into consideration other jurisdictional laws regarding children’s privacy (e.g., age restrictions)? | ORCHA |
| 2f — Q26 | Does the policy specify the types of personal data that will be collected from children? | US DHAF |
| 2f — Q27 | Does the policy specify how the developer will use the personal data collected from children? | US DHAF |
| 2f — Q28 | Does the policy specify whether such personal data will be shared with advertisers or other third parties? | US DHAF |
| 2f — Q29 | Is the user made aware that by following links to third-party websites, the developer’s policies no longer apply, and that the user should make themselves aware of the third party’s policies? | ORCHA |
| 2f — Q30 | Is the user informed of how they can make further inquiries about the company’s privacy policy? | ORCHA |
| 2f — Q31 | Does the application allow the user to set their preferences for sharing the application data with or from other apps (e.g., Facebook/Instagram/Fitbit)? | ORCHA |
| 2f — Q32 | Is there functionality within the application that allows the user to set their preferences for sharing application data with other users (e.g., clinicians, carers, family, friends)? | ORCHA |
| 2f — Q33 | Is it strictly necessary for anyone to easily access the personal information that persists on the device (e.g., to access health information during an emergency)? | ORCHA |
| 2f — Q34 | Are users provided with options to introduce additional security measures to protect their data in the app (e.g., setting an additional passcode for access to the app that is required after the device has been unlocked)? | ORCHA |
| 2f — Q35 | Does the application use a sign-up/sign-in verification/authentication model? | ORCHA |
| 2f — Q36 | What type of model is being used? (Please describe.) | ORCHA |
| 2f — Q37 | Do any of the following types of dark pattern appear in the app? (Please select those that appear.) | MHCC |