Read on Twitter
Oooh 👀 
whoah! OMG. You’d think the Digital Minister and one responsible for data protection package would get privacy right.
1/ Hold me twitter. Here goes. (1) no Privacy Policy on the App landing page which doesn't meet Apples guidelines (2) The app is promoted as the 'Official App for Matt Hancock' but the 'seller' is Disciple Media Ltd (3) Individuals must tick to 'accept' a Privacy Policy and ToS
2/ Buried in the Privacy Policy only available AFTER install, is a statement that by accepting the PP individuals CONSENT to sharing their personal information with third parties for them to contact you directly about marketing, competitions and offers + consent to aggregating
3/ aggregating and anonymising "your data' and providing it on an 'anonymous' basis to third parties 🤔 So, not only do we gave questions of fair and lawful processing under the DPA 98, but also, non-compliance with Regulation 22 of PECRs.
4/ According to the Privacy Policy ‘US’ ‘We’ = Disciple Media Limited. Section 1 states “For the purposes of the Data Protection Act 1998 (the 'Act''), we are the data controller and we will only use the information that we collect about you lawfully (in accordance with the Act)
6/ The app also does not appear to meet the ICO's ‘Privacy in Mobile Apps Guidance' 🤔
This is just a quick review of key issues. I have not even addressed the GDPR yet. But, it is troubling that a Minister responsible for introducing data protection law can get things so wrong
This is just a quick review of key issues. I have not even addressed the GDPR yet. But, it is troubling that a Minister responsible for introducing data protection law can get things so wrong
7/ Disciple Media Limited also does not have a privacy policy on its website disciplemedia.com
8/ So, while Matt Hancock is registered with the @ICOnews Disciple Media Limited is not showing a current registration. Matt Hancock and Disciple Media appear to be joint data controllers. 🤔 Oh, and the app sues analytics from mix panel - ok, more digging to do 
9/ the app also uses Appsflyer. Accessing the privacy policy for AppsFlyer means being exposed to 53 tracking data points and 9 ads .. oh this just gets better. #appfail #hancockgate 
10/ at least on Android a Privacy Policy is presented on the app landing page 
This is for iOS
11/ so, what information will Matt Hancock receive and what will Disciple Media receive and for what purposes (each) And who are these third parties and where is opt-in consent to eMarketing as required by PECRs ? #appfail
12/ lest we forget. As an MP, Matt Hancock is also subjecr to Parliamentary guidance on data protection parliament.uk/documents/foi/… <I’m thinking we could create an episode for Yes Minister!
Dear @ICOnews Could I ask if you have an entry on your register of data controllers for Disciple Media Ltd who is a data controller for the @MattHancock mobile app? If you do not, but have received an application to register, what was the date of the application. Thx
13/ The MP and Secretary of State responsible for data protection is also promoting access to his app via a URL shortened that doesn’t have a privacy policy
so much that is wrong. This thread will grow as I look more closely because this isn’t a close 👀
External Tweet loading...
If nothing shows, it may have been deleted
by @matthancock view original on Twitter
A privacy policy is made available on Android but consent *cough* remains BURIED
14/ lest we also forget @ICOnews guidance online and apps “The code covers topics including online marketing, operating internationally, and applying individuals’ rights in an online environment. It applies equally to the public and private sectors”
15/ lest we forget that in December 2013 the UK @ICOnews was blogging on "why app developers must respect privacy". iconewsblog.org.uk/2013/12/19/ico… So will we see the @ICOnews take action in this case which breaches the DPA, PECRs and the ICO's own 'Privacy in Mobile Apps Guidance'??
16/ and a reminder of the recent GPEN sweep that the ICO also took part in, the found "website privacy notices are too vague and generally inadequate" So will the @ICOnews act? ico.org.uk/about-the-ico/…
17/ I asked IRIS at the House of Commons (Information Rights & Information Security Service) if their Guidance for members on data protection applied to a member's apps. It's up to members how much of the guidance that follow. Nor can IRIS mandate what MPs do w/data. Oh hum
18/ You can Access the app without supplying an email address but must still accept the privacy policy and ToS. You must register to to have full use - just EMAIL your full name, postcode and app username. 🤔 
19/ 🤔 So, emails are sent via mandrillapp which is now part of mailchimp so one presumes emails are held in the US? So those that register will also be subject to Mailchimp’s Privacy Policy (Mandrill’s privacy policy links to the Mailchimp policy). The gift that keeps on giving 
20/ According to Section 7 of #HanCocksApp privacy policy “By submitting your personal data, you agree to this transfer, storing or processing” Yes, I see, super GDPR compliant. Agreement buried in a policy ... oh yes, super GDPR compliant
“support.disciplemedia.com/matt-hancock/p…
“support.disciplemedia.com/matt-hancock/p…
21/ To obtain a ‘green tick verification’ a person’s details will be checked against the electoral roll in order to confirm the person is a constituent. 🤔 
22/ how bizarre. @TheABB spotted a change to the app privacy policy this afternoon. It referred to an ICO registration for Disciple Media. That Reg number is not appearing on the register of data controllers but is linked to a different app by Disciple Media. 
23/ See support.disciplemedia.com/connected-obs/… Interestingly the changes to the #HanCocksApp seem to have disappeared ?
24/ here’s an excellent analysis on whether the app is age appropriate jenpersson.com/is-hancocks-ap… Shouldn’t an MP & Secretary of State responsible for data protection show leadership on privacy? #HanCocksApp
25/ & let’s remind ourselves what Matt Hancock said about new EU data protection rules “People to have more control over their personal data ... “ Just a pity he didn’t lead by example #HanCocksApp #MattHancock 
26/ So yesterday, on the laptop I could not find a privacy policy on Disciple Media’s site. I managed to find it via a URL in their twitter handle. Ooh I feel much better - they’ll collect your info “where appropriate .. with the knowledge or consent ..” disciplemedia.com/privacy-policy/ 
27/ Yep. Looks like Disciple Media really understands privacy. Tracking for advertising purposes merely to read a privacy policy. That friendly cookie banner and the cookie policy doesn’t mention ad tracking just GA 
28/ Unlike iOS there seems to be no way to skip sign up on the Android version on #HanCocksApp What a #privacycockup this has turned out to be 
29/ erm .. I thought I would check the domain for the support address notified in the #HanCocksApp privacy policy matthancock@disciplesupport.com The Domain is parked for free. 
30/ So, I thought I'd ask about that claim of Disciple Media Ltd, that they are registered with the ICO ... because I cannot find any registration but I do sniff some BS ... and in the interests of transparency and all that cc @ICOnews 
31/ In the app privacy policy, Disciple Media provides this address: Atrium Building, Stables Market, London, NW1 8AH, and yet, on the Google Play app landing page its, 5-11 Mortimer Street, London W1T 3JB. No entry with the ICO for either. GDPR compliant eh? Art 13?
32/ Yesterday the iOS app did not provide a privacy policy on the app landing page as required. Today it does. But what changes have taken place to the policy? support.disciplemedia.com/matt-hancock/p… Is this sloppy, haphazard, privacy disrespectful & impactful approach what the Secretary of
33/ State, responsible for UK data protection law thinks is acceptable? What does this say for the progress of the UK Data Protection Bill? Andwhat is the @ICOnews doing about it?
Dear @MattHancock @DiscipleMedia as the Data Controllers for the #HanCocksApp could I please ask you to post the various privacy policies relied since the app was launched and to confirm the current policy. #accountability (it’s core to the GDPR). Thank you
34/ #Matthancock encouraging people to sign up via a URL shortener. I wonder if the PIA looked at that & the various tracking/data points. No Privacy Policy & no indication of the data captured by the URL shortener. Who is it? Allows DCs "to see statistics" #HanCocksApp 
35/ So who is onelink.to ? An 'apply' for a job button takes you to this Swedish company mobileinteraction.se/jobb/ Perfectly clear to me. You? Again, no privacy policy. Yes Minister all over.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
