Privacy Matters Profile picture
Feb 1, 2018 43 tweets 21 min read Twitter logo Read on Twitter
Oooh 👀
whoah! OMG. You’d think the Digital Minister and one responsible for data protection package would get privacy right.
1/ Hold me twitter. Here goes. (1) no Privacy Policy on the App landing page which doesn't meet Apples guidelines (2) The app is promoted as the 'Official App for Matt Hancock' but the 'seller' is Disciple Media Ltd (3) Individuals must tick to 'accept' a Privacy Policy and ToS
2/ Buried in the Privacy Policy only available AFTER install, is a statement that by accepting the PP individuals CONSENT to sharing their personal information with third parties for them to contact you directly about marketing, competitions and offers + consent to aggregating
3/ aggregating and anonymising "your data' and providing it on an 'anonymous' basis to third parties 🤔 So, not only do we gave questions of fair and lawful processing under the DPA 98, but also, non-compliance with Regulation 22 of PECRs.
4/ According to the Privacy Policy ‘US’ ‘We’ = Disciple Media Limited. Section 1 states “For the purposes of the Data Protection Act 1998 (the 'Act''), we are the data controller and we will only use the information that we collect about you lawfully (in accordance with the Act)
5/ BUT Disciple Media Limited does not appear to be registered with the @ICOnews 🤔
6/ The app also does not appear to meet the ICO's ‘Privacy in Mobile Apps Guidance' 🤔

This is just a quick review of key issues. I have not even addressed the GDPR yet. But, it is troubling that a Minister responsible for introducing data protection law can get things so wrong
7/ Disciple Media Limited also does not have a privacy policy on its website disciplemedia.com
8/ So, while Matt Hancock is registered with the @ICOnews Disciple Media Limited is not showing a current registration. Matt Hancock and Disciple Media appear to be joint data controllers. 🤔 Oh, and the app sues analytics from mix panel - ok, more digging to do
9/ the app also uses Appsflyer. Accessing the privacy policy for AppsFlyer means being exposed to 53 tracking data points and 9 ads .. oh this just gets better. #appfail #hancockgate
10/ at least on Android a Privacy Policy is presented on the app landing page
This is for iOS
11/ so, what information will Matt Hancock receive and what will Disciple Media receive and for what purposes (each) And who are these third parties and where is opt-in consent to eMarketing as required by PECRs ? #appfail
12/ lest we forget. As an MP, Matt Hancock is also subjecr to Parliamentary guidance on data protection parliament.uk/documents/foi/… <I’m thinking we could create an episode for Yes Minister!
Dear @ICOnews Could I ask if you have an entry on your register of data controllers for Disciple Media Ltd who is a data controller for the @MattHancock mobile app? If you do not, but have received an application to register, what was the date of the application. Thx
13/ The MP and Secretary of State responsible for data protection is also promoting access to his app via a URL shortened that doesn’t have a privacy policy so much that is wrong. This thread will grow as I look more closely because this isn’t a close 👀
A privacy policy is made available on Android but consent *cough* remains BURIED
14/ lest we also forget @ICOnews guidance online and apps “The code covers topics including online marketing, operating internationally, and applying individuals’ rights in an online environment. It applies equally to the public and private sectors”
15/ lest we forget that in December 2013 the UK @ICOnews was blogging on "why app developers must respect privacy". iconewsblog.org.uk/2013/12/19/ico… So will we see the @ICOnews take action in this case which breaches the DPA, PECRs and the ICO's own 'Privacy in Mobile Apps Guidance'??
16/ and a reminder of the recent GPEN sweep that the ICO also took part in, the found "website privacy notices are too vague and generally inadequate" So will the @ICOnews act? ico.org.uk/about-the-ico/…
17/ I asked IRIS at the House of Commons (Information Rights & Information Security Service) if their Guidance for members on data protection applied to a member's apps. It's up to members how much of the guidance that follow. Nor can IRIS mandate what MPs do w/data. Oh hum
18/ You can Access the app without supplying an email address but must still accept the privacy policy and ToS. You must register to to have full use - just EMAIL your full name, postcode and app username. 🤔
19/ 🤔 So, emails are sent via mandrillapp which is now part of mailchimp so one presumes emails are held in the US? So those that register will also be subject to Mailchimp’s Privacy Policy (Mandrill’s privacy policy links to the Mailchimp policy). The gift that keeps on giving
20/ According to Section 7 of #HanCocksApp privacy policy “By submitting your personal data, you agree to this transfer, storing or processing” Yes, I see, super GDPR compliant. Agreement buried in a policy ... oh yes, super GDPR compliant

support.disciplemedia.com/matt-hancock/p…
21/ To obtain a ‘green tick verification’ a person’s details will be checked against the electoral roll in order to confirm the person is a constituent. 🤔
22/ how bizarre. @TheABB spotted a change to the app privacy policy this afternoon. It referred to an ICO registration for Disciple Media. That Reg number is not appearing on the register of data controllers but is linked to a different app by Disciple Media.
23/ See support.disciplemedia.com/connected-obs/… Interestingly the changes to the #HanCocksApp seem to have disappeared ?
24/ here’s an excellent analysis on whether the app is age appropriate jenpersson.com/is-hancocks-ap… Shouldn’t an MP & Secretary of State responsible for data protection show leadership on privacy? #HanCocksApp
25/ & let’s remind ourselves what Matt Hancock said about new EU data protection rules “People to have more control over their personal data ... “ Just a pity he didn’t lead by example #HanCocksApp #MattHancock
26/ So yesterday, on the laptop I could not find a privacy policy on Disciple Media’s site. I managed to find it via a URL in their twitter handle. Ooh I feel much better - they’ll collect your info “where appropriate .. with the knowledge or consent ..” disciplemedia.com/privacy-policy/
27/ Yep. Looks like Disciple Media really understands privacy. Tracking for advertising purposes merely to read a privacy policy. That friendly cookie banner and the cookie policy doesn’t mention ad tracking just GA
28/ Unlike iOS there seems to be no way to skip sign up on the Android version on #HanCocksApp What a #privacycockup this has turned out to be
29/ erm .. I thought I would check the domain for the support address notified in the #HanCocksApp privacy policy matthancock@disciplesupport.com The Domain is parked for free.
30/ So, I thought I'd ask about that claim of Disciple Media Ltd, that they are registered with the ICO ... because I cannot find any registration but I do sniff some BS ... and in the interests of transparency and all that cc @ICOnews
31/ In the app privacy policy, Disciple Media provides this address: Atrium Building, Stables Market, London, NW1 8AH, and yet, on the Google Play app landing page its, 5-11 Mortimer Street, London W1T 3JB. No entry with the ICO for either. GDPR compliant eh? Art 13?
32/ Yesterday the iOS app did not provide a privacy policy on the app landing page as required. Today it does. But what changes have taken place to the policy? support.disciplemedia.com/matt-hancock/p… Is this sloppy, haphazard, privacy disrespectful & impactful approach what the Secretary of
33/ State, responsible for UK data protection law thinks is acceptable? What does this say for the progress of the UK Data Protection Bill? Andwhat is the @ICOnews doing about it?
Dear @MattHancock @DiscipleMedia as the Data Controllers for the #HanCocksApp could I please ask you to post the various privacy policies relied since the app was launched and to confirm the current policy. #accountability (it’s core to the GDPR). Thank you
34/ #Matthancock encouraging people to sign up via a URL shortener. I wonder if the PIA looked at that & the various tracking/data points. No Privacy Policy & no indication of the data captured by the URL shortener. Who is it? Allows DCs "to see statistics" #HanCocksApp
35/ So who is onelink.to ? An 'apply' for a job button takes you to this Swedish company mobileinteraction.se/jobb/ Perfectly clear to me. You? Again, no privacy policy. Yes Minister all over.
36/ a bit of light relief. Reviews of the #HanCocksApp GDPR review to follow in the few days

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Privacy Matters

Privacy Matters Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @PrivacyMatters

Sep 29, 2018
1/ I note the issues around the conservative party conference app .. BUT OMG! I took a peek at the Conservative Campaigner app - "the official mobile app for supporters of The Conservative Party” and OH BOY …
2/ the app was developed by Social Political Media, the same entity behind the anti-abortion apps LoveBoth & MY8 used in the Irish referendum on abortion, .. but Social Political Media also developed the …. Vote Leave app, the Trump-Pence 2016 app, the French Renaissance app
and the same ‘developer’ is behind the NRA’s official app. Oh boy.

Yep, the UK @Conservatives official campaign app is developed by a US based political campaigning app platform UCampaign ucampaignapp.com

OK need to go make Son’s supper - back soon. and Oh boy
Read 36 tweets
Aug 31, 2018
An NHS app intended to get people from ‘couch to 5k’.

“Analytics and Advertising tracking SDKs. As these features are critical to Our ability to provide users with free, high quality mobile applications it is not possible to opt out from tracking features.” < WTH! No. No. No.
I don’t have time to go through this at the mo .. but I will, given that family has asked me “is it ok from a privacy perspective? .. it is the NHS after all.” <visions of #HanCocksApp
“We are also working closely with third parties (including, for example, business partners, sub-contractors, delivery services, analytics providers, search information providers) and may receive information about you from them” <much to dig into
Read 34 tweets
May 31, 2018
Ohh look @DPCIreland look at the term ‘consent’ in the URL. Now let’s consider consent under the GDPR, I know. In know. It’s not really consent
Ooh. Choice. Not really. Take it or leave it says Facebook
Facebook Terms first. I’m sure the majority of people will be able to immediately comprehend the suite of Facebook Products .. and Business Tools that they are ageeeing to 🤔
Read 8 tweets
Apr 17, 2018
April 13. Bulgarian Presidency updated working dc on the #ePrivacy Regulation. data.consilium.europa.eu/doc/document/S…

"recital 21 now provides an example where making access to a website conditional on the acceptance of cookies is not considered justified"
But much to review and .. hmmmm

"Access to specific website content may still be made conditional on the well-informed acceptance of the storage of a cookie or similar device identifier, if it is used for a legitimate purpose ,,"
“… This will for example not be the case of a cookie which is recreated after the deletion by the end-user."
Read 16 tweets
Mar 6, 2018
So @AskLloydsBank is using legitimate interests under the GDPR to seek consent to contact customers 🤔
It’s one of the most confusing updates I’ve seen. What precisely is LloydsBank relying on for ‘consent’ and what for ‘legitimate interests’ for marketing/direct marketing/product development for example? #GDPR
Many other things are wrong. Its of ‘please contact us’ but no hyperlink with info on how/mechanism to contact.
Read 6 tweets
Sep 8, 2017
🤔 Sorry, the breach of 143m people’s data #equifax does not make today a good day to be a DPO. It’s a day when potentially 143m people will
will be concerned and anxious. They’ll be starting a journey that may last years or their lifetime in seeking to address the impact
of “identity theft” as which can have adverse impacts on multiple dimensions of their lives. It’s not a good day to be a DPO. It’s a bad day
Read 11 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(