The link to the Google Play store page for the OpenMRS Android client is not active anymore. Can the person in charge of our OpenMRS’s Play store account re-publish the app back to the Play store? This project is actively being worked on and we are planning to release the next version (2.7) soon. CC @raff@dkayiwa@shivtej
As a workaround, implementers and developers can go to the releases page on GitHub and manually install the latest APK.
Anyone who is in charge of community@openmrs.org, please check that. One should be able to add more users after logging in with that address to Google Play Console.
I found the email under Help Desk case 35018, which says we have a privacy policy violation. In the Play Store (infrastructure has credentials for community@openmrs.org), the org.openmrs.mobile app’s “Privacy Policy” settings says:
Your app has an apk with version code 804 that requests the following permission(s): android.permission.CAMERA,android.permission.READ_PHONE_STATE. Apps using these permissions in an APK are required to have a privacy policy set.
Assuming we’re using the camera for barcode scanning or capturing clinical images, then we will need to include a privacy policy in the play store (e.g., link to privacy policy in github repo) and somewhere in the app itself (e.g., in an about page or under settings within the app). If the android.permission.READ_PHONE_STATE privilege isn’t needed, then we should remove it.
The privacy policy should be relatively straightforward, but obviously needs to be factual. Assuming the app doesn’t store any images or personal content, then something along those lines should do – e.g., something along the lines of “While the app needs to be granted access to the camera if barcodes are being scanned or to capture clinical images, the app does not store any images and the only data transmitted is to the OpenMRS server to which the app is configured.” (note: I’m just throwing out an example off the top of my head, I’m sure looking at other app privacy policies and knowing more about what our Android app actually uses/does would yield a much better privacy policy).
The Android client should definitely include a privacy policy as of January 2019, as the app can store a patient’s photo if the provider wishes to, when registering the patient. I’ll link back with other A.C. developers regarding other permissions and data that the app currently needs.
But yes, thank you for the starter sentences for our privacy policy. We have two options on where to show it - in the Android client user guide, or in the README of the repository (or do you prefer both?). Next, we need to add the same policy to the console’s store listing page (this requires access to the dev console of OpenMRS). I found a few amazing privacy policy generators here and here and an example privacy policy for an existing app. I think these are enough to make it, what do you think?
Once the decision is made, I’ll make a JIRA issue for this and make a PR for it. Hopefully AC developers will review it a lot, and make sure it complies well.
Filed an issue at https://issues.openmrs.org/browse/AC-561 . After the privacy policy is made, we’ll also need @raff 's access to the console and just set the ‘Store Listing’ -> ‘Privacy Policy’ field there as well.
Hello everyone, I have faced similar issues for several of my apps in the playstore that got removed due to non-compliant privacy policy. Everytime I had to tackle this problem and generate a valid Privacy Policy for each app.
The auto-generated privacy policy is a good start; however, it appears to be aimed at general apps used by an individual for personal use rather than an app allowing a provider to access an electronic medical record system (e.g., I don’t think we need a section on use by children). Do we collect usage data? If not, then that text isn’t necessary.
The auto-generated generated text is a bit vague. I think we should be a little more specific about data collected. For example, what information is stored on the mobile device and what information is passed to/from the OpenMRS server and not stored locally on the device?
Once we have a privacy policy in the GitHub repo, I’d suggest we just link to it rather than trying to maintain it in multiple locations. We also need to reference it from within the app itself (e.g., provide a link to the privacy policy from a settings menu).
There’s an option for Open Source “companies” as well in this generator, I think this gives us a solid overall template. I agree that we can start to be more specific in the content of the privacy policy.
We should just keep the Information Collection and Use, Changes to This Privacy Policy and Contact Us. Under the first section, we document the specific data that is kept in the device’s local storage. An overview of the types of data stored can be seen in the user guide’s patient activity page. All data fed is stored in an encrypted database file, or just sent to the server without saving locally first. The patient photo is stored in the device’s external storage.
For each patient, data stored are:
Given, middle, family name
Photo (permission to access Gallery and Camera)
Gender
Birth date
Address: Street name, city, state, country, postal code
Biometric data is stored when capturing a vital, like in the web app. Next, I think diagnosis and encounters are sent straight to the server, and not kept locally.
See an example of a medical records privacy policy I found.
Regarding the READ_PHONE_STATE permission, this post suggests it’s only for target Android SDK 4 and below (Android 1.5 and below), so we can safely delete this.
I see your privacy policies are for personal apps like mentioned by @burke . You’ll need to adapt and create one that is for provider’s access to an OpenMRS instance and working with patient data.
We’ve just decided on the template, and still need to discuss the content of the policy. It’s very unlikely that we’ll use the content from the generator, we need to be way more specific and aim for the correct target audience - providers.
I have a question that why are we having privacy policy for children below 13?
" Children’s Privacy
These Services do not address anyone under the age of 13. We do not knowingly collect personally identifiable information from children under 13. In the case we discover that a child under 13 has provided us with personal information, we immediately delete this from our servers. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us so that we will be able to do necessary actions."