Policy for Emory Mobile App Distribution (Adopted October 14, 2014)
Emory requires an internal review of all mobile applications developed at Emory prior to submission for distribution in public marketplaces, including but not limited to the Apple App Store and Google Play. This process is initiated by the Office of Technology Transfer in consultation with Legal Counsel, Marketing & Communications, and Library and Information Technology Services. To begin the process, please visit https://wiki.service.emory.edu/x/FqMlAw. As part of the Apple and Google submission processes for public distribution of mobile applications, parties distributing mobile applications must affirm their ownership of the intellectual property and accept marketplace terms and conditions, which include assuming some liability and accepting business obligations. Please note that Emory is contractually responsible for the failure of Apple to properly collect sales tax, use tax, or VAT tax anywhere in the world when those taxes are due and appropriate. Although Apple spends considerable effort tracking the ever-changing tax landscape, it is possible that errors and miscalculations can happen. If there is an underpayment assessment, the funding for that liability is not covered from a central source of funds. It will be up to the department, unit, or school to fund that expense in the unlikely event it were to arise. For these reasons reviews of the intellectual property ownership status, marketability, and potential liability to Emory are essential.
Emory must also determine if mobile applications collect, transmit, or store any sensitive data and, if so, ensure that Emory's FERPA, HIPAA, PCI, or other appropriate compliance obligations are met. Distribution of mobile applications to any external (non-Emory affiliated) people without completing Emory's mobile application review process is prohibited. Distributing mobile applications that one does not personally own may also be a violation of marketplace agreements.
Draft Policy for Emory Internal Mobile App Distribution (pending adoption)
Emory requires a review of all internal mobile applications at Emory (developed at Emory or vended) prior to distribution to end users for production use. Internal mobile applications are those intended for use by Emory people and Emory affiliates only and not segments of the general public. This process is initiated by Libraries and Information Technology Services in consultation with Legal Counsel and the Emory Healthcare and Emory University Compliance Officers. To begin this process, please visit https://wiki.service.emory.edu/x/7ILaB. While internally distributed mobile applications do not have the same business and branding requirements as publicly distributed mobile apps, internal mobile applications have many of the same legal, compliance, and security implications. For this reason Emory must perform a technical review, compliance and regulatory review, and a security review for internal mobile apps. Mobile applications may be distributed internally for development and testing purposes prior to this review, but the reviews must be completed satisfactorily prior to distributing apps for production use.
Emory requires that all internal mobile applications developed at Emory, both native apps and mobile web apps, be distributed for production use using the Emory Mobile App Catalog. Mobile web apps may also be distributed by communicating a uniform resource locator (URL) or a launch web page in addition to listing them in the Emory Mobile App Catalog. Some vended mobile apps may require distribution by the vendor or distribution through a public marketplace. These practices for vended applications are allowed when they do not introduce unmanageable risk to Emory.
Emory requires a review of all apps available in public marketplaces that are listed for download in the Emory Mobile App Catalog. The process for reviewing mobile apps endorsed by Emory and listed in the Emory Mobile App Catalog is initiated by the Libraries and Information Technology Services in consultation with Emory Healthcare and Emory University Compliance Officers and [list other parties here]. To begin this process, please visit https://wiki.service.emory.edu/x/suIGBQ. These mobile apps are endorsed in some way by Emory when they appear in the Emory Mobile App Catalog and they should be reviewed and documented to indicate the nature of their review and recommended or endorsed use.
There are two processes for mobile app review and distribution at Emory to address the requirements for internal and external distribution. Detailed descriptions of these processes are at:
- Emory Mobile App Review and Distribution Process for Public App Marketplaces
- Emory Mobile App Review and Submission Process for Internal Emory Distribution
- Emory Mobile App Endorsement and Listing Process for Apps Available in Public Marketplaces
These processes may be updated from time to time. For example, Emory is presently using an interim internal app distribution mechanism, which leaves much to be desired. Emory is currently evaluating enterprise app store products with the goal of finding a product to support an improved internal mobile app distribution process.