Privacy by Design Documentation for Software Engineers ...



Privacy by Design Documentation for Software Engineers Version 1.0

Working Draft 01

04 July 2013

Technical Committee:

OASIS Privacy by Design Documentation for Software Engineers (PbD-SE) TC

Chairs:

Ann Cavoukian (commissioner.ipc@ipc.on.ca), Office of the Information & Privacy Commissioner of Ontario, Canada

Dawn Jutla (dawn.jutla@), Saint Mary’s University

Editors:

Editor Name (Editor.Name@), Example Corp.

(TBD)

Additional artifacts:

This prose specification is one component of a Work Product that also includes:

• XML schemas: (list file names or directory name)

• Other parts (list titles and/or file names)

Related work:

This specification is related to:

• Related specifications (hyperlink, if available)

Declared XML namespaces:

•

•

Abstract:

This specification describes software tools that engineers can use to aid in producing documentation and to show compliance with the PbD principles, and privacy regulations, throughout the software development life cycle.

Status:

This Working Draft (WD) has been produced by one or more TC Members; it has not yet been voted on by the TC or approved as a Committee Draft (Committee Specification Draft or a Committee Note Draft). The OASIS document Approval Process begins officially with a TC vote to approve a WD as a Committee Draft. A TC may approve a Working Draft, revise it, and re-approve it any number of times as a Committee Draft.

Initial URI pattern:



(Managed by OASIS TC Administration; please don’t modify.)

Copyright © OASIS Open 2013. All Rights Reserved.

All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Table of Contents

1 Introduction 4

1.1 Context and Rationale 4

1.2 Objectives 4

1.3 Intended Audience 4

1.4 Outline of the Specification 4

1.5 Terminology 4

1.6 Normative References 5

1.7 Non-Normative References 5

2 Privacy by Design for Software Engineers 6

2.1 Privacy as the Default 6

2.1.1 Purpose Specificity 6

2.1.2 Collection, Use, and Retention Limitation 6

3 Software Development Life Cycle Documentation 7

3.1 Requirements Analysis Phase 7

3.1.1 Privacy by Design Use Case Template 7

3.1.2 Privacy by Design Use Case Diagrams 7

3.1.3 Privacy by Design Requirements Process 7

3.2 Design Phase 7

3.2.1 Privacy by Design Sequence Diagrams 7

3.2.2 Privacy by Design Class Diagrams 7

3.2.3 Privacy by Design Design Patterns 7

3.3 Coding / Development Phase 7

3.4 Testing / Validation Phase 7

3.4.1 Privacy by Design Structured Argumentation 7

3.5 Deployment Phase Considerations 8

3.5.1 Fielding 8

3.5.2 Maintenance 8

3.5.3 Retirement 8

4 Conformance 9

Appendix A. Acknowledgements 10

Appendix B. Example Title 11

B.1 Subsidiary section 11

B.1.1 Sub-subsidiary section 11

Appendix C. Revision History 12

1. Introduction

[All text is normative unless otherwise labeled]

1 Context and Rationale

[What is the motivation behind the PbD-SE and what purpose does it serve?] The protection of privacy in the context of software design requires normative judgments to be made on the part of software engineers. It has become increasingly apparent that software systems need to be complemented by a set of governance norms that reflect broader privacy dimensions. There is a growing demand and need for provable software privacy claims, systematic methods of privacy due diligence, and greater transparency and accountability in the design of privacy-respecting software systems, in order to promote wider adoption, gain trust and market success, and demonstrate regulatory compliance.

2 Objectives

[What does the PbD-SE set out to do?] This specification provides guidance to engineers to document privacy-enhancing objectives and associated control measures throughout the software development life cycle. This documentation may be supplemented by envelope design artifacts for privacy processes or services, and procedures for internal independent reviewers to conduct reviews of analysis and design documents, e.g. use cases, misuse cases, interface design, class diagrams, scenario diagrams etc., for explicit adherence to PbD guidelines.

3 Intended Audience

[For whom is the PbD-SE intended?] The intended audience includes, but is not limited to, software engineers, privacy policy makers, privacy and security consultants, privacy managers and executives, auditors, project managers, regulators, IT systems architects and analysts, and other designers of systems that collect, store, process, use, share, transport across borders, exchange, secure, retain or destroy personal information. In addition, other OASIS TCs and external organizations and standards bodies may find the PbD-SE useful in documenting privacy management analyses and designs in their context.

4 Outline of the Specification

[Description of the overall structure of the specification.]

5 Terminology

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC2119].

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” are to be interpreted as described in [RFC2119].

[When writing Normative Statements and Conformance Clauses, specific keywords must be used throughout the specification to denote whether or not requirements are mandatory, optional, or suggested. Using a standard set of key word helps to easily identify the Normative Statements and Conformance Clauses.

OASIS specifications SHOULD use the following keywords from IETF RFC 2119. This is the default terminology to be used in all OASIS specifications. The definitions from RFC 2119 are given below, and have been simplified to highlight all the keywords:

MUST - the requirement is an absolute requirement of the specification.

MUST NOT – the requirement is an absolute prohibition of the specification

REQUIRED – see MUST

SHALL – see MUST

SHALL NOT – see MUST NOT

SHOULD – there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

SHOULD NOT – there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label.

RECOMMENDED – see SHOULD.

MAY - the item is truly optional. One vendor may choose to include the item because a particular marketplace requires it or because the vendor feels that it enhances the product while another vendor may omit the same item. An implementation that does not include a particular option MUST be prepared to interoperate with another implementation that does include the option, though perhaps with reduced functionality. In the same vein an implementation, which does include a particular option MUST be prepared to interoperate with another implementation that does not include the option (except, of course, for the feature the option provides).

While RFC2119 permits the use of synonyms, to achieve consistency across specifications it is recommended that MUST be used instead of SHALL, and MUST NOT instead of SHALL NOT.

RFC2119 allows both uppercase and lowercase to be used for a keyword, however to enable easy identification of the keywords and consistency across specifications uppercase MUST be used for keywords at all times.

Some OASIS specifications are intended for advancement to other bodies such as ISO/IEC and ITU-T. In those cases it is permissible to use the ISO keywords instead of the default RFC 2119 ones. A specification that makes use of ISO keywords MUST explicitly declare this in the specification.

Under no circumstances SHOULD RFC 2119 or ISO styles be used in the same documents.]

6 Normative References

[RFC2119]

Bradner, S., Key words for use in RFCs to Indicate Requirement Levels, ., IETF RFC 2119, March 1997.

7 Non-Normative References

NOTE: The proper format for citation of technical work produced by an OASIS TC (whether Standards Track or Non-Standards Track) is:

[Citation Label]

Work Product title (italicized). Approval date (DD Month YYYY). OASIS Stage Identifier and Revision Number (e.g., OASIS Committee Specification Draft 01). Principal URI (version-specific URI, e.g., with filename component: somespec-v1.0-csd01.html).

For example:

[OpenDoc-1.2] Open Document Format for Office Applications (OpenDocument) Version 1.2. 19 January 2011. OASIS Committee Specification Draft 07. .

[CAP-1.2] Common Alerting Protocol Version 1.2. 01 July 2010. OASIS Standard. .

Privacy by Design for Software Engineers

This section describes the default context of Privacy by Design and lays out the meaning of its principles in terms specific to software engineers.

Privacy by Design consists of seven interrelated Foundational Principles that extend, traditional Fair Information Practice Principles to provide the strongest possible level of privacy assurances. It begins with principle #1, Proactive not Reactive; Preventative not Remedial. [MORE EXPLANATORY TEXT NEDED HERE]

1 Privacy as the Default

This principle:

• is the strongest level of data protection and most closely associated with limiting use of data to the intended, primary purpose of the collection – the embodiment of purpose specification and use limitation;

• is the most under attack in the current era of ubiquitous, granular and exponential data collection, use and disclosure; and

• has the most impact on managing privacy risks, by effectively eliminating risk at the start of the information life cycle

After the commitment to proactively address privacy risks and issues, the starting point for designing all information technologies and systems is NO collection of personally identifying information —unless and until a specific and compelling purpose is defined.

As a rule, default user settings should be maximally privacy-enhancing. This approach is sometimes described as “data minimization” or “precautionary principle,” and must be the first line of defense. Non-collection, non-retention and non-use of personally-identifiable information support all of the other PbD principles.

1 Purpose Specificity

[This is where IPC work on "Purpose Specificity" would go.] Privacy commitments should be expressed by documenting clear and concise purpose(s) for collecting, using and disclosing personally-identifiable information. Purposes may be described in other terms, such as goals, objectives, requirements, or functionalities. For the purposes of engineering software:

• Purposes must be limited and specific; and

• Purposes must be written in such a way so to be amendable to engineering controls

2 Collection, Use, and Retention Limitation

[This is where IPC work on "Collection, Use, and Retention Limitation" would go.] Software engineering methods and procedures must be in place to ensure that personal information is collected, used, disclosed and retained:

• in conformity with the specific, limited purposes

• in agreement with the consent received from the data subject

• in compliance with applicable laws and regulations.

Consistent with data minimization principles, strict limits should be placed on each phase of the data processing life cycle engaged by the software under development. This includes

• Limiting Collection

• Collecting by Fair and Lawful Means

• Collecting from Third Parties

• Uses and Disclosures

• Retention

• Disposal, Destruction and Redaction

Software Development Life Cycle Documentation

1 Requirements Analysis Phase

This section describes software engineering tools and techniques for operationalizing Privacy by Design into the requirements analysis phase of the software development life cycle.

1 Privacy by Design Use Case Template

[This is where John Sabo's work on the "PbD-SE Privacy Use Case Template" would go.]

2 Privacy by Design Use Case Diagrams

[This is where Dawn Jutla’s work would go.]

3 Privacy by Design Requirements Process

[This is where CERT's SQUARE process and the W3C Privacy Interest Group's Specification Privacy Assessment could be leveraged.]

2 Design Phase

This section describes software engineering tools and techniques for operationalizing Privacy by Design into the design phase of the software development life cycle.

1 Privacy by Design Sequence Diagrams

[This is where Dawn Jutla's consent-choice work in "Mapping PbD Principles to Software Engineering's UML Standard" would go.]

2 Privacy by Design Class Diagrams

[This is where Dawn Jutla's data modelling work in "Mapping PbD Principles to Software Engineering's UML Standard" would go.]

3 Privacy by Design Design Patterns

[The idea of this section needs to be explored further.]

3 Coding / Development Phase

This section describes software engineering tools and techniques for operationalizing Privacy by Design into the coding / development phase of the software development life cycle.

[Note that the name “coding / development” is used instead of “implementation” in order to prevent confusion with implementation in the sense of end-user deployment.]

4 Testing / Validation Phase

This section describes software engineering tools and techniques for operationalizing Privacy by Design into the testing / validation phase of the software development life cycle.

1 Privacy by Design Structured Argumentation

[The idea of this section needs to be explored further.]

5 Deployment Phase Considerations

This section describes privacy issues and methods for operationalizing Privacy by Design in the deployment phase of the software development life cycle. It is not intended to produce strict documentation guidance. Rather, it is only meant to offer considerations to be taken into account by software engineers.

1 Fielding

[The idea of this section needs to be explored further.]

2 Maintenance

[The idea of this section needs to be explored further.]

3 Retirement

[The idea of this section needs to be explored further.]

2. Conformance

This section outlines the requirements that must be met in order for the various "Conformance Targets" of the specification (discussed above) to be considered PbD-SE conforming. It also discusses the relationships between conformance clauses.

[This section is a compilation of the normative statements made in the above sections. For more information on what goes into the conformance section and how to write conformance clauses, see the OASIS Guidelines to Writing Conformance Clauses.]

A. Acknowledgements

The following individuals have participated in the creation of this specification and are gratefully acknowledged:

Participants:

[Participant Name, Affiliation | Individual Member]

[Participant Name, Affiliation | Individual Member]

B. Example Title

text

1. Subsidiary section

text

1. Sub-subsidiary section

text

C. Revision History

|Revision |Date |Editor |Changes Made |

|[Rev number] |[Rev Date] |[Modified By] |[Summary of Changes] |

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download