I read with interest about the proposed chartering of the OASIS PbD-SE TC.
It was unclear to me if this TC will include in the scope of the charter the definition of a process and format for including “Privacy Considerations” in OASIS technical specifications.
Including a Security Considerations section in technical specifications has become a common requirement in a number of industry standards groups, including the IETF for Internet standards. The suggestion
to create a similar requirement for “Privacy Considerations” has been made recently. Given that assessing the privacy implications of the Internet and web infrastructure is of considerable importance to continued
trust in our digital marketplace, the proposal for a required “Privacy Considerations” section makes sense. But what would the process be to conduct this assessment? What would be the recommended format for such a section?
It would make sense to treat this as a high priority for the proposed OASIS TC, with the resulting recommendations to be considered by OASIS management as actionable changes
to the OASIS specification format and to the directives for creating OASIS specifications.
The process, a Specification Privacy Assessment (SPA), would consist of a lightweight PIA (Privacy Impact Assessment) targeted at specification creation. The steps would include:
1. Identify the privacy principles and underlying privacy safeguarding requirements applicable to the scope of the specification.
2. Outline the data flows between the internal components defined by the specification.
3. Outline the data flow model between the internal components of the specification and the external components it interacts with through the format, interface or protocol the specification defines.
4. Outline the threats created by these data flows, identifying the points where a privacy control mechanism can be introduced to safeguard data protection. Document these in the privacy considerations section of the specification.
5. Does the specification collect, utilize, store, transfer or manage information that could identify a person? Document this in the privacy considerations section of the specification.
6. Does the specification collect, utilize, store, transfer or manage information that could identify a network-connected device? Document this in the privacy considerations section of the specification.
7. Document in the privacy considerations section of the specification any specific approaches, beyond the privacy controls identified in step 4, that will enhance privacy, such as limits on collection, limits on retention, rules
for secure transfer, and rules for limiting identification or for obfuscation.
The “Privacy Considerations” section in a specification might include the following content:
- Identify the privacy principles and underlying privacy safeguarding requirements that are applicable to the specification;
- Describe the entities within the format, API or protocol specification that are control points for personal data;
- Catalog the data collected, instances of data storage, types of processing, and instances of data transfer (against the privacy data lifecycle);
- Identify and list privacy threats;
- Document current and proposed technical and organizational privacy safeguards/controls to mitigate the identified threats;
- Estimate the magnitude and likelihood of those risks;
- Document proposed resolutions to the risks, including privacy controls introduced by the specification to thwart the identified threats.
What do you all think?
Nokia, Director Information Privacy Standards