OASIS Mailing List Archives

pbd-se message



Subject: Privacy Safeguarding Requirements - Functional or Non-Functional Requirements?


Hei Kaikki (Finnish for Hello All).
An interesting discussion in OASIS PbD-Software Engineering Technical Committee today. Should “privacy” in software be considered a functional requirement or a non-functional requirement? What can be taken from security characterization in this topic?
I think we have many examples where privacy safeguarding requirements are specified as functional requirements, when they become accepted practice and we have guidelines or design patterns for how to implement them. But we have other privacy safeguarding requirements that have less common practice in the field and are still non-functional in nature. For example, if an organization has good data management/stewardship and they know a lot about the consumer data they process, they might have sufficient knowledge and experience to be able to qualify a data retention and deletion plan for each category of personal information. Then this becomes very functional, in the way it is specified as a requirement on a product or service. However, there are other privacy safeguarding requirements (e.g., Privacy by Default), which are so contextual (e.g., not all parameters/attributes are defaultable) that this remains a non-functional requirement, today.
So, basically, my thinking is that information privacy requirements (or privacy safeguarding requirements in the terminology of ISO 29100/Privacy Framework) SHOULD BE viewed as functional requirements, if at all possible. But that when we have a lack of a priori knowledge of a good design pattern for implementation, they remain in a limbo state where they are non-functional by definition.
What do you all think?
A “non-functional requirement” specifies criteria that can be used to judge the operation of a system, rather than specific behaviors. [1]
A “functional requirement” defines specific behavior or functions of a system. [2]
Frank/
[1] http://en.wikipedia.org/wiki/Non-functional_requirement
[2] http://en.wikipedia.org/wiki/Functional_requirements
 
 
 
 
 

