OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

pbd-se message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [pbd-se] Privacy Safeguarding Requirements - Functional or Non-Functional Requirements?


+1. I'd put it this way (as a metarequirement ;-): whenever possible, privacy requirements SHOULD be functional requirements.

=Drummond 


On Fri, Sep 13, 2013 at 12:18 PM, Kevin MacDonald <kevin@baseus.org> wrote:
Hello All,

Thank you Frank for taking the time to put forward such a clear question to the TC.
The more clear and focused we are on key guiding principals now, the smoother the remaining specification creation process will be.

My desire for the specification is to have it embody true excellence in protecting personal privacy during the creation of software systems, regardless of past practices or industry norms.

In general I believe that the more the PbD –TC specification states MUST oppose to SHOULD with regards to Privacy, the more robust system creation and implementation will be.

I am a strong proponent of "functional requirements" in this regard.


Have a great weekend,
Kevin


~~~~~~~~~~~~~~~~~~

Kevin J. MacDonald

President, baseUs inc.


Direct Line: 705.743.2888

www.baseUs.org



Greater Peterborough Innovation Cluster

DNA Building, Block B, Suite B107, Trent University

2140 East Bank Drive, Peterborough, ON, K9J 7B8


From: "Frank.Dawson@nokia.com" <Frank.Dawson@nokia.com>
Date: Friday, 13, September,2013,256 10:53 AM
To: "pbd-se@lists.oasis-open.org" <pbd-se@lists.oasis-open.org>
Subject: [pbd-se] Privacy Safeguarding Requirements - Functional or Non-Functional Requirements?

Hei Kaikki (Finnish for Hello All).
An interesting discussion in OASIS PbD-Software Engineering Technical Committee today. Should “privacy” in software be considered a functional requirement or a non-functional requirement. What can be taken from security characterization in this topic?
I think we have many examples where privacy safeguarding requirements are specified as functional requirements, when they become accepted practice and we have guidelines or design patterns how to implement. But we have other privacy safeguarding requirements that have less common practice in the field and are still non-functional in nature. For example, if an organization has good data management/stewardship and they know a lot about the consumer data they process, they might have sufficient knowledge and experience to be able to qualify a data retention and deletion plan for each category of personal information. Then this becomes very functional, in the way it is specified as a requirement on a product or service. However, there are other privacy safeguarding requirements (EG, Privacy by Default), which are so contextual (EG, not all parameters/attributes are defaultable) that this remains a non-functional requirement, today.
So, basically, my thinking is that information privacy requirements (or privacy safeguarding requirements in terminology of ISO 29100/Privacy Framework) SHOULD BE viewed as functional requirements, if at all possible. But that when we have a lack of a priori knowledge of good design pattern for implementation they remain in a limbo state where they are non-functional by definition.
What do you all think?
A “non-functional requirement specifies criteria that can be used to judge the operation of a system, rather than specific behaviors. [1]
A “functional requirementdefines specific behavior or functions of a system. [2]
Frank/
 
 
 
 
 



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]