OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

pbd-se message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: OASIS Specification Approach


Hei PbD-SE-ers.

The latest draft of the TC specification seems to be trying to accomplish two separate things. One – To provide guidance on privacy engineering activities to complete throughout the product development lifecycle. Two – To provide guidance on templates/formats for particular artifacts/evidence of good practices for privacy engineering. I wonder if these should be separated into two deliverables? One argument is that the first deliverable objective could be specified in a normative way, based on leading and best practices. However, the second deliverable objective is elusive because of personal and organizational preferences for the templates/formats for such artifacts/evidence. In fact, even within on particular template/format there can be broad differences in deployment/usage.

Lastly, in regards to the first deliverable objective, we do not yet have what I think is a useful arrangement for conveying the guidance on privacy engineering activities. I have a “privacy architect” colleague Ian Oliver who has written public blogs about how the aviation and medical fields have leveraged “checklists” to reduce risk within their fields (i.e., pilot checklist and surgical team checklists). The latter has been documented extensively because of the significant reductions in surgical theatre mishaps and post-surgery morbidity. Dr. Oliver has applied surgical checklist best practices to privacy engineering in the form of development team checklists. Whether you are using waterfall PDLC or agile PDLC forms, you have the same three-phases around a milestone or sprint/release. You have the Pre-Event, In-Event and Post-Event stages around the milestone. The purpose of industry checklists is two-fold; one – to make sure all the team involved in the event are aware of their roles and are prepared for the event and, two – to make sure proper activities are conducted and adequate evidence of accountability is recorded of completion of those activities.

Here is a good overview of how checklists are applied in the medical/surgical context, from a publication of the World Health Organization. http://www.who.int/patientsafety/safesurgery/ss_checklist/en/

My suggestion is that OASIS PbD-SE team look at using the checklist approach to formatting the privacy engineering activities that need to be addressed during the PDLC, by creating such a checklist for the basic milestones we identify.

Frank/

 

 



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]