Annex Guide to Privacy by Design Documentation for Software Engineers Version 1.0

Total Page:16

File Type:pdf, Size:1020Kb

Annex Guide to Privacy by Design Documentation for Software Engineers Version 1.0

Annex Guide to Privacy by Design Documentation for Software Engineers Version 1.0

Committee Note Draft 01 25 June 2014 Specification URIs This version: http://docs.oasis-open.org/pbd-se/pbd-se-annex/v1.0/cnd01/pbd-se-annex-v1.0- cnd01.doc (Authoritative) http://docs.oasis-open.org/pbd-se/pbd-se-annex/v1.0/cnd01/pbd-se-annex-v1.0- cnd01.html http://docs.oasis-open.org/pbd-se/pbd-se-annex/v1.0/cnd01/pbd-se-annex-v1.0- cnd01.pdf Previous version: N/A Latest version: http://docs.oasis-open.org/pbd-se/pbd-se-annex/v1.0/pbd-se-annex-v1.0.doc (Authoritative) http://docs.oasis-open.org/pbd-se/pbd-se-annex/v1.0/pbd-se-annex-v1.0.html http://docs.oasis-open.org/pbd-se/pbd-se-annex/v1.0/pbd-se-annex-v1.0.pdf Technical Committee: OASIS Privacy by Design Documentation for Software Engineers (PbD-SE) TC Chairs: Ann Cavoukian ([email protected]), Canada Office of the Information & Privacy Commissioner of Ontario Dawn Jutla ([email protected]), Saint Mary’s University Editors: Ann Cavoukian ([email protected]), Canada Office of the Information & Privacy Commissioner of Ontario Fred Carter ([email protected]), Canada Office of the Information & Privacy Commissioner of Ontario open.org/committees/pbd-se/ “ Committee’s list. email Others send should comments the to Technical Committee by theusing Technical Committeemembers send should comments this specification on to Technical the theCheck “Latest location version” noted above forpossible later revisions of this document. EngineersSoftware (PbD-SE) on TC the above date.The level approvalof is alsolisted above. documentThis was revised last or theapproved by OASIS Privacy by Design Documentation for Status: Engineers (PbD-SE) 1.0 Version Annex This asGuide serves primer a for Abstract: Related work: Finneran Tom ( Jonathan Fox ( Sander Fieten, DawsonFrank ( Sabo ( John Dawn Jutla ( pbd-se-annex-v1.0-cnd01 website.OASIS PropertyIntellectual Rights (the IPR Policy Policy"). "OASIS The full All capitalized interms the text following have the meanings assigned them to in the OASIS Copyright OASIS© Open All Rights2014. Reserved. http://docs.oasis-open.org/pbd-se/pbd-se-annex/v1.0/pbd-se-annex-v1.0.html open.org/pbd-se/pbd-se-annex/v1.0/cnd01/pbd-se-annex-v1.0-cnd01.html and Finneran. Tom June OASIS Committee25 2014. DraftNote 01. Ann Carter,Cavoukian, Fred Dawn Jutla,Sabo, John Frank Dawson, Sander Fieten, Jonathan Fox, Annex Guide to Privacy Designby Documentation Software for VersionEngineers 1.0 [pbd-se-annex-v1.0] When thisdocumentreferencing the citation following format should used: be format:Citation Non-Standards TrackNon-Standards Send A CommentSend A v1.0.html and LatestSander Fieten. version: Cavoukian, Fred Carter, DawnJutla, John FrankSabo, Dawson, JonathanFox, Tom Finneran,  documentThis is related to: Privacy Privacy Designby Documentation Software for Engineers 1.0Version [email protected] [email protected] . [email protected] [email protected] [email protected] [email protected] ” button the on Technical Committee’s web page at The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track . . ), ), , Individual ), ), Individual Saint Mary’s Saint Mary’s University http://docs.oasis-open.org/pbd-se/pbd-se/v1.0/pbd-se- ), Individual ), Privacy by DocumentationDesign for Software ), ), ), ), Nokia Corporation Intel Corporation Copyright © Copyright OASIS Open Reserved.Rights© All 2014. http://docs.oasis- Policy https://www.oasis- . may be found at the . Latest version: . Edited. by Ann . . Edited. by 25 June 252014 Page 2 of 44

[Type the document title] PURPOSE. ORRIGHTS MERCHANTABILITY ANY WARRANTIES IMPLIED OF OR FOR A FITNESS PARTICULAR THATWARRANTY OF THEUSE THE OWNERSHIP HEREIN INFRINGE INFORMATION WILL NOT ANY EXPRESS ALLINCLUDINGDISCLAIMS WARRANTIES, ORBUT IMPLIED, LIMITED ANYNOT TO documentThis and the containedinformation is herein provided an on "AS IS" andbasis OASIS successors or assigns. The limited permissions granted aboveare perpetual not and will be by revoked OASIS or its translate it intolanguages than other English. applicable copyrights, to as forthset IPR in the Policy,must OASIS be or required followed) as to ordocument deliverable produced by Technical an Committee OASIS (in which case the rules copyright the references notice OASIS, or to asexcept for needed purpose the of developing any However, thisdocumentworks. itself may be not modified in any including way, by removing abovethat the copyright notice and this section included are on all such derivative copies and published, copied, distributed, and orin whole part, without restriction anyof kind, provided works that on comment explain or otherwise it or assist in its implementation may be prepared, documentThis and of translations it may be furnishedcopied and to others, and derivative pbd-se-annex-v1.0-cnd01 Non-Standards TrackNon-Standards The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . 25 June 252014 Page 3 of 44

[Type the document title] 2 1 Table Contentsof pbd-se-annex-v1.0-cnd01 3 Non-Standards TrackNon-Standards 2.7 for 2.7 Respect Privacy User* Keep – it User-Centric 2.6 Visibility and Transparency Keep– it Open to2.5 SecurityEnd End Lifecycle – Protection 2.4 Functionality Full Positive-sum,— Zero-sum Not 2.3 Privacy Embedded in Design 2.2 thePrivacy as Default 2.1 Reactive;Proactive not Preventative not Remedial 1.1 Non-Normative References 3.2 and3.2 Scope Document Privacy Requirements 3.1 Organizational Privacy Readiness Operationalizing the PbD Principlesin Software Engineering Encourage2.7.3 Direct / User Data Subject Access Support 2.7.2 User Data / Input andSubject Direction Anticipate2.7.1 and Inform Open2.6.3 Emulation to Open2.6.2 Review to Open2.6.1 Collaboration Use and2.5.3 Metrics Satisfy Privacy Properties Control2.5.2 Access Protect2.5.1 Continuously Practical and2.4.3 Demonstrable Results Accommodate2.4.2 Legitimate Objectives NoLoss2.4.1 of Functionality Human-Proof2.3.4 Reviewed2.3.3 and Assessed Systematic and2.3.2 Auditable Holistic2.3.1 and Integrative Limiting2.2.2 Use, Collection, and Retention Purpose2.2.1 Specificity Proactiveand2.1.3 Iterative Defined 2.1.2 Community of Practice Demonstrable 2.1.1 Leadership Privacy Designby Introduction 2.2.2.6 Disposal, and Destruction Redaction 2.2.2.5 Retention and Disclosures2.2.2.4 Uses Parties 2.2.2.3 CollectingThird from Fair Means 2.2.2.2 Collectingand by Lawful 2.2.2.1 Limiting Collection ...... forSoftware Engineers ...... The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply ...... This Non-Standards is a Work Product. Track ...... Copyright © Copyright OASIS Open Reserved.Rights© All 2014...... 25 June 252014 Page 4 of 11 11 10 10 10 10 10 18 17 17 16 16 16 16 16 15 15 15 15 15 15 15 14 14 14 14 14 14 14 14 13 12 12 12 11 13 13 44 9 6 6

[Type the document title] 4 pbd-se-annex-v1.0-cnd01 B. HistoryAppendix Revision A.Appendix Acknowledgements Non-Standards TrackNon-Standards 4.8 4.8 Privacy Checklists 4.7 PhaseDeployment Considerations Validation4.6 Testing / /4.5 Coding Development 4.4 4.3 4.2 ModelsDocumenting Visual forPrivacy Requirements &DesignAnalysis 4.1 3.10 Sign PbD-SEoff with methodologycheck list throughout3.9 Artifacts Review SDLCthe Retirement3.8 for Plan Software of Product/Service/Solution 3.7 CodeReview 3.6 Design Responsibility3.5 Assign forPbD-SE Operationalization Artifactsand Output Privacy3.4 Resource(s)Identify support to the DevelopmentSolution Team 3.3 PrivacyConduct Risk andAnalysis Privacy Property Analysis 4.7.3 Retirement4.7.3 Maintenance4.7.2 Fielding4.7.1 4.6.1 Privacy Properties4.3.1 Modeling 4.2.2 Languages Spreadsheet4.2.1 Modeling DevelopmentSoftware Life Cycle Documentation for Privacy by Design Privacy by Design Privacy by Design 4.2.2.4 4.2.2.3 4.2.2.2 4.2.2.1 Privacy Design by ...... Privacy byDesign Privacy byDesign Privacy byDesign Privacy byDesign Privacy ...... and Design Patterns and Privacy Reference Architecture ...... Use Case Template forPrivacy Requirements The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply ...... Structured Argumentation Structured ...... This Non-Standards is a Work Product. Track andDiagrams Sequence and Activity Diagrams and Misuse Diagrams Case Case and Use Diagrams ...... Copyright © Copyright OASIS Open Reserved.Rights© All 2014...... Privacy Privacy Designby ...... 25 June 252014 Page 5 of 36 29 28 28 23 23 21 20 20 20 19 19 18 18 42 41 40 40 40 40 40 40 39 39 39 37 36 32 32 29 44

[Type the document title] This Annex Annex This provides: software engineering tasks,and produce artifacts evidence as of PbD-principle compliance. Design annex This describes 1 pbd-se-annex-v1.0-cnd01 personaldestroy data.In larger organizations, where subject matter experts and organizational store,that collect, process, use, share, transportacross borders, exchange, retain secure, or privacy and security consultants, auditors, regulators, and designersother and systemsusers of managers, managers business executives,and privacy policy makers complianceand managers, engineers operate in larger contexts, thisspecification is alsoof interest useand their to project documentation show to compliance to engineersSoftware are implementing, responsible for and documenting or referencing solo platforms. and/or projects on all sizes.of This includes software engineers in working platform teams or on specificationThis is targetedto all software engineers. They work may organizationsin (virtual) Non-Standards TrackNon-Standards           Introduction (PbD) requirements, translate the conformance principlesto requirements within Annex) DesignPrivacy by for Maintenance and Retirement (developed in a future of version DesignPrivacy by Patterns (developed futurein a version Annex) of exhibit. tocustomize their context, and Privacy Properties that software solutions should exampleAn Privacy by Reference Design for Architecture software engineers to and integrate them corewith requirements. functional Privacy UseA Template that software helps engineers privacy document requirements principles. privacy-embedded documentation demonstrate to compliance Privacyto by Design methodology A organizationfor an and its softwareengineers produce to and reference software development cycle life softwareconceptionfrom to software retirement. processA ensure to that privacy requirements considered are throughout entirethe SoftwareIntermediate engineering Documentation Checklists softwarefrom conception to software retirement. ofElaboration privacy considerations for entirethe softwaredevelopment cycle life andsub-principles, documentation, to and thus PbD-SE criteria.compliance ofElaboration the mapping of Privacy bythe Design principlesto engineering-related engineers. and gapoperations among policymakers, stakeholders, business and software ofcontext softwareengineering. effect, In it closes communications, a requirements, elaborated An andexpression explanation the of Privacy by Design principlesin the

a methodology a engineers help to andmodel document The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track Privacy Privacy Designby Copyright © Copyright OASIS Open Reserved.Rights© All 2014. principles. However, principles. software as . Privacy Privacy by 25 June 252014 Page 6

of 44

[Type the document title] [Dennedy et al 2014] et [Dennedy [CICA 2014] 2012] [Cavoukian 1995] [Cavoukian 2009] [BIRO 1.1 documentation. stakeholders have in clear theroles SDLC, their contributions may an be explicit of part the pbd-se-annex-v1.0-cnd01 2014a] [Jutla 2014] [Jutla et[Jutla al 2013] and 2009] Keller [Jacka Non-Standards TrackNon-Standards [Jutla and Bodorik 2005] and Bodorik [Jutla Dawn N. Dawn EvolvingOASISJutla,by Privacy Design Standards, 9,April 2014, available at N. Dawn Jutla, N. Dawn Bodorik(2005),Peter Jutla, Sociotechnical for Architecture OnlinePrivacy, IEEE MikeJacka,Paulette Keller. FinneranMichelle Dennedy Privacy Model,CICA/AICPA Maturity atavailable http://www.cica.ca/resources-and-member- byPrivacy Design:Leadership, Methods, Results,and 8:Chapter byPrivacy Design:The7 Foundational Principles andImplementation Mapping of Fair 2011] [Cavoukian Privacy-EnhancingTechnologies: ThePath to Anonymity, VolumeII,atavailable The BIRO Cross-border Project, of healthflow information: byis'privacy enough? design' Dawn NJutla, Dawn M2M TelematicsVehiclethe and Privacy Design DocumentationOASIS by for Non-Normative References Satisfaction. . Peter BodorikPeter

John and Wiley Sons doi:10.1109/MSP.2005.50. SecurityPrivacy,and vol. 3, 2,no.29-39, pp. March-April 2005, 2014,pages.400 Manifesto:Getting Code Policy from andto to QA Value, Apress,Jan. organizations/docs/item48094.pdf benefits/privacy-resources-for-firms-and- Protection:Coming Springer,of Age, Brussels, Belgium. ConferenceInt. on Privacy Computers, DataProtection & European Data http://link.springer.com/chapter/10.1007%2F978-94-007-5170-5_8 implement-7found-principles.pdf InformationPractices at http://www.privacybydesign.ca/content/uploads/1995/03/anoni-v2.pdf http://www.ncbi.nlm.nih.gov/pubmed/22562711 performancePrivacy assessment EUBIROD. Availablein at Munich,15April2014, slide deckavailable attendees. to Engineers Software European (PbD-SE), IdentityCloud and Conference, 14dawn_jutla.pdf http://csrc.nist.gov/news_events/privacy_workshop_040914/nist_pew_20 SantaClara. Unifiedthe Modeling Language The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track , ,

BusinessProcess Mapping: Improving Customer JonathanFox , , Sohail Ali Sohail . . p. (2013).

, , 257. ThomasFinneran www.ipc.on.ca/images/Resources/pbd-

ISBN EngineeringforPrivacy Big with Data Apps Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . IEEE IEEE .

0-470-44458-4 Big Data Big Congress2013 (2014). The(2014).Privacy Engineer’s . . . 25 June 252014 : 38-45. : Page , , 5th 7 of 44

[Type the document title] Annex to thePrivacy Design by Documentation for Software Engineers 1.0 Version 1.0][PbD-SE Annex TrackStandards or Non-Standards Track) is: NOTE 1987][Zachmann 2014] [Shostack et[Jutla al 2014] 2014b] [Jutla pbd-se-annex-v1.0-cnd01 http://docs.oasis-open.org/pbd-se/pbd-se-annex/v1.0/pbd-se-annex-v1.0.doc be:The "Latest version"permanent URI will open.org/pbd-se/pbd-se-annex/v1.0/cnd01/pbd-se-annex-v1.0-cnd01.doc Sander June Fieten, 25 2014.OASISCommittee Note 01. PrincipalURI Cavoukian, Fred Carter, DawnJutla, John FrankSabo, Dawson, JonathanFox, Tom Finneran, Non-Standards TrackNon-Standards J. Zachmann. J. AdamShostackThreat (2014), Designing Modeling: for Security,Wiley,Feb 2014.624 pages. 800-53] [NIST [PbD-FIPPS] N. Dawn Cavoukian,Ann Jutla, John Sabo, MichaelT. Fred Willett, Carter, Chibba, Michelle N. Dawn ofOverview theJutla, PbD-SEand OASIS PMRM emergingprivacy standards, : The proper : forformat citationtechnical of workproduced by TC an (whether OASIS Ann SecurityPrivacy and FederalInformationControls for Systems Organizationsand

Cavoukian,Foundational The7 Principles: andImplementation Mapping of Fair Aforframework information architecture. systems 26. No. No. 26. 3, 1987. 4, Appendix Revision Privacy J: Controls Catalog InformationPractices, submitted journal review, for 2014.21,April EngineersBusiness:and FromPrinciples Architecture,to Software PrivacyOperationalizing by forDesign Documentation Software 2014.22, workshop, PRIPARE Securityand Cyber Forum, Privacy Athens,May The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track http://bit.ly/vjvrPE Copyright © Copyright OASIS Open Reserved.Rights© All 2014. 2011January IBM SystemsVol. Journal, http://docs.oasis- . , EditedAnn by 25 June 252014 Page 8 of 44

[Type the document title] – – it User-CentricKeep 7. Respect Privacyfor User - it Open Keep 6. Visibilityand Transparency Life-CycleFull Protection 5. End-to-End Security Positive-Sum, not Zero-Sum 4. Functionality Full – Design 3. Privacy Embedded into Setting 2. Privacy as Defaultthe Preventative Not Remedial 1. ProactiveNot Reactive; PbD Principles Table 2.1: privacy assurance. mapping of A PbD the principlesto is FIPPs provided below. traditionalextend InformationFair Practice prescribe Principlesto the strongest ofpossible level The anprivacy as organization’s defaultmode of operation; resolvedauthorities encourage to the adoption of an2010 as essential component fundamentalof privacy Privacy andprotection; data protection unanimously recognized internationalby privacy and data protection authorities in October principles in terms software to specific engineers. The sectionThis describes the defaultcontext of 2 pbd-se-annex-v1.0-cnd01 Non-Standards TrackNon-Standards Privacy Design by Privacy byDesign Privacy Privacy by Design framework consists seven high-levelof interrelatedand principlesthat The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply Principles MappedFair to Information Principles Practice This Non-Standards is a Work Product. Track for Software for Engineers Safeguards Demonstrable Results Systematic Methods Data Minimization Setting & Leadership Goal- Meta-FIPPs Individual Participation (beyond data subject) Accountability Privacy Privacy Designby PbD Copyright © Copyright OASIS Open Reserved.Rights© All 2014. Privacy Privacy Designby principles guidance as establishing to Traditional FIPPs Traditional Access Accuracy Consent Compliance Openness Accountability Safeguards ------Limitation Retention& Use, Disclosure Collection Limitation SpecificationPurpose --- Redress and out lays meaning the its of . framework was 25 June 252014 Page 9 of 44

[Type the document title] the highestthe levels,to and prescribe enforce standardshigh of privacy protection, generally engineering Software proceduresmethods and are in placeensure to 2.1.1 continuous of improvement. demonstrably be throughoutshared by relevant stakeholders (internal and external) culturein a generally thanhigher the standardsby set laws regulation.and This privacy commitment should commitment, at highestthe organizational levels,set to and standardsenforce high privacy –of principle This earlyemphasizes privacy risk methods,mitigation and requiresclear a 2.1 PbDthe principles softwarein a engineering context. system functionality. seeks The aid review to software-enabledof data systems, in order minimize to data privacy risks without diminishing specificationThis enables software toengineers embed privacy intothe design and architecture softwareprinciples to engineering documentation. systems and networked architectures. specification This prescribes application the PbD of requirements, and can be universally applied information to technologies, organizational withAs traditional FIPPs, PbD principlesset both forth substantive proceduraland privacy principles.pdf Information Practices Privacy Designby pbd-se-annex-v1.0-cnd01 ways. outcomes, and mitigateto or unintended negative privacy impacts in proactive and systematic in placeidentify to privacy data and protection arising from risks poor anddesigns, practices engineering Software proceduresmethods and are in placeensure to 2.1.3 stakeholders. privacy commitment shared is by organization members, user communities and relevant engineering Software proceduresmethods and are in placeensure to that 2.1.2 thanhigher prevailing requirements. legal Non-Standards TrackNon-Standards Proactive Reactive; not Preventative not Remedial Proactive Iterativeand ofPracticeCommunity Defined DemonstrableLeadership

: : The Foundational 7 Principles Implementationand Mapping of Fair at The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply www.ipc.on.ca/images/Resources/pbd-implement-7found- This Non-Standards is a Work Product. Track

the wholethe team and executive level understand to Copyright © Copyright OASIS Open Reserved.Rights© All 2014. a clear a commitment, from continuous processes are . a demonstrable Page Page 25 June 252014 10 of 44

[Type the document title] Privacy commitments expressedare by documentingand clear concise for purpose(s) collecting, 2.2.1 supports, the all of other principles.PbD defense. Non-collection, non-retention and non-use of data personal is integral to, and described “data as minimization” or “precautionary” principle, and be must the first line of aAs default rule, system settings maximallyare privacy-enhancing. ruleThis is sometimes ispurpose defined. systems NO mandates personally collection of data —unless and specific until a and compelling The defaultstarting designing for point all software-enabled information and technologies    This theapply: defaultchoice be should mostthe privacy protective. data isclear, not is be to there a ofpresumption privacy and the precautionaryprinciple is to andretention disclosure personal of data in a system.given the Where need or use personal of principle This establishingemphasizes firm, preferably automatic, limits to all use, collection, 2.2 pbd-se-annex-v1.0-cnd01 processing engaged cycle life by the development. software under includes:This dataConsistent with strictminimization principles, limits in are place in each phasethe of data and retained: The be softwareshould designed in such a way that data personal collected, is used, disclosed 2.2.2 objectives, requirements, or functionalities. the In context engineering software of designs: andusing disclosing data.Purposespersonal may be described in terms, other such as goals, Non-Standards TrackNon-Standards      uses, disclosurescollection, and retention. mostis threatthe under in the current of era ubiquitous, granular and exponential data use(s) personalof data the to intended, primary purpose(s) collection; of and theprescribes strongest of level data protection and isclosely most associated limiting with earliest stages of the data cycle. life thehas greatest impact managing on data privacy risks,by eliminatingeffectively at risk the Privacy by Design Privacy the as Default Limiting Collection, Use, and Use, Retentionand Collection, Limiting Specificity Purpose in compliance in compliance legal with requirements. within agreement the consent received thefrom data subject(s); and in conformity with specific, limitedthe purposes; mustPurposes be aswritten requirements. functional mustPurposes be limited and specific; and principle: The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 11 of 44

[Type the document title] The softwareengineer ensures that techniques, systems, proceduresand are in put place to 2.2.2.2 The softwareengineer ensures techniques, systems and procedures put are in place to: 2.2.2.1 pbd-se-annex-v1.0-cnd01 The softwareengineer ensures techniques, systems and procedures put are in place to: 2.2.2.4 The softwareengineer ensures that techniques, systems and procedures put are in place to: 2.2.2.3 Non-Standards TrackNon-Standards party. The general asrequirements documented in the above sections alsoapply. These NOTE: arerequirements for specifically datapersonal that is collected a through third 2. 1. 2. 1. 10. 9. 8. 7. 6. 5. 4. 3. 2. 1. 1. additional dataadditional about individuals. and,document where necessary, seek whereconsent the software produces or acquires b. a. thatones also collect data fairlyand lawfully. This requires that: thatensure personal data collection sources from other individualthan the reliable are associate “fair lawful” collectionand with the data source(s). lawfully,(b) adhering all to relevant rules of law. without(a) intimidationfairly, or deception, and data is obtained and confirmreview relevant for methods, before they implemented, are that personal limits establish to collection withassociated or levels types of data subject identity. identified data collection and processing that need be to andsupported; levelsestablish or identity types of such as gradations non-identifiable, of identifiable or timeassign expirations datato at of time collection or creation; auditabilityensure of or legal business adherence collection to limitation; link ofstated purpose collection the to data source identification; identified,purposes and that all data optional is identified as such; monitor the personal collection of data ensure to it is limitedthat to necessary forthe individualdocument consentto collect sensitive data;personal reviewperiodically data requirements; associate sensitivity with levels personal data collected essentialspecify versus personal optional data fulfill to identified purposes; the individualthe has implicit orprovided explicit consent); all useslimit and of disclosures data personal the to purposes specified which for (and Limiting Collection Limiting Uses DisclosuresandUses from Collecting Third Parties by Collecting Fair and Lawful Means privacy policies, and collection methods, types of consentsobtained by third parties data provider. diligence bedue performed before establishing relationship a awith third-party be reviewedbeforebe accepting datapersonal from third-party data sources. The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 12 of 44

[Type the document title] The softwareengineer ensures that techniques, systems and procedures put are in place to: 2.2.2.5 pbd-se-annex-v1.0-cnd01 The softwareengineer shall ensure techniques, systems and procedures put are in place to: 2.2.2.6 Non-Standards TrackNon-Standards 6. 5. 4. 3. 2. 1. 5. 4. 3. 2. 1. 11. 10. 9. 8. 7. 6. 5. 4. 3. 2. redaction if practices these may result in exceptions theto normal policies/practices. contractualconsider requirements when establishing disposal, destruction, and about individual an required; as and thewithin limits technology, of locate or and redact specifiedremove data personal thedocument disposal personal of data; outcarry disposalin a manner that theft,prevents loss, misuse, or unauthorized access; destruction policies; ofdispose archived, original, and records backup in accordance thewith retention and required fulfill to the identified purposes; regularly and systematically destroy, erase, or de-identify data personal that is no longer toexceptions normal policies/practices. contractualconsider requirements when establishing retention that practices may be orbusiness legal exists reason fordoing and so; personalensure data iskept not beyond the standard retention period unless justified a applicable retention policies; retain, dispose store, and of archived and copies backup of inrecords accordance with retentiondocument policies disposaland procedures; regulations) and appropriately thereafter dispose such data; of retention limit no longer than to needed purposesfulfill the (or required byas or law securityensure of data transfers. retentionaudit limits and resultingdestruction; and and adherence;ensure inform third parties relevantof collection, use,and disclosure retention requirements, justification(s)document forall without disclosures subject consent; secure consent, individual where necessary, disclosures for third to parties; whether document “secondary” selected beuse(s) may allowed law; under futuretie uses personalof data the to original collection purpose(s); andassign observe time associatedexpirations with uses; emergencyanticipate and exceptional uses disclosures;and differentiate datapersonal by both quantity,type and treat accordingly; Disposal, Destructionand Disposal, Redaction Retention The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 13 of 44

[Type the document title] 2.3.4 2.3.4 design for basis decisions. The softwareengineer ensures that detailed privacy impact andassessments risk used are as a 2.3.3 acceptedupon standards and process andframeworks, is amenable externalto review. The softwareengineer ensures that systematic,a principled approachis adopted that relies 2.3.2 privacy risks. integrative ways by adopting broad as scope a as possiblewhen identifying and mitigating The softwareengineer ensures that areprivacy commitments embedded in holisticand 2.3.1 andminimized, not degradedthrougheasily use, misconfiguration or error. resulting technology,operation or data architecture, and theiruses, shall demonstrably be consideration alternative of options design and choiceof metrics. The privacy impacts of the documenting privacy the andrisks measures taken mitigate to those risks,including standards and frameworks. Privacy impact and risk assessmentsshall be carried out, approachsystematic embedding to privacy is be to adopted—one that relies upon accepted systems designed are and developed, as how as well the resultingsystems operate in practice. A principle This integratingemphasizes privacy protections into the methods which data by 2.3 pbd-se-annex-v1.0-cnd01 technology, process architecture. or network The softwareengineer ensures that privacyembedding does impair not functionality of given a 2.4.1 maximum privacy. trade-offs rejected wherever possible, in solutions favour of that enable multi-functionality and desireddocumented, articulated, functions metrics agreed upon and applied, and zero-sum that all requirements optimized.Allare non-privacy interests and objectives must clearlybe donebe in such a way that is functionality not impaired, and the to greatest extent possible, “win-win” manner. When privacy embedding into given a technology,process, or it shallsystem, principle This to seeks allaccommodate legitimate interests and objectives in a positive-sum 2.4 increased through use, misconfiguration, or error. The softwareengineer ensures privacythat the are risks demonstrably minimized and not Non-Standards TrackNon-Standards Full Functionality —Positive-sum, Zero-sum Not Privacy in Embedded Design No ofFunctionality No Loss Human-Proof ReviewedAssessed and Systematic Auditableand Integrativeand Holistic The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 14 of 44

[Type the document title] 2.5.2 2.5.2 system scope and datathroughout the from life-cycle, creation destruction.to The softwareengineer ensures that datapersonal is continuously protected across entirethe 2.5.1 destruction. techniques, access strong controls, logging and auditing techniques, and methodssecure of data throughout its lifecycle including, among other things, appropriate ofuse encryption securityApplied standards assure to are the confidentiality, integrity availabilityand of personal destruction.to There shall gaps no inbe either protection of, or accountability forpersonal data. question, whether the personal data rest, is at in motion in or from use collection throughinitial principle This continuous emphasizes personalprotection of data across entirethe in domain 2.5 emulate to others and best become to practice. The softwareengineer ensures whereverthat, possible, optimized outcomes published are for 2.4.3 solution thata enables multi-functionality articulated,functions metrics agreed, trade-offsand rejected in the first instance, when seeking The softwareengineer ensures that all andinterests objectivesare desired documented, 2.4.2 pbd-se-annex-v1.0-cnd01 andRobust transparencyvisibility enhance the capacity forindependent verification. understanding among software provide users, and forinformed by choices users/data subjects. fulfills stated promises and objectives. Demonstrating visibility and transparency enhance relevant stakeholders, appropriate information and evidence theabout how softwareor system The softwareengineer shall create the foundation foraccountable softwareby providing, to 2.6 and shouldprivacy risks quantified be and regularly.reported privacy propertiesSection (see 4) and amenable are verification. to The securityreduction of software engineer ensures that solutions user/data support subject-level and system-level confidentiality, integrity availabilityand of data, personal and amenable are verification. to The The softwareengineer ensures that security standards applied are that the assure 2.5.3 sensitivity, and is consistentwith standards recognized criteria.and The softwareengineer ensures tothat access data personal is commensurate with its degree of Non-Standards TrackNon-Standards Visibility and TransparencyVisibility – Keep it Open End to –Lifecycle End Security Protection Use Metrics and Privacy Satisfy Use Metrics Properties ControlAccess Protect Continuously Practical Demonstrableand Results AccommodateLegitimate Objectives The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 15 of 44

[Type the document title] interests in mind,interests and convey privacy properties (where relevant) timely,in a useful, and The softwareengineer ensures softwarethat the is user/datadesigned with subject privacy 2.7.1 control, and redress. datapersonal through mechanisms designedfacilitate to informed consent, accessdirect and objective of this principleis empower to users/data subjects to active play roles in managing privacystrong defaults, appropriate notice, and anduser-centric user-friendly interfaces. key A The softwareengineer shall keep the of interests the useruppermostindividual by offering 2.7 andtechnologies systems open are scrutiny, to praiseand emulation by all. The softwareengineer ensures designthat the and operation privacy-enhancedof information 2.6.3 satisfy the privacy strongest laws, contracts, and policies norms (as required). The softwareengineer ensures designthat the and operation software of systems demonstrably 2.6.2 members stakeholders.and are outcomes documented throughout the lifecycledevelopment and communicatedto project The softwareengineer ensures that privacy requirements, risks,implementation methods and 2.6.1 pbd-se-annex-v1.0-cnd01 accesssubjects direct to data about held them, and accountan of and uses disclosures. The softwareengineer ensures that software systems designed are users/data provide to 2.7.3 subjects express to privacy preferences and in controls a and persistent effective way. The softwareengineer ensures that technologies, andoperations networks users/data allow 2.7.2 way. effective Non-Standards TrackNon-Standards Respect Privacy for User* –Keep it User-Centric EncourageDirect Data Access/ User Subject Direction/Subject Userand Data Support Input AnticipateInformand toOpen Emulation toOpen Review CollaborationOpen The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 16 of 44

[Type the document title] In order to In demonstrate adherence Privacy to by Design principles, an organization shall: 3.1 development andprocess methodology. includes pre-existing It privacy models.risk used being to privacy requirementsensure are incorporatedidentified and addressed in the upheld. The methodology addresssteps the what’s questions: changed with data, personal and privacy are properties The methodology emphasizes an iterationexpectation of one over its or more of steps. Several methodology the will need right-sizeto steps based theirresources, on andcomplexity size. dependent theon will good and memory a of individual.single organization Each entity usingor engineering methodologyis operationalized so that it is sustained functionally and not solely (SDLC)methodologycycle or organizational structure. is directedIt at the ensuring privacy Softwarethrough Engineering tasks. sectionThis defines a technology governance methodology foroperationalizing PbD Principles 3 pbd-se-annex-v1.0-cnd01 includingdocumentation, privacy policies and privacy resources, in her/his organization. engineer must documentation the required forthisstep. Others in theirorganizations but software will, the privacyto readiness. Software engineers in medium large to organizations will producenot all this of methodological step the documents working ofcontexts softwareengineers with respect Privacy capabilities maturity across varies size and organizationsage andof industry. The output Non-Standards TrackNon-Standards        Organizational Privacy Readiness Engineering Engineering PbD Software in the Principles Operationalizing to ensureto functionalized role is and personalitynot dependent. Determine training, communication and transfer/management knowledge mechanisms forengineering lead organization the and for the project. thewithin components the of engineering process and their relationship to privacy the Determine who thewithin organization is responsibleand accountable forprivacy team. privacy the andarchitect engineer and QA responsiblefor orhe/she does or a they lead Determine privacy resource’s responsibilities across projects; i.e.,is the person(s) also among divided people, several the to according extent the of firm’s resources. bothbe the privacy lead for the organization and for the project, tasks or the may be whoIdentify candidates are for privacy engineering leads for projects. person This may organization’sthe overall privacy programor is limitedthe to engineering function. Determine these resources’ responsibilities;i.e., is responsible this person for building dotted-line report the to CPO orthe be CPO. onDepending and structure size of overallorganization, thisperson may hardline or whoIdentify in the engineering organization is responsiblefor Design. Privacy by executive Establish andleadership commitment operationalizing to Privacy Design.by reference The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply anda show knowledge working theof content organizational privacy documents the policies, processes, standards, and that guidelines are This Non-Standards is a Work Product. Track This methodology is agnosticto software development life Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 17 of 44

[Type the document title] produce threat a assessment report documenting (including threat models, e.g.[Shostack, riskprevious assessmentreports available. If they not are theup-to-date, organization shall whatever For engineered,is being the softwareorganization shall examinethe recent most 3.3 in privacy threat analysis. system properties with software’sthe functional requirements. Thesedocuments mayused be equivalent diagrams scope to the integration of privacy user/data functionalitysubject-level and more of spreadsheets, data flow,data models, UML sequence and/or diagrams,oractivity engineersSoftware shall andmodel classify data and behavior common with e.g..one tools, or that scope the privacyproducts’ requirements or privacy features. methodology [2013] users’/data or EQUIVALENT, and privacy subjects’ requirementsexperience cases, theusing Privacy Use (section Template 5.1) more or the OASIS PMRM comprehensive Stakeholders shall define and document theuser/data key subject privacy stories, or privacy use requirements theestablish defaultconditions for theprivacy within product. software organization shall documentscope and initial product privacy requirements. These Based an on analysis theof product defined (e.g., casesoruse user/data subject stories),the 3.2 paramount. this step identify to and createprivacy-related roles, responsibilities, and accountabilities is CPO/privacy manager/privacy resource in order complyPbDto with principles, the guidance in Because, software engineers in small organizations may take the on responsibilitya of pbd-se-annex-v1.0-cnd01 accountable and responsibleroles privacy, for if necessary. documentation that can be reviewed correctly. Note that softwareengineera can take on interaction ongoing privacy officer/privacybetween engineer and software engineers writing for privacy impact threshold for the shallproduct, be documented. There is an expectation of thewithin organization (if one exists), and product’sthe privacy visionto aset the for goal The identity the of team’s thatprivacy “champion(s)” liaises with the responsiblePrivacy Officer 3.4 leveldetermine the of privacy resourcing. privacy propertiesSection (see 5.3.1).The evidence this from and stepsprevious used are to evaluation and selection report. For in sectionof 5 thisspecification document 3.2)Section producesprivacy a requirements report following the Privacy Use found Template For 2014], privacy impact assessment, and business impact summary. Non-Standards TrackNon-Standards whatever is beingwhatever engineered is beingwhatever engineered Identify Identify Privacy Resource(s) to Development support Solution the Conduct Privacy Risk Analysis and Privacy Property Analysis PrivacyScope and Document Requirements Team The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track This report shall address how the well satisfy controls selected , the softwareorganization shall produce privacy controls’a , scoping and documenting privacy requirements (Step 2, Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 18 of 44

[Type the document title] The softwareorganization shall: 3.5 allocationresource across teams.] as scarce software organizations hold down. Thus this costs may leadstep different to privacy resourced than others, of regardless oflevels privacyand threats, that privacy resources are [Context: Note state that the theof artshows thatsoftware some engineering teams better are together work toengineers, certify that deployed solutions comply with PbD principles. team in determining the privacy impact of dataeach attribute. Stakeholders, including software Privacyproducts/services. resource(s) would workwith data the stewards and of parts other the Responsibilities of privacy the maintainingresource(s) include PrinciplesPbD in work pbd-se-annex-v1.0-cnd01 components, connectors, data repositories, and metadata. Design mappings classes, to architectural viewpoints of the software eventual product/solution consisting of privacy services-orientedThis architecture willcomplemented(SOA) be detailedwith and contextual privacy the services-based reference (SOA) architecture, shown in Fig. 5.5 a as high-level guide. complementaryengineering of software classes or components. engineers maySoftware use privacy referenceA architecture may createdbe and documented a as later for basis software 3.6 andmanner, those simply who stay informed. and responsible resources, as those as well resources that act in a collaborative/consulting throughout the work stream. The outputthis of is thestep documentation of accountable the largera project management process. Responsibilities associatedand metrics will tracked be sharingachieves of responsibility for the principlesPbD the across solutions engineering team in assignment of resources various foroperational PbD-SE artifactand production. This step 2009]--- responsibility, consulting/collaborative, accountability, –informed document to the readiness. stepThis documents engineers’ the environment working respect to with privacy engineering Non-Standards TrackNon-Standards 5. 4. 3. 2. 1. Design Assign Responsibility for PbD-SE Operationalization and Artifacts Output ofrelease privacy engineeredsolution to with requirementsaddress overall for organizational readiness fordeployment or Document within who the organization the privacy engineering designate lead or works engineering process. Document engineers responsible the for privacy within components the of the responsibilities Document is thewho privacy engineering lead fora project, andspecific her/his Document team’sthe privacy resource’s responsibilities. and executive championthe forprivacy engineering within who the larger organization is responsiblefor privacy and software engineering, Document in thewho engineering organization responsibleis forprivacy engineering, Organizations may use framework a such as RACI the [Jacka model and Keller, The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track . Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 19 of 44

[Type the document title] A non-exhaustiveA examples list of what suchof a may plan include, not but is limited to: Product/maintenance teams shall create privacy ramp-down in a guidelines retirement plan. 3.8 software. also ensures third partyscreening of code for privacy before violations incorporation in existing User/data subject testing and/ormay studies also inform the outcome of this step.step This aroundmetrics satisfaction privacy of properties (as perSection shall guide3.6) evaluation. requirements stage,specification to examine the privacy compliance Privacy andissues. security engineersSoftware shall execute privacy tests, specific formulated at early the privacy 3.7 2005,Bodorik, et Jutla al, 2014]. context, confinement (data minimization and proportionality), and consistency [Jutla and including comprehension, consciousness, choice, and around consent and privacy, support accountability. Furthermore,the architecture shall satisfy user/data subject-level properties, observability, identifiability and systemlinkability with use, traceability auditability,and and The resultingarchitecture shall satisfy system-level privacy properties, suchminimizing as documented outputthis of stage. implementation classes, UI andarchitecture and designs, selection of technologies, shall alsobe pbd-se-annex-v1.0-cnd01 privacy document ensureartifacts to compliance PbD to principles. during thislife by cycle different stakeholders. For privacyexample, the team legal reviews the engineered product/service. shall Documents completedbe also but reviewedperiodically ofThe context the methodologyis through data a maintenance cycle life software-for a 3.9 Non-Standards TrackNon-Standards      Review Artifacts throughout SDLC the Plan for Retirement of Software Product/Service/Solution Review Code DBs areDBs active not anymore. registration In organizationscountries, notify Data (DPA)Processing Authority that the erasure, documented are in the retirement plan. softwareandFor data on securityhardware, controls, e.g.NIST directives disk hard on statementquality around experience ramp on down. communication data to processors needed.are Retirement plans containshould a organizationIf an data processors,uses or third-party service providers, similar owner. andsubjects, if applicable give tochoice as deletion, before movement new a datato dataIf controller the changes, companieshave obligation an inform to users/data for databases. shuttingare down, may inform and about archiving or disclosure/sharing requirements If software is consumer facing, organizations communicate consumers to that services The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track

Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 20 of 44

[Type the document title] Analysis Property Privacy Risk and 3.3 Conduct Architecture Reference s & Requirement Privacy 3.2 Scope -al Readiness Organization Reference 3.1 Step Methodology PbD-SE Table 3.1 Chart RACI forSoftware Engineers and organization). organizations will havedifferent RACI assignmentsaccording theirspecific to (e.g. contexts size Table an 3.1 shows exampleRACI chart that can act as checklist. isa expected thatIt privacy documentation generated and/or referenced. responsible stakeholders assess, to aat glance, whether PbD principlesare considered and step This verifies that proper documentation exists.is checklist useful A for managers and 3.10 pbd-se-annex-v1.0-cnd01 Non-Standards TrackNon-Standards Sign off with PbD-SE methodology check list PbD-SE with off methodologycheck Sign identification controls preliminary ments, Require- Privacy Functional Organization Program in Roles/Training Privacy Document Privacy Policy orproduced bereferenced Documents to of privacy consideration n show to documentatio other diagrams and Traceability Architecture Reference & hooks to The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track CI CI RA I CI ineer Eng- Software ource Res- Privacy RACI RACI RACI RACI RACI ment. age- Man- ect Proj- CI ACI CI CI Copyright © Copyright OASIS Open Reserved.Rights© All 2014. ment. ge- Mana AC AC AI AI ACI Party Third CI RAI I I . User - CI CI ject Sub- Data I Page Page 25 June 252014 21 item -list Check ✓ ✓ x ✓ of 44

[Type the document title] Plan Retirement 3.9 Create Evaluation & Privacy Code Testing 3.8 Execute Review Periodic 3.7 Conduct Architecture Privacy Customize 3.6 Artifacts Producing RACI for 3.5 Create Allocation Resource Privacy 3.4 Identify pbd-se-annex-v1.0-cnd01 Non-Standards TrackNon-Standards 3.10Sign-off software retirement of Plan for properties privacy satisfying evaluation for Testing and the SDLC throughout Artifacts Review of identification) (incl. services Architecture Privacy production artifact assignment to RACI SE team allocation to resource Privacy identification Final controls Risk analysis properties checklist Sign off with solution The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track RACI RACI CI RA RA RA RCI I CI CI RACI RACI RACI RACI RACI RCI CI ACI A CI RACI RI CI RACI RACI RACI RA CI RACI Copyright © Copyright OASIS Open Reserved.Rights© All 2014. AI AI AI ACI AC AC ACI AI AI I - I CI - I - - . - - - - - I C - CI C C C Page Page 25 June 252014 22 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ of 44

[Type the document title] include include user privacy stories or privacy use cases in theirfunctional and analysis designs; follow engineersSoftware show consideration of privacy when they the do equivalent theof following: compliance. tools, of models methods, thoseor to described in thissection in toorder satisfy PbD-SE development cycle. life specificationThis is flexible in that use itfor allows of typesEQUIVALENT and operationalizing comprehensive understanding and documentation of privacysoftware in a development project subsection This the typedescribes of tools and that techniques software for engineers employ a 4.1 Design significant subset of equivalence documentation of fulfillto obligations, listedin Table [PbD-SE 2.1 fora01], anddesigns implementations. The current of version this section specifiestypes of and requirements encapsulatedthrough components, privacy services, or patterns in their product privacy document andrequirements design, visualize and embed and in thisprovided and section.Tools visual help models software engineers and generate 01]. Elaboration privacy documentation,of including tools and models visual forprivacy are sectionThis directly to relates normative clauses in Table 2.1 of PbD-SEthe specification [PbD-SE 4 pbd-se-annex-v1.0-cnd01 organizationthe and organizations across multiple has benefits: Privacy Use can Template inaid theirproduction. Additionally, adoptingTemplate a throughout Because documentation artifactsmemorialize analysis and actions out carried stakeholders, by a comprehensive privacy picture withassociated specific a case set use or of user stories. to help thismake manageable complexity by a providing structure foranalysis and exposing a thisdecompositiontimes can process extremely complex.be Using standardized a template can privacy principles, FIPPs, andpolicies privacy related processesbusiness into components. At PbD Among other principles. things, thisoperational focus requires breaking down abstractPbD Applying Privacy Designby and/or pragmatic use diagramming and documentation toolsvisualize, to record, and enact (elaborated in that [PMRM-01]) expresses privacy requirements as requirements; functional privacy requirements methodologies, elicitation such as, the Non-Standards TrackNon-Standards  Privacy Privacy by Design Privacy byDesign Privacy Documentation for Cycle Life Development Software . A standardizedA use template can reduce the time of and cost operationalizing PbD and improve theimprove quality and reusability of documentation Privacy Privacy Designby . . PbD Privacy Privacy Designby The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply principles, for particularly to the to softwareengineering discipline requires “operationalizing” Use TemplateCase Use for Privacy Requirements This Non-Standards is a Work Product. Track intothe requirements phase analysis theof software Privacy Privacy Defaultby Copyright © Copyright OASIS Open Reserved.Rights© All 2014. Privacy Privacy Designby and Privacy Privacy Designby . Privacy Embedded in Use Template Page Page 25 June 252014

23 of 44

[Type the document title] A PMRM-basedA templateprovides: Use Template. therefore the valuable as foundation comprehensive, fora standardized and Privacy accessible to necessary privacydeliver and ensure to privacy effective management.risk is The PMRM andmandates control requirements the with technical theservices and underlying functionality developing privacy requirements foruse It cases. enables the integration privacy policyof supports(PMRM) thisPrivacy Use Template. It represents comprehensivea methodologyfor OASIS Privacy Managementthe Reference and Model Methodology Technical Specification v1.0 ofcomplexity privacy requirements software in a development project. noted 1,As in Section simple basic while structure, alsosupporting in-depth the analysis address to needed the help accessibility,To ease foster of use wideand adoption Privacy a TemplateUse should have a pbd-se-annex-v1.0-cnd01 Non-Standards TrackNon-Standards • • • • • •      • services functionalityservices and within Use a Case/User Story boundary and to linkages capabilitythe expose to privacy control requirements and technicaltheir supporting privacy life-cycle into insights relevant Use Case stakeholders developers in privacy-embedded Use Case/User developmentStory vis-à-vis other understandingan of relationship the theof privacy responsibilities software of methodologies.agile consistent with comprehensive v1.0 the OASIS PMRM Committee Specification, and segmentationa of Case Use components, or Stories, in User a manner generally development Casefor the Use responsible parties that affect privacydirectly management and related software comprehensivea inventory of Privacy Story Use Case/User components and the development project datapersonal or personally identifiable information involved in ais software standards-baseda format enabling ofdescription specific a Privacy Use Case in which datapersonal transferred across system and organizational boundaries. template will ensure help that Privacy by Design principlesextend the to protection of Finally, where bridge code must external to systems and applications, standardized a organization and extension the Privacy byof Design principlesmorebroadly throughout an standardizedA template thealso facilitates re-use of for newknowledge applications functionality is aIt toolmap to privacy policies, requirements and objectivesto control technical implementation has been not initiated or completed can expose It PbDgaps analysiswhere has beennot carried orout where privacy components the of project anwithin organization a common picture and clearer a understanding of all relevant providesIt all stakeholders with associated the software specified development project development development training,(privacy privacy management maturity,etc.) potential the for assessing organization in an PbDessential predicates forsoftware external privacy management services Privacy by Design The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track requirements throughout the differentstages theof Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 24 of 44

[Type the document title] The Privacy Use Components: Template in-house data data collection, oranalysis modeling tools. The template does specify not implementer’s an SDLC methodology, development practices or pbd-se-annex-v1.0-cnd01 Non-Standards TrackNon-Standards 7. 6. 5. 4. 3. 2. 1. • • • – Use Case Domain and Owners, with Rolesthe associated Domains,   Use Case business policiesand PI and PIIPI legal,regulatoryand governing inthe PII and /or the ( with associated Use Case Data subjects is communicated,data created, processed, stored or deleted) (Relevant applications and products requiring software development where personal with Use Caseassociated Applications DescriptionUse Case Category Use Case TitleUse Case applications by andextracting making visiblerequired privacy properties. significant value as tool to a increase to opportunities achieve • Includes dataany subjects associated with any of theapplications the usecase)in case domainscase or systems and linksto theirsources) ( within privacy domains or systems, applications or products) and(The PI PII collected, created, communicated, processed, stored or deleted within specific a privacy domain Roles systems given within a domain servicesfunctional are or defined managed business in processes technical and OwnersDomain subjectthat are to thecontrol particularof a domain owner logicaland areas (such as a wide-area or network cloud computing environment) Domains The policiesregulatory and requirements governing privacy conformance within use - theroles responsibilitiesand assigned to specific participants systemsand - both- physical areas (such as a customer location or data center location) The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply - theparticipants responsible for ensuring that privacy controls and This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2014. Privacy by Design .

Definitions: Definitions: Page Page 25 June 252014 in 25 of 44

[Type the document title] overlapping roles overlapping roles stakeholdersof having PbD responsibilities in and roles software template is not hierarchicala model. It recognizes, does as the which on it isPMRM based, the illustrationThe following (Fig. highlights4.0) these templatecomponents. twelve Note that the pbd-se-annex-v1.0-cnd01 development. Non-Standards TrackNon-Standards 11. 10. 9. 8.  Necessary to Support ControlsPrivacy and Underlying 12. Functionality Services implementation required for developer controls Privacy applications UseCase supporting the Systems   and Systems Touch Linking Data Flows Points or Domains requirements andrequirements regulations] orsystem, applications as required internalby governance policies, business achievement of stated objectives (Control - processa to designed provide assurancereasonable regarding the set of functions ahaving relationship to operational privacy management) -(System a collection of components organized to accomplish a function specific or specified purpose -Service a collection of related functions mechanisms and that operate a for use case flows Data data – exchanges carrying PI privacy and policies among domains the in systems within privacy domains Touch points thepoints- of intersection of flows data privacy with or domains The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track

[ Note: to be developed against specific domain, Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 26 of 44

[Type the document title] Fig. Color-codedFig. 4.0 GroupingStepsof of the Privacy Use Template pbd-se-annex-v1.0-cnd01 illustrated in the following torelated template specific will components vary (particularly within large a organization) as Responsibilities forcontributing to development the of Use a Case and providing information forTemplateDevelopment Responsible Stakeholders Organizational Non-Standards TrackNon-Standards The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply

example: This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 27 of 44

[Type the document title] recorded recorded attributes software for a include:project Spreadsheets may usedbe part as of required the documentation.specification Examplesof 4.2.1 Design combination of spreadsheet, DFD, and/or representation.UML The output of the state-of-the-artThe current into industry privacy document oneconsiderations involves a of or 4.2 pbd-se-annex-v1.0-cnd01 Non-Standards TrackNon-Standards Transfer De-Identification to ofPurpose Collection Used By Type of Format Collection Method Collected by Source PII Classification InfoPersonal Category Description Personalof Data/Data Cluster Data Repository Format ControlSecurity during Data Transfer Documenting Visual forDocumentingModels Visual Privacy Requirements Analysis & Design SpreadsheetModeling Use Template in section 4.1 mayrepresented be ways asin similar well. The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Privacy Privacy by Page Page 25 June 252014 28 of 44

[Type the document title] trail. engineering. In addition, capturing diagrams in formal documentation a provide useful audit Diagramming speeds up requirementsthe gathering and specification phase in software requirementsfunctional and clearly to represent interactionsmultiple with stakeholders. informationimplement the technology solutions, communicateto detailed understanding of power. They enable people,who understand the problem, and people,who design and complementto their spreadsheet An advantage use. modelingof is languages their expressive power, in the casethat software visual engineers choseto not withdocument spreadsheets, or The uses section illustration below for UML and determination of equivalence in expressive 4.2.2 pbd-se-annex-v1.0-cnd01 ofnumber privacy service operations that required are increases. The softwareengineer may isUML It extensible. may<> use reduce to the clutter and scaling support as the case/user story diagrams. diagram. There is similara scaling problem when representing privacy requirements in use usecomponent cases to thehide system complexityand to handle usescale in the case systems complex too are be to represented in one software page, engineers larger utilize Use cases composed are many smallerof use casescenarios and/or userstories. many As thedocument embedding privacy into of their designs they as abstract andout details. group UseUML Case diagrams recommended are forsoftware toengineers use to visualize easily and use case privacy requirements, select controls, represent and them sectionThis illustrates how softwareengineers may 4.2.2.1 agnostic the to software engineers’ of choice modeling language. Unified the Language Modeling being popular(UML) a standard. This specification remains modelingDifferent languages usedare industries. across The softwareindustry several uses with Non-Standards TrackNon-Standards preferred. subject,user/data or observ-ability of data private identity,or and complexity least is the provides least exposure identity, of link-ability other to data that can re-identify a privacy When properties. there multiple are ways to good a design solution, option the that subsections.following spreadsheet Other tabs may contain designer consideration of toaddition these fields, spreadsheettabs can contain DFDs and as models described in the alsoThese fields several document outputs of the Deletion Policy Retention Policy Disclosed to Storage or data retention site Modeling Languages Modeling Privacy byPrivacy Design

diagrams as one of theirdocumentation mediums. The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply and Use Caseand Diagrams Use This Non-Standards is a Work Product. Track visualize, document, communicate and Privacy Privacy Designby Copyright © Copyright OASIS Open Reserved.Rights© All 2014. in black-box services high-level using Use Case Template. In . Page Page 25 June 252014 29 of

44

[Type the document title] also needs the doctor’s agreement theto conditions specified in the notice that may involve actors. further also The doctor presentedneeds be to the with privacy notice, and system the case, the with addition a of whodoctor needs review to recommended treatments, and two shows Fig. a 4.2 more complexuse UML casediagram. It is the assame scenario in the previous privacy services and controlsthe they represent thewithin container apply. theand communicationsince line from container connectedthe is the to use sub case, all theAs connection line in Fig. 4.1 the from data scientist is connected to privacy container,the The third (iii) specifiesservice that anonymization de-identification) (or control to applied.is be pseudonymizationimplements the the for control data before it is used by application/app.an output the data by program, and obtaining an fromagreement her/him. (ii) The secondservice controlimplements the that requires showing the privacy notice the to on scientist, use the of thescientist and use casescenario. It contains three (i) privacy services: The first privacy service Fig. 4.1, In “super”the privacy ServicesContainer is the on communication line between the totheofPbD-extended illustrate Diagrams: concept UseCase Example the for controls use or casescenario, userstories. example An below. is provided theservices, softwareengineer can document privacy requirements and selection of privacy usingBy components that understood well are by modelers, and hookeddirectly privacy to privacy service a on case diagram.use diagram reduce and diagram’sthe by complexity clutter avoiding the of multipleinstances a of et[Jutla al, 2013]. The ServicesContainer will allhost the privacy services requireda for use case ause Privacy ServicesContainer or Container a stereotype, for example, isas shown in Fig. 4.1 pbd-se-annex-v1.0-cnd01 thewith View alternative patients treatments use case scenario. However, there is additional signifying that all privacy within controls container the to apply the data interaction scientist’s in Fig. 4.2,Further the data scientist as actor, is connectedbefore the to privacy container doctorthe actor, applicable privacy controls, and the usedoctor’s sub case. doctor’s communication lines need be to labeled properly to identify the connections between connected directly the to applicable privacy controls the within container. Furthermore, the privacy notice and agreement. Anonymization isapplied. not Consequently, the actordoctor is controlsthree communication apply: over secure channel,the pseudonymization data, of and obtained,agreement and anonymization must appliedbe output on data. the For doctor, only channel, pseudonymization input on data must apply,privacy notice must be given and and Viewalternativethe treatmentsuse casescenario:communication must be a over secure All privacy requirements, specified privacy services by within the applycontainer, to scientistthe services apply. in theAs previous case the data scientist is theconnected to container, signifying that all privacy requirements representedare using privacy services implementing controlsis shown in Fig. 4.2. communicate with scientist the and alsothe doctor secure over channels. How these privacy pseudonymized. For this casescenario an requirementadditional is that the system must conditions patient’s a from consent directive. Data shown to doctorthe needs be to Non-Standards TrackNon-Standards The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 30 of 44

[Type the document title] the View the treatment sub case–use in which caseonly securea connection is required. pseudonymization, agreement, notice and secure connection.and also He/she is connectedto theconnected to Recommended Review Treatments use sub case, which requires View treatmentsub case. use The doctor connected is now two to usesub The cases. doctor is communication is Therequired. nurse connected actor is the to control Security then toand the isAnother anew actor head who nurse viewsspecific a treatmentrecord secure only – data which on a anonymization strong method, based the on concept of l-diversity, is applied. withk-anonymity k, large is specified Thefor her. public researcher isnew a actor that accesses scientistthe is connected theto and container, not to directly the defaultcontrol, the method, toaccess anonymized an version the of data big in orderset to atroubleshoot problemissue. As control. Suppose now datathat scientistthe has requested and full received and extended in thatdetail there two are anonymization methods specified thewithin Anomymization pbd-se-annex-v1.0-cnd01 2013] 4.1Fig. Non-Standards TrackNon-Standards Single-actor Single-actor casediagramuse with privacy services implementing controls et[Jutla al, The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 31 of 44

[Type the document title] Fig. 4.2Fig. pbd-se-annex-v1.0-cnd01 valuable for detailed analysis. actorsof the to various casesanduse privacy controls. But the Activity Business Diagram is more thaninformation Use Case Diagrams. Case Use Diagrams valuableare to theshow relationships case.use TheDiagram Activity shows process relationships anddecisions, key and much more to Getting next level,theythe may use Business DiagramsActivity foreach and project each for highestthe level the of enterprise. engineers may develop Activity Enterprise Diagrams show to functionbusiness relationships at Diagram may usedbe forthe two highest of Zachmanlevels the Framework [1987]. Software Diagrams Activity UML document multiplelevels of What wedetail. call Business the Activity 4.2.2.3 stakeholderviolate privacy. Theyadd view a from threat (Seemodeling [Shostack, 2014]). Cases Misuse UML and Case Misuse Diagrams highlight and document ways actorsthe can 4.2.2.2 services implementing [Jutla controls et 2013]al, Non-Standards TrackNon-Standards VisualizingPrivacy Requirements multiple-actor with casediagramuse with privacy Privacy byPrivacy Design byPrivacy Design The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply and ActivityDiagrams andCase Misuse Diagrams This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 32 of 44

[Type the document title] principles (see Fig.principles (see 4.9). iconNote show to privacy principlesand to which modulesshow address which privacy design. The Activity System Diagram is 4.8) augmented(Figure with an Diagram Activity UML Activity System Diagrams thesupport design documentation and modulesof a within system data attributes. extensions activityBusiness diagrams andconsider express privacy details without needing use to UML and to decisions andhighlight document where privacy need concerns to addressed. be We tool. the add Activity Diagram to Object icon major datashow attributes tied processes to 4.6 illustratesFigure the Hospitality company’s Activity Business Diagram a as modelingprocess pbd-se-annex-v1.0-cnd01 4.6. Fig. Non-Standards TrackNon-Standards forVacation Business PlanningActivity a a [DennedyDiagram project Hospitality in et Company al 2014] . . Figure 4.7 illustrates the of use Business Diagrams Activity with privacy impacting The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 33 of 44

[Type the document title] pbd-se-annex-v1.0-cnd01 2014] 4.7. Fig. Non-Standards TrackNon-Standards Visualizing Privacy-Impacting Attributes a on Activity Business Diagram [Dennedyal et The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 34 of 44

[Type the document title] Fig. 4.8Fig. pbd-se-annex-v1.0-cnd01 etDennedy al2014] 4.9Fig. Non-Standards TrackNon-Standards Mapping Privacy Components [Dennedy al2014]et Privacy Privacy Designby The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track , GAPP, of, Principles FIPPs Privacy to Components [Source: Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 35 of 44

[Type the document title] 4.3 4.3 4.10 Fig. privacy services among requirements functional in UML sequence (see diagrams Fig. 4.10). engineersSoftware may also documentvisualize and privacy requirements by embedding 4.2.2.4 pbd-se-annex-v1.0-cnd01 repositories architecturalin further viewpoints. architecture,reference an equivalent or architecture,non-SOA and data incorporate todue its services-focus, software but drill engineers will possiblyguided down, by thisSOA themcomplement at the userinterface Data layer. repositories shown not are in Figure 4.11, owners, or[Jutla domains et Additional al, 2014]. privacy services, data suchfor as minimization, touch points, i.e. the at interface twoof or morestakeholders,applications, systems, data Certification, and Enforcement a form architecturalcore as pattern, they repeatable are at PMRMeight Security, services Agreement, of Usage,Access, Validation, Interaction, shrinking Organizations may adopt and customize variants such aof architecture, privacy reference organizations’ to bridge business-related privacy services collected on data at composite layer-3. then data provide to management a integration serviceor layer. Thesemiddle-layer services services (layer 1)integrated are functionalin the softwarethrough Theseprivacy APIs. services network)online social that collects data is shown at bottomthe level. Functional privacy collectsoftware to and manage client and stakeholderother data.Functional software (e.g. an customization aby softwareorganization, i.e. any organization that createsand/or uses high-level,A fullstakeholder-view, architecture privacy reference (Fig. provided 4.11) is for Non-Standards TrackNon-Standards Privacy Privacy by Design Privacy byPrivacy Design Visualizing Privacy in Services a Diagram Sequence UML or growing it depending theirareas on of and emphases privacy maturity level. The The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply and Privacy Reference Architecture andDiagrams Sequence This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 36 of 44

[Type the document title] Fig. 4.11. Fig. pbd-se-annex-v1.0-cnd01 and observ-ability privacy as property the “measure theof degree which to link-ability and degree which to the name true of the data subject is linkableto collectedthe data element”; isinformation personally identifiable”; link-ability the privacy as property measure “a of the defines theproject identify-ability privacy“as property measure a of the degree which to privacy in software. InformationThe Best Regionalthrough Outcomes Health [BIRO2009] Link-abilityability, and properties [Jutla al, et 2014, 2014b] Jutla is required in architecting theAt systems-level, the use at of least Auditability, ATOIL – Traceability, Observ-ability, Identifi- for measuring and choice in consent its privacy maturity [CICAmodel 2014]. Certified Accountants/American Institute of Chartered Public effortAccountants uses criteria 7 respect forindividuals the per as seventh Principle. PbD Note jointthat Canadianthe Institute of – 2005] Table 4.1 see below) standardizedas privacy properties for solutions meet to show to Consciousness, Choice, Context, Consent, Confinement, and Consistency and [Jutla Bodorik, user-level systems-leveland properties. theAt userlevel,we use 7Cs the (Comprehension, reasonable and attainable subset of privacyPrivacy properties. properties maydivided be into specificationThis requires software to andengineers consider create software that satisfies a 4.3.1 Non-Standards TrackNon-Standards PrivacyProperties Privacy Reference Architecture [Jutla2014a] 2014, The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 37 of 44

[Type the document title] when) andhappening what is ofawareness (User Consciousness handled) howof PII is understanding (User Comprehension (User adjusting Context unambiguous) explicit, (Informed, Consent PII) refuse share to out, divulge or (To opt-in or Choice Table 4.1 User-level privacy properties executing privacy solutions correctly. software engineer and company her/his is assured that the system is implementing and andcomponents systems; the auditability privacy system is property desirable so that the toimportant understand privacy threats or leaks arising data from flowing among software Weproperties. adopt these definitions. privacy, For the traceability privacyis property identify-ability are by affected the of use the system” variouscontextsover as system-level pbd-se-annex-v1.0-cnd01 Non-Standards TrackNon-Standards are inare the with subway camerasand audio wearables on around you)—is listen inyour on exchange when you a provide phone number, or when you (forsituations example, when at a desk where service several can people to according context. Situational or physical context—such crowded as Users/data subjects should/mustbe to able comprehension, consciousness, limitations, and choice. consent mechanisms explicitly should incorporate mechanisms of agreement) data to use, andcollection, storage proposalsany for Privacy PII. Data subjects must first consent(meaning informed, explicit, unambiguous data. optingof in or out, whether or to not data, provide and how correctto their Data subjects should have which the data collected. is being bewill shared,how subsequently to access the andPII, the for purposes PII issubjects’ set expire, to who’scollecting data, the with data whom the iscontract being formed between useranda a data when collector, data Users/data subjects be should rights around andPII, the ofimplications contract a when one is formed. database), and what happensto it after category that. This alsoincludes legal data is being when therequested, data will expire (either a from collection or tohow access/correctthe data, limits processing to transparency, PII why the entitledare visibility to - know to all thatparties can access data subjects’ PII, PII andthe what for acrosspurpose softwareplatforms. Users/Data subjects is(PII) handled, who’s collectingit and forwhat purpose, whoand will process Users/data subjects should The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track choices understand aware regarding regarding data collection activities in terms Copyright © Copyright OASIS Open Reserved.Rights© All 2014. of when of data when collectiona occurs, how how identifiablepersonal information change privacychange preferences . Page Page 25 June 252014

38 of 44

[Type the document title] transactions) ofoutcome predictability of (User Consistency ofuse data) re-controlled and user- proportionality, minimization, (Data Confinement require conditions aspreferences 4.4 4.4 pbd-se-annex-v1.0-cnd01 for Reference OWASP Penetration Code testing/ including Review code scanning (security)] Validation and – Verification Develop tests theat same you time develop requirements. Design sectionThis describes software engineering techniquestools and operationalizing for 4.6 future version] prevent confusion with implementation in the sense end-user of Tabled deployment. for a [Note namethat “codingthe / development” is used instead “implementation” of in order to Design sectionThis describes software engineering techniquestools and operationalizing for 4.5 Non-Standards TrackNon-Standards Testing Validation/ /Coding Development Privacy by Design into testing /the validation phase of software the lifedevelopment cycle. into coding /the development phase of software the lifedevelopment cycle. ) different from different from performwhen you buy a transaction with Amazon.com or user access PII or of giving ofout PII. their is taken. involving PII certainThat is, actions should predictable be on should Users may stored.be their access forwhat purposes, PII, where andand possiblywhen/how long it Users/data subjects must/shouldbe to able in same PII different contexts. example, financial and health data) dictate could differentactions on the advertisers.to Data also contexthas (such the as sensitivity data, of for informationprovide an to application registered an with aggregatorthat sells The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply and Design and Design Patterns This Non-Standards is a Work Product. Track anticipate with reasonable certainty Copyright © Copyright OASIS Open Reserved.Rights© All 2014. set/request set/request limits what occur if will any action . on may who Page Page Privacy Privacy by Privacy by 25 June 252014 39 of 44

[Type the document title] which be should within generated organizations producing software, and available to auditors. inentries Table 2.1 of the specificationPbD-SE [PbDSE-01] as for checklist a documentation, additionIn using to Table 3.1 a as checklist, software engineers use should the third column 4.8 See subsection3.8. 4.7.3 4.7.2 4.7.1 account software by engineers. documentation guidance. it Rather, onlyis meantoffer to considerations to taken into be phasedeployment of the software development cycle.is life not It intendedproduce to strict sectionThis describes privacy issues methods and for operationalizing 4.7 4.6.1 pbd-se-annex-v1.0-cnd01 Non-Standards TrackNon-Standards Privacy Checklists Deployment Phase Considerations Retirement Maintenance Fielding by Privacy Design The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply StructuredArgumentation This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2014. Privacy by Design . Page Page 25 June 252014 in the 40 of 44

[Type the document title] Participants: Participants: acknowledged: individualsThe following haveparticipated creationin of the thisspecification and gratefully are pbd-se-annex-v1.0-cnd01 Non-Standards TrackNon-Standards Michael Willett, Individual David Weinkauf, Office of Information the & Privacyof Commissioner Ontario, Canada Colin Wallis, New GovernmentZealand Aaron MITRE Temin, Corporation Stuart Shapiro, CorporationMITRE John Individual Sabo, Drummond Reed, XDI.org Kevin MacDonald, Individual Antonio Kung, Trialog Dawn Jutla, Saint Mary’s University Gershon Janssen, Individual Member Frederick Hirsch,Nokia Jonathan IntelFox, Corporation Sander Fieten, Individual Member Ken Gan, Eli Erlikhman, SecureKey technologies, Inc. Mike Davis, Individual Frank Dawson, Nokia Michelle Office Chibba, of Information the & Privacyof Commissioner Ontario, Canada Les Chasen, Neustar Ann Cavoukian, Office the of Information & Privacy Commissionerof Ontario, Canada Fred Carter, Office the of Information &Privacy Commissioner of Ontario, Canada Kim Cameron, Microsoft Peter Brown, Individual Appendix A. AcknowledgementsAppendix Ontario LotteryCanada and Corporation Gaming The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 41 of 44

[Type the document title] 00 00 00 00 00 00 00 Revision pbd-se-annex-v1.0-cnd01 Non-Standards TrackNon-Standards Appendix B. Revision HistoryAppendix 6 06Mar 20146 15 June15 2014 2014 Mar07/08 10 Mar 2014 10 2014 Mar 07/08 Oct 201307 Aug 201320 July 10 2013 Date The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track Fieten Sander Dawn Jutla Dawn Jutla Dawn Jutla Fred Carter Cavoukian Ann Fred Carter Cavoukian Ann Fred Carter Cavoukian Ann Editor Revisions by accepted Committee30 October structure, PbD add content.new suggested revisionsv02; to modify document Incorporate member commentsTC and to sections and1 2 Revisions document to content structure, added Initial Working Draft Outline MadeChanges Edits and in removedcomments section 4. as Table 2.1) (removed this from put – Annex in Specification Suggest conformance verbs forTable 4.1. Addition further of steps in methodology 7 8’s faceand face to meetings. Refinement of 3 Sections 4 TCand with at March materials Restructuring Section Insertionof new5. of 2) Annex placedand in Specification’s new Section documentation. is(Section 4 removed this from principles privacy sub-principles, to andservices, 2). Created and added new mapping of PbD Created added and (nownew 4 Section section engineers; refined steps and re-ordered Privacy by Design Revised Section as 3 methodology a produceto Introductory paragraphs added. 2013 as for basis next working revision of draft. Copyright © Copyright OASIS Open Reserved.Rights© All 2014. documentation for software . Page Page 25 June 252014 42 of 44

[Type the document title] 00 00 00 00 00 00 00 00 00 00 00 pbd-se-annex-v1.0-cnd01 Non-Standards TrackNon-Standards

17 June17 Jun10 2014 June3 2014 May31 2014 May10 2014 May9 2014 May9 2014 2014 April 29 2014 April 24 Apr19 2014 Mar 2014 21 Mar 20148 7 7 2014 Jan The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track Frank Dawn Jutla Dawn Jutla John Sabo Dawn Jutla Dawn Jutla Finneran Tom Fox Jonathan John Sabo Fred Carter Cavoukian Ann Dawn Jutla Dawson 4.3 and 4.3.1. 4.2.2.1, 4.2.2.4 4.2.2.2, and Architecture section Added Visual Modeling sections 4.2.2,4.2, version. Removed Privacy services mapping this from Table 4.1 (now 2,Section Table 2.1). PbD-principles documentationto in Section 4 Substantially and revised completed mapping of the methodologyin Section 3. steps, createdand sample table 3.1) RACI (Fig. for inFilled text forinitial methodological all 10 Contributions methodology to 3.in Section (now section 4). Provided Spreadsheet modeling 5 for Section 3, 4, and 5 John, Fred,Colin) and minor edits for sections 1, Combined TC edits Stuart, (Jonathan, Sander, Added Fred’s to edits John’s. Feedback and edits throughout document. throughout all former sections 1, 3, 4, of5, & 6 inFilled section and1.4, multipleedits section 4, &5 new (now section 4). Substantial throughout edits sections 3, old Created added and 4.2.2.3Section Added bulleted points 3.1 in Sections and 3.5. Added Privacy TemplateUse in Section 4.1. PbD-SE Specification as Table 2.1) sub-principles intoTable (now4.1 removed to sub-principles. Substituted new descriptions of Completion of 2 Section 7 principleswith PbD and Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 43 of 44

[Type the document title] 01 01 00 00 pbd-se-annex-v1.0-cnd01 Non-Standards TrackNon-Standards 15 June15 22 Jun22 2014 ANNEX AS VERSION THIS Jun18 Jun17 2014 2014 June17 2014 The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track Fred Carter Dawn Jutla Dawn Jutla Cameron Kim Fred Carter Processed all TC edits in ANNEX REVISIONS PRESENTTHIS IN ANNEX. MAJOR CONTENT PRODUCED FROM ALL ABOVE Guide to specificationaddress adoption. document intospecification and How-to Annex Processed TC input forre-organization of specification and Annex Major reorganization of specification split – into principles in former table 4.1. Edits 2 Section to and sub- minor to edits spec) 4 new+ conformance section 6 moved (now to Minor revisionssections to 2 and former section Copyright © Copyright OASIS Open Reserved.Rights© All 2014. . Page Page 25 June 252014 44 of 44

[Type the document title]

Recommended publications