DPGAlliance / DPG-Standard

Digital Public Goods Standard
Creative Commons Attribution Share Alike 4.0 International

Indicator 9.a Data Privacy & Security #90

Closed llsandell closed 2 years ago

llsandell commented 2 years ago

I would like to add some clarity here by introducing a few more parameters. “Projects collecting, processing, storing or distributing data must identify and list the data they include. Or (…identify and list all data included) Projects must also demonstrate how they ensure the privacy, integrity and security of this data in addition to the steps taken to prevent adverse impacts resulting from its collection, processing, storage, and distribution”. As I see it there are three “flaws” in this paragraph. The first one being “collecting data”. This should be applicable to every project that collects, processes, stores or distributes data. The second being the term “types of data”. Data types, or types of data, both have numerous meanings, like quantitative data or qualitative data, if we are addressing high-level data. Short-term, long-term or useless data are other data types. Primitive, composite or even abstract data will also be considered types of data. Nominal, ordinal, discrete or continuous data are all types of data, and I could go on listing data types, but that is beside the point. I think the intent behind the term “types of data” was for the projects to identify and list all data collected, processed, stored or distributed, so a rewrite would be in order. The third is the lack of the word “integrity” when it comes to adverse impacts. To me data integrity is as important as privacy and security, as you cannot have the two latter without integrity being guaranteed. Will DPIA (Data Protection Impact Assessment), or equivalent tools for assessing impact, be mandatory through any of the other paragraphs? Using already in-place standards will ease the task of demonstrating or verifying compliance. There might also be a need for a discussion concerning data distribution vs data sharing from a security point of view. Should there be a reference to the three “Application Security Verification Levels” in OWASP/ASVS somewhere here? Being able to correctly identify the level is crucial in order to achieve the right amount of security measures.

prajectory commented 2 years ago

Hi @llsandell

Thank you so much for sharing this concern on how 'types of data' may be interpreted differently given the nuance that goes into technical documentation. We appreciate you flagging this to us, which led us to change indicator 9a. Please have a look at the changes as executed below following meetings of the standard council and community discussions.


The term 'types of data' has implications that are slightly wider since it again has a specific meaning for technologists. Data types, or types of data, both have numerous meanings, like quantitative data or qualitative data etc. The intent behind the term “types of data” was for the projects to identify and list all data collected, processed, stored or distributed. So we have further defined what 'types of data' means in this case - personally identifiable data/personal data - and have linked to the UNSDG definition for 'personal data'.

'Integrity' has been added (9a) - data integrity is as important as privacy and security, as you cannot have the latter without integrity being guaranteed and baked into the design. Safety and integrity may have a step between them. How does integrity break? Usually, human error; therefore it's good to have integrity that guarantees consistency and truthfulness of the data.

Details here:

https://github.com/DPGAlliance/DPG-Standard/pull/120

Again, thank you so much. For now, I am going to close this issue. Keep us posted!