urmsandeep
commented
3 years ago Instrumenting PII data tagging can be done: Developers - privacy aware development - tag at source Operators - Template / Schema sharing / Regular Expressions
Open urmsandeep opened 3 years ago
urmsandeep
commented
3 years ago Instrumenting PII data tagging can be done: Developers - privacy aware development - tag at source Operators - Template / Schema sharing / Regular Expressions
ChrisAESch
commented
3 years ago With a privacy impact assessment (PIA) you can (manually) define the data to be tagged at the beginning of the development process.
Bron Gondwana: (a) With my developer hat on, I don't find the document particularly actionable - it has an example, but otherwise doesn't clearly articulate how and what to store.
This level of specification is fine if you control all the parts of the system, but at that point this document collapses just being to an entreaty to have an obfuscation layer. If this is supposed to interoperate between systems by different vendors or within different scopes of control, it should be more rigorous in defining exact structure.
(b) Regarding that format - if I was designing something like this I would have:
(c) Anything doing redaction would redact every unknown CONTAINSPII_{Name}, and have a lookup table to decide whether to redact known items. This avoids encoding specific PII levels into the log format itself and keeps the tagging with the value through many more conversions (though I do admit it fails on non-string fields). I may be missing something here though.