[Change request]: Data Minimization in OOAPI

[ruttromp]

Organization

SURF

Project

No response

Contact Details

No response

Short description

This issue was identified during the development of OOAPI version 5.0. Because this was outside the scope of version 5.0, the team did not pick up the issue, but described it so that the OOAPI working group can continue to work on it.

In OOAPI version 5.0, a large number of schemas have been extended with extra attributes.

The request is to:

• Examine whether the API calls that contain user data comply with the principles of data minimisation
• Investigate which and how API calls can be made more granular so that consuming services and clients can determine what data is required in addition to the minimum set.

Reference: W3C document Data Minimization in Web APIs https://www.w3.org/2001/tag/doc/APIMinimization

Version

v5

Usecase

No response

Which institutions support this change?

No response

Proposed solution

No response

Requests and responses

No response

What is your question for the OOAPI work group?

No response

[jelmerderonde]

Add a fields query parameter that allows clients to select the fields wished for. See also https://opensource.zalando.com/restful-api-guidelines/#157 for inspiration. Another option could be excludedFields, allowing a client to specify which fields they do not want.

This could be a mechanism that allows a client to request less data. Is there also a mechanism with which the server can restrict information? Should there be?

What would be the purpose of such a mechanism? Privacy / GDPR or less data transport?

[jelmerderonde]

How would we target nested fields? We could change consumer fields to have a prefix instead of being nested in a seperate object/array.