Appendix M: SDL Privacy Bug Bar (Sample)

Note: This sample document is for illustration purposes only. The content presented below outlines basic criteria to consider when creating privacy processes. It is not an exhaustive list of activities or criteria and should not be treated as such.

Please refer to the definitions of terms in this section.

End-User Scenarios

Usage notes: These scenarios apply to consumers, enterprise clients, and enterprise administrators acting as end users. For enterprise administrators acting in their administrative role, see Enterprise Administration Scenarios.

Critical

  • Lack of notice and consent

    Example: Transfer of sensitive personally identifiable information (PII) from the user's system without prominent notice and explicit opt-in consent in the UI prior to transfer.

  • Lack of user controls

    Example: Ongoing collection and transfer of non-essential PII without the ability within the UI for the user to stop subsequent collection and transfer.

  • Lack of data protection

    Example: PII is collected and stored in a persistent general database without an authentication mechanism for users to access and correct stored PII.

  • Lack of child protection

    Example: Age is not collected for a site or service that is attractive to or directed at children and the site collects, uses, or discloses the user's PII.

  • Improper use of cookies

    Example: Sensitive PII stored in a cookie is not encrypted.

  • Lack of internal data management and control

    Example: Access to PII stored at the organization is not restricted to those who have a valid business need, or there is no policy to revoke access once it is no longer required.

  • Insufficient legal controls

    Example: Product or feature transmits data to an agent or independent third party that has not signed a legally approved contract.

Important

  • Lack of notice and consent

    Example: Transfer of non-sensitive PII from the user's computer without prominent notice and explicit opt-in consent in the UI prior to transfer.

  • Lack of user controls

    Example: Ongoing collection and transfer of non-essential anonymous data without the ability in the UI for the user to stop subsequent collection and transfer.

  • Lack of data protection

    Example: Persistently stored non-sensitive PII lacks a mechanism to prevent unauthorized access. A mechanism is not required where the user is notified in the UI that data will be shared (for example, folder labeled "Shared").

  • Data minimization

    Example: Sensitive PII transmitted to an independent third party is not necessary to achieve the disclosed business purpose.

  • Improper use of cookies

    Example: Non-sensitive PII stored in a persistent cookie is not encrypted.

Moderate

  • Lack of user controls

    Example: PII is collected and stored locally as hidden metadata without any means for a user to remove the metadata. PII is accessible by others or may be transmitted if files or folders are shared.

  • Lack of data protection

    Example: Temporarily stored non-sensitive PII lacks a mechanism to prevent unauthorized access during transfer or storage. A mechanism is not required where the sharing of information is obvious (for example, user name) or there is prominent notice.

  • Data minimization

    Example: Non-sensitive PII or anonymous data transmitted to an independent third party is not necessary to achieve the disclosed business purpose.

  • Improper use of cookies

    Example: Use of a persistent cookie where a session cookie would satisfy the purpose, or persisting a cookie for longer than necessary to satisfy the purpose.

  • Lack of internal data management and control

    Example: Data stored at the organization does not have a retention policy.

Low

  • Lack of notice and consent

    Example: PII is collected and stored locally as hidden metadata without discoverable notice. PII is not accessible by others and is not transmitted if files or folders are shared.

Enterprise Administration Scenarios

Usage notes: These scenarios apply to enterprise administrators acting in their administrative role. For enterprise administrators in an end-user role, see End-User Scenarios.

Critical

  • Lack of enterprise controls

    Example: Automated data transfer of sensitive PII from the user's system without prominent notice and explicit opt-in consent in the UI from the enterprise administrator prior to transfer.

  • Insufficient privacy disclosure

    Example: Deployment or development guide for enterprise administrators provides legal advice.

Important

  • Lack of enterprise controls

    Example: Automated data transfer of non-sensitive PII or anonymous data from the user's system without prominent notice and explicit opt-in consent in the UI from the enterprise administrators prior to transfer. Notice and consent must appear in the UI—not through the End-User License Agreement (EULA) or Terms of Service.

  • Insufficient privacy disclosure

    Example: Disclosure to enterprise administrators, such as a deployment guide or the UX, does not disclose storage or transfer of PII.

Moderate

  • Lack of enterprise controls

    Example: No mechanism is provided or identified to help the enterprise administrators prevent accidental disclosure of user data (for example, set site permissions).

Definition of Terms

anonymous data
Non-personal data that has no connection to an individual. By itself, it has no intrinsic link to an individual user. For example, hair color or height (in the absence of other correlating information) does not identify a user.

child or children
Under 14 years of age in Korea and under 13 years of age in the United States.

discoverable notice
A discoverable notice is one the user has to find (for example, by locating and reading a privacy statement of a website or by selecting a privacy statement link from a Help menu).

discrete transfer
Data transfer is discrete when it is an isolated data capture event that is not ongoing.

essential metadata
Metadata that is necessary to the application for supporting the file (for example, file extension).

explicit consent
Explicit consent requires that the user take—or have the ability to take—an explicit action before data is collected or transferred.

hidden metadata
Hidden metadata is information that is stored with a file but is not visible to the user in all views. Hidden data may include personal information or information that the user would likely not want to distribute publicly. If such information is included, the user must be made aware that this information exists and must be given appropriate control over sharing it.

implicit consent
Implicit consent does not require an explicit action indicating consent from the user; the consent is implicit in the operation the user initiates.

non-essential metadata
Metadata that is not necessary to the application for supporting the file (for example, key words).

persistent storage
Persistent storage of data means that the data continues to be available after the user exits the application.

personally identifiable information (PII)
Personally identifiable information is any information (i) that identifies or can be used to identify, contact, or locate the person to whom such information pertains, or (ii) from which identification or contact information of an individual person can be derived. Personally Identifiable Information includes, but is not limited to, name, address, phone number, fax number, e-mail address, financial profiles, medical profile, social security number, and credit card information. Additionally, to the extent that unique information (which by itself is not PII, such as a unique identifier or IP address) is associated with PII, such unique information will also be considered PII.

prominent notice
A prominent notice is one that is designed to catch the user’s attention. Prominent notices should contain a high-level, substantive summary of the privacy-impacting aspects of the feature, such as what data is being collected and how that data will be used. The summary should be fully visible to a user without additional action on the part of the user, such as having to scroll down the page. Prominent notices should also include clear instructions for where the user can get additional information (such as in a privacy statement).

sensitive PII
Sensitive personally identifiable information includes any data that could (i) be used to discriminate (ethnic heritage, religious preference, physical or mental health, for example), (ii) facilitate identity theft (like mother’s maiden name), or (iii) permit access to a user’s account (like passwords or PINs). Note that if the data described in this paragraph is not commingled with PII during storage or transfer, and it is not correlated with PII, then the data can be treated as Anonymous Data. If there is any doubt, however, the data should be treated as Sensitive PII. While not technically Sensitive PII, user data that makes users nervous (such as real-time location) should be handled in accordance with the rules for Sensitive PII.

severity ratings (Critical, Important, Moderate, Low)
Critical. Release may create legal or regulatory liability for the organization.
Important. Release may create high risk of negative reaction by privacy advocates or damage the organization’s image.
Moderate. Some user concerns may be raised, some privacy advocates may question, but repercussion will be limited.
Low. May cause some user queries. Scrutiny by privacy advocates unlikely.

temporary storage
Temporary storage of data means that the data is only available while the application is running.

Content Disclaimer

This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products.

This documentation is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.

This documentation does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2012 Microsoft Corporation. All rights reserved.

Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported