Privacy Rules for Software Engineers

Privacy plays an important role in software development. When building a software system, we should treat privacy as one of the key features of our requirements during the requirements engineering process. There are several rules that should be taken into consideration to implement privacy in a software system, and they are as follows:

  1. No Admin Rule: An administrator has full control over a software system; however, there should be defined areas of the system that the administrator does not have direct access to. For example, an administrator should be able to reset the password for an account, but he or she should not see the new password and should not be able to access the account.
  2. Identity Verification Rule: Most of us have a means of identifying ourselves through legal documents issued by authorities, such as a national ID card or passport. This is your identity in the physical world. There should be a means of identifying you as an authenticated user in the virtual world, and a way to verify your physical identity against your virtual identity, so that no one can use your identity in your place.
  3. Storage Box Rule: In most systems, a great deal of information is kept in some storage, commonly a database. The database should be designed so that users' information is stored in places that are not accessible to the database administrator.
  4. Create/Delete Rule: When something can be created, it should also be removable. If a user can register for an account, that account should be closable too. When an application is installed and recorded in the history, it should be possible to remove it from the history too. Where audit requirements mean such actions need to be monitored, or information must be retained for a certain period, this should be clearly stated in the privacy statement.
  5. Warrant Rule: When a government needs to look into certain information for the purpose of an investigation, there should be a process to verify the warrant, and the warrant has to cover the individuals or the defined group of people involved, not everyone. When the case involves citizens of other countries, or data belonging to people from other countries, an additional warrant is required from the respective country, and the data should never be disclosed without that country's permission.
  6. Private Cloud Rule: Everything that is possible in a public cloud should also be possible in a private cloud. For example, if someone requests a public cloud service using a specific email address, the email service should be available as a private cloud too.
  7. Government Identity Control: Information related to an individual's identity should be stored within the government of their citizenship or residence. The respective person's government should be the place where personal information is stored. Such storage should be handled the way the passport system is implemented, under the direct control of the respective government and within international law.
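The No Admin Rule (rule 1) and the Storage Box Rule (rule 3) are the two rules above that translate directly into code. The following added example is not part of the original post; it is a constructed, self-contained Python sketch of an account store in which the administrator can only issue a one-time reset token (never choosing or seeing the new password), and the user's private data is stored encrypted under a key derived from the user's own password, so the database administrator sees only ciphertext. The in-memory `DB` dictionary, the `Account` record, and the HMAC-SHA256 counter-mode keystream are all assumptions made for this illustration; a real system would use a proper database and an authenticated cipher such as AES-GCM from a vetted library.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory stand-in for the database. Everything in here is what a
# database administrator can read, so nothing sensitive may appear in plaintext.
DB: dict = {}
KDF_ITERATIONS = 100_000  # raise for production; kept modest so the demo runs quickly


def _kdf(password: str, salt: bytes, purpose: bytes) -> bytes:
    """Derive a 32-byte key from the password, bound to a purpose (login vs. data)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + purpose, KDF_ITERATIONS)


def _subkey(key: bytes, label: bytes) -> bytes:
    """Split one derived key into independent encryption and MAC keys."""
    return hmac.new(key, label, "sha256").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a demo stand-in for a real stream/block cipher."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; wrong key or tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored record was tampered with or the key is wrong")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


@dataclass
class Account:
    salt: bytes
    verifier: bytes                      # proves the password at login; cannot decrypt data
    data_blob: Optional[bytes]           # private data, readable only with the password
    reset_token_hash: Optional[bytes] = None


def register(username: str, password: str, private_data: bytes) -> None:
    salt = secrets.token_bytes(16)
    DB[username] = Account(
        salt=salt,
        verifier=_kdf(password, salt, b"login"),
        data_blob=encrypt(_kdf(password, salt, b"data"), private_data),
    )


def login(username: str, password: str) -> Optional[bytes]:
    """Return the user's private data on success, None on an unknown user or wrong password."""
    acct = DB.get(username)
    if acct is None or not hmac.compare_digest(acct.verifier, _kdf(password, acct.salt, b"login")):
        return None
    return decrypt(_kdf(password, acct.salt, b"data"), acct.data_blob) if acct.data_blob else b""


def admin_start_reset(username: str) -> str:
    """Admin side of the No Admin Rule: hand the user a one-time token, choose nothing."""
    token = secrets.token_urlsafe(32)
    DB[username].reset_token_hash = hashlib.sha256(token.encode()).digest()
    return token


def user_complete_reset(username: str, token: str, new_password: str,
                        old_password: Optional[str] = None) -> bool:
    """User side: redeem the token and set a password the admin never sees."""
    acct = DB[username]
    if acct.reset_token_hash is None or not hmac.compare_digest(
            acct.reset_token_hash, hashlib.sha256(token.encode()).digest()):
        return False
    # The data key comes from the password, so the blob can only be re-wrapped if the
    # user still knows the old password; otherwise it is lost (the cost of rule 3).
    plaintext = None
    if old_password is not None:
        plaintext = login(username, old_password)
        if plaintext is None:
            return False
    salt = secrets.token_bytes(16)
    acct.salt = salt
    acct.verifier = _kdf(new_password, salt, b"login")
    acct.data_blob = encrypt(_kdf(new_password, salt, b"data"), plaintext) if plaintext is not None else None
    acct.reset_token_hash = None  # single use
    return True


def dba_view(username: str) -> bytes:
    """Everything a database administrator can see for this account (Storage Box Rule)."""
    acct = DB[username]
    return acct.salt + acct.verifier + (acct.data_blob or b"")
```

The design choice worth noting is the split between the login verifier and the data key: both are derived from the password, but with different purpose labels, so the verifier the database holds cannot be turned into the decryption key. The trade-off appears in `user_complete_reset`: because the data key is never held by the system, an admin-initiated reset without the old password cannot recover the data. A production design would add a user-held recovery key for that case rather than giving the key to the administrator.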
