Add data-classification.md extension #1317
Conversation
Can you update the README in the "extensions" dir too?
Not an expert in this space but it LGTM with the minor edits I just commented on.
@rob-sessink while not 100% necessary, can you rebase this on the latest 'main' branch so that the tests will run successfully for you?
Signed-off-by: Rob Sessink <rob.sessink@gmail.com>
…README.md and usage of MUST keyword in example use case - Signed-off-by: Rob Sessink <rob.sessink@gmail.com>
Signed-off-by: Rob Sessink <rob.sessink@gmail.com>
…bels, remove 'applicability constraints', extend usage section. - Signed-off-by: Rob Sessink <rob.sessink@gmail.com>
b891424 to b22870d
…onventions - Signed-off-by: Rob Sessink <rob.sessink@gmail.com>
woo hoo - tests pass again! thanks for the rebase. Ping @jskeet for another look
Signed-off-by: Rob Sessink <rob.sessink@gmail.com>
- Type: `String`
- Description: A comma-delimited list of applicable data protection regulations. For example: `GDPR`, `HIPAA`, `PCI-DSS`, `ISO-27001`, `NIST-800-53`, `CCPA`.
I realize this potentially goes down a rabbit-hole of trying to maintain catalogs, but is there value in formalizing some of the regulation codes or referencing some well-known external catalog (if one exists)?
In addition, does the applicability of some of these regulations vary by jurisdiction? If so, does that need to be represented in some fashion?
I have been searching for a catalog of data protection regulations, but I could not find a definitive source which also standardizes regulation codes. The best open source (outside some commercial legal websites) is that of UNCTAD - Data Protection and Privacy Legislation Worldwide. There, an interactive overview and Excel dataset of cyber-laws (incl. data protection and privacy) across the world is provided. However, this does not define any (standardized) regulation codes.
I would not want to go as far as deriving and maintaining a catalog of data regulation codes. For often-referenced regulations (or standards) of countries/regions, de facto abbreviations are available, so in my view that could suffice. Would a small appendix with commonly used regulation codes, including a reference to the UNCTAD website, be useful?
Overall, I see the usage of this attribute like other context attributes such as `source` and `subject`. The semantics of the values are based upon mutual understanding between producer and consumer, and I feel this extension should not be too prescriptive.
Unsure about the applicability question. I think this can vary per regulation/country. For example, in the case of GDPR, this regulation is applicable for organizations within EU countries but also for organizations outside of EU countries when targeting EU citizens. I doubt whether this must be represented in some attribute and what direct value this adds. In my view, it is an agreement between producers and consumers of CloudEvents on how a data-classification label and applicable regulation are interpreted and how this influences processing. I would not want to define this in much more detail in this extension.
@JemDay any thoughts on Rob's reply? I'd like to see if we can close this one out by next week (our last call this year).
@JemDay would this be helpful or too much?
Appendix Data Protection and Privacy Regulations
A catalog of common data protection and privacy regulations and their abbreviations,
based upon UNCTAD (United Nations Conference on Trade and Development)
information. As UNCTAD itself does not define any abbreviations, this
is a non-exhaustive derivative list of most common regulations. For more
information see UNCTAD Data Protection and Privacy Legislation Worldwide.
Region | Abbreviation | Full Name | Country |
---|---|---|---|
Africa | POPIA | Protection of Personal Information Act | South Africa |
Africa | NDPR | Nigeria Data Protection Regulation | Nigeria |
Africa | DPA-KE | Data Protection Act | Kenya |
Africa | PDPL | Personal Data Protection Law | Egypt |
Africa | GDPL | General Data Protection Law | Tunisia |
Americas | LGPD | Lei Geral de Proteção de Dados | Brazil |
Americas | LPDP | Ley de Protección de Datos Personales | Mexico |
Americas | LOCDI | Ley Orgánica de Datos Personales | Argentina |
Americas | CCPA | California Consumer Privacy Act | United States |
Americas | CPRA | California Privacy Rights Act | United States |
Americas | PIPEDA | Personal Information Protection and Electronic Documents Act | Canada |
Americas | VCDPA | Virginia Consumer Data Protection Act | United States |
Americas | CPA | Colorado Privacy Act | United States |
Americas | UCPA | Utah Consumer Privacy Act | United States |
Asia-Pacific | PDPA | Personal Data Protection Act | Singapore |
Asia-Pacific | PIPA | Personal Information Protection Act | South Korea |
Asia-Pacific | APPI | Act on the Protection of Personal Information | Japan |
Asia-Pacific | DPDP | Personal Data Protection Bill | India |
Asia-Pacific | PDPO | Personal Data (Privacy) Ordinance | Hong Kong |
Asia-Pacific | DPA-MY | Data Protection Act | Malaysia |
Asia-Pacific | PIPL | Personal Information Protection Law | China |
Asia-Pacific | DPA-ID | Draft Data Protection Act | Indonesia |
Europe | GDPR | General Data Protection Regulation | European Union |
Middle East | PDPL | Personal Data Protection Law | Saudi Arabia |
Middle East | PDPO | Personal Data Protection Ordinance | United Arab Emirates |
Middle East | PDPD | Personal Data Protection Draft | Bahrain |
Global/Multi-Regional | APEC-CBPR | Asia-Pacific Economic Cooperation Cross Border Privacy Rules | International |
Global/Multi-Regional | ISO-27001 | Information Security Management | International |
Global/Multi-Regional | ISO-27701 | Privacy Information Management | International |
Industry-Specific | HIPAA | Health Insurance Portability and Accountability Act | United States |
Industry-Specific | PCI-DSS | Payment Card Industry Data Security Standard | United States |
Industry-Specific | NIST-800-53 | National Institute of Standards and Technology Framework | United States |
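The attribute definition quoted earlier (a comma-delimited `String` of regulation codes) and the appendix above together describe what a consumer or intermediary has to do with this value: split it, normalize it, decide whether each code is one it understands, and pick a behaviour for codes it does not (the thread's "mutual understanding" position versus the later commit that makes unknown values an error). The following is an added example of that consumer-side logic, not code from the CloudEvents project or from this PR. The attribute names `dataclassification` and `dataregulation` are assumptions used as placeholders for whatever the merged extension defines, the catalog is copied from the non-exhaustive appendix proposed in this comment, and the case-insensitive normalization is a choice of this example, not something the extension text specifies.

```python
"""Consumer-side handling of the proposed data-classification extension
attributes on a CloudEvent (added example, not the spec's own code).

Assumptions, not taken from the PR page:
  * attribute names `dataclassification` and `dataregulation` are placeholders;
  * the catalog below is the appendix proposed in the thread, non-authoritative;
  * codes are compared case-insensitively (the extension text does not say).
"""
import json

# Abbreviations from the proposed appendix (non-exhaustive, as the thread notes).
KNOWN_REGULATIONS = frozenset({
    "POPIA", "NDPR", "DPA-KE", "PDPL", "GDPL", "LGPD", "LPDP", "LOCDI",
    "CCPA", "CPRA", "PIPEDA", "VCDPA", "CPA", "UCPA", "PDPA", "PIPA",
    "APPI", "DPDP", "PDPO", "DPA-MY", "PIPL", "DPA-ID", "GDPR", "PDPD",
    "APEC-CBPR", "ISO-27001", "ISO-27701", "HIPAA", "PCI-DSS", "NIST-800-53",
})


class UnknownRegulationError(ValueError):
    """Raised in strict mode when a regulation code is not in the catalog."""


def parse_regulations(value):
    """Split a comma-delimited `dataregulation` value into normalized codes.

    Surrounding whitespace is stripped, empty items (e.g. from a trailing
    comma) are dropped, and codes are upper-cased (example's own choice).
    """
    if value is None:
        return []
    if not isinstance(value, str):
        raise TypeError("dataregulation must be a String")
    return [item.strip().upper() for item in value.split(",") if item.strip()]


def classify_regulations(codes, catalog=KNOWN_REGULATIONS):
    """Partition codes into those the consumer knows and those it does not."""
    known = [c for c in codes if c in catalog]
    unknown = [c for c in codes if c not in catalog]
    return known, unknown


def check_event(event, strict=True, catalog=KNOWN_REGULATIONS):
    """Decide how a JSON-decoded CloudEvent dict may be processed.

    strict=True  : an unknown regulation code is reported as an error, so the
                   event is not silently handled under weaker rules.
    strict=False : unknown codes are recorded and the event is still accepted,
                   relying on producer/consumer agreement as discussed above.
    """
    codes = parse_regulations(event.get("dataregulation"))
    known, unknown = classify_regulations(codes, catalog)
    if unknown and strict:
        raise UnknownRegulationError(
            f"event {event.get('id')!r}: unknown regulation code(s) {unknown}")
    return {
        "id": event.get("id"),
        "classification": event.get("dataclassification"),
        "regulations": known,
        "unknown": unknown,
        "accepted": True,
    }


# Constructed sample events in the JSON event format; values are made up.
SAMPLE_EVENTS = [
    json.loads('{"specversion":"1.0","id":"ev-1","type":"com.example.record",'
               '"source":"/hr/records","dataclassification":"confidential",'
               '"dataregulation":"GDPR, hipaa,,PCI-DSS "}'),
    json.loads('{"specversion":"1.0","id":"ev-2","type":"com.example.record",'
               '"source":"/hr/records","dataclassification":"internal",'
               '"dataregulation":"GDPR,XYZ-2024"}'),
]


def process_samples(strict):
    """Run every sample through check_event; errors become rejection records."""
    results = []
    for ev in SAMPLE_EVENTS:
        try:
            results.append(check_event(ev, strict=strict))
        except UnknownRegulationError as exc:
            results.append({"id": ev.get("id"), "accepted": False,
                            "error": str(exc)})
    return results


if __name__ == "__main__":
    for mode in (True, False):
        print(f"strict={mode}")
        for r in process_samples(strict=mode):
            print("  ", r)
```

Running the block shows the same two events accepted in lenient mode (the second with `XYZ-2024` listed under `unknown`) and the second one rejected in strict mode, which is the distinction between the two positions taken in this thread.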
I think Jem's concerns are reasonable, but I don't know an appropriate resolution. (It may be that there's already a standards body defining these.)
…s when intermediaries/consumers encounter unknown attribute values. - Signed-off-by: Rob Sessink <rob.sessink@gmail.com>
Signed-off-by: Rob Sessink <rob.sessink@gmail.com>
I'm tentatively happy now - in that all my previous concerns have been addressed, but I haven't reread the whole thing from scratch (and don't have the headspace to do so now, even if I have the time).
…to 'report error'. Signed-off-by: Rob Sessink <rob.sessink@gmail.com>
Approved on the 12/12 call.
See cloudevents#1317 Signed-off-by: Doug Davis <duglin@gmail.com>
See PR: #1322
@rob-sessink thanks for your work/patience on this one
Provides an extension where an event source can annotate an event with
information around the data classification of an event and its payload. CloudEvents
may contain a payload which is subject to data protection regulations like GDPR
or HIPAA. For intermediaries and consumers, knowing how the event payload is
classified enables compliant processing of the event.
Adds an extension with attributes:
payload within the context of a data protection regulation.
context of data classification and data protection regulation.