diff --git a/xCOMPASS/xCOMPASS.md b/xCOMPASS/xCOMPASS.md index 8b9b556..05ee5cc 100644 --- a/xCOMPASS/xCOMPASS.md +++ b/xCOMPASS/xCOMPASS.md @@ -1,20 +1,20 @@ | Scoping Questions | |---| -| Does the application code contain personal information? | -| Do any databases used by the application contain personal information? If the application has personal information, has it been de-deidentified? | -| Do any application logs contain personal information? | +| Does the application code contain personal information?
*Answer "Yes" if the source code of the app itself contains personal information. Additional information on what constitutes PI can be found [here](https://en.wikipedia.org/wiki/Personal_data).*| +| Do any databases used by the application contain personal information?
*Answer "Yes" if the app uses any databases that contain personal information. Additional information on what constitutes personal information can be found [here](https://en.wikipedia.org/wiki/Personal_data).*

If the application has personal information, has it been de-deidentified?
*Answer "Yes" if the PI in the app has not gone through de-identification process. Additional information on what constitutes personal information can be found [here](https://en.wikipedia.org/wiki/Personal_data).* | +| Do any application logs contain personal information?
*Answer "Yes" if the app creates any log files that contain personal information. Additional information on what constitutes personal information can be found [here](https://en.wikipedia.org/wiki/Personal_data).* | The following categories of information often come with special legislative protections. | Special categories of Personal Information | |---| -| **Biometric data**: Does the application collect biometric data? | -| **Children data**: Does the application collect data from youth under 16? | -| **CPNI**: Does the application contain CPNI data? _CPNI or Customer Proprietary Network Information, is the data collected by telecommunications companies about subscribers._ | -| **Voice and Video**: Does the application collect voice or video data? | +| **Biometric data**: Does the application collect biometric data?
*Answer "Yes" if the app collects biometric data. Generally, biometric data (e.g., fingerprints, retina scans, etc.) require explicit notice and written consent from customers before collection. Such data can also not be sent to third-parties, monetized, or retained without consent.* | +| **Children data**: Does the application collect data from youth under 16?
*Answer "Yes" if the app collects children data. Generally, data collected from children require explicit notice and written consent from parents/guardians (for users under 13 years) or children (for users between 13-16 years). Such data can also not be sent to third-parties, monetized, or retained without consent. Privacy settings should be easy to understand for children. If the child is being tracked by an adult through the app, the child should be notified (e.g., a green LED light can indicate that a camera is switched on).* | +| **CPNI**: Does the application contain CPNI data?
*Answer "Yes" if the app collects/contains CPNI (Customer Proprietary Network Information), e.g., IP/MAC address. Generally, the use of CPNI data is limited to specific purposes. It cannot be used for marketing that a customer has not opted into.* | +| **Voice and Video**: Does the application collect voice or video data?
*Answer "Yes" if the app collects voice/video data. Generally, voice data cannot be used for advertisement purposes, even if collected by or for a third-party partner. Organization must have an individual’s prior, written permission before collecting or recording any audio/visual or other sensor data from within their dwelling. For both video and voice data, specific consent obligations must be met. Please consult Privacy Legal for additional information.*|

COMPASS Questionnaire

-The threats are categorized by FIPPs (Fair Information Practice Principles), the principles which guide privacy regulation. This makes it easy to understand which threat category a question falls under. Each question has a persona linked - if you would like to see an example persona for each combination listed here, use this link. +The questions are categorized by FIPPs (Fair Information Practice Principles), the principles which guide privacy regulation. This makes it easy to understand which category a question falls under. Each question has a persona linked - if you would like to see an example persona for each combination listed here, use this link.

Accountability and Auditing

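Review bot: In the -1,20 hunk, the guidance for the de-identification question inverts its sense: the question asks "has it been de-deidentified?" but the note says `Answer "Yes" if the PI in the app has not gone through de-identification process`, so a truthful "Yes" contradicts what the question is asking. Change it to `Answer "Yes" if the PI in the app has gone through a de-identification process` and fix "de-deidentified" to "de-identified", which the hunk carries over from the old text. The new rows also introduce line breaks inside table cells (each `*Answer "Yes" ...*` note starts on its own line); GitHub-flavored markdown requires every table row to sit on one line, so both tables will stop rendering at the first such row. Use `<br>` inside the cell instead of a newline.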
@@ -29,22 +29,22 @@ The threats are categorized by FI Inside Aggressive,
Non-compliance



- Are changes to application code attributed and logged? This code can be present on GitHub, AWS, Databricks, or any other platform. + Are changes to application code attributed and logged?
Answer "Yes" if the updates and changes to the source code of the app are attributed/logged. The source code can be stored on GitHub, AWS, Databricks, or any other platform. Privacy Logging and Reporting - Are changes to application components, like databases, servers, etc., attributed and logged? + Are changes to application components, like databases, servers, etc., attributed and logged?
Answer "Yes" if there are changes to at least one app component are attributed and logged (e.g., configuration changes on servers or databases). - Is access to any personal information across your application logged? + Is access to any personal information across your application logged?
Answer "Yes" if there is any logging for any access to personal information, e.g., developer's accessing the collected names of customers. Inside Neutral,
Non-compliance
- Is there a way to download data out of the application? If yes, do we have logs to track the same? + Is there a way to download data out of the application?
Answer "Yes" if the app has a feature for the user to download data containing personal information, e.g., a feature to download the collected data locally to a laptop or mobile device.

If yes, do we have logs to track the same?
Answer "Yes" if the app logs and tracks the data download activity (e.g., every download attempt/occurence is recorded/logged). Outside Neutral,
Identifiability
- Can we track who is viewing any personal information on your application's interface? + Can we track who is viewing any personal information on your application's interface?
Answer "Yes" if app tracks every time someone accesses and views any personal information on the app's UI (e.g., developer's viewing the collected names of customers through the UI). @@ -62,16 +62,16 @@ The threats are categorized by FI Inside Neutral,
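Review bot: In the -29,22 hunk, the guidance for the component-changes question is garbled: `Answer "Yes" if there are changes to at least one app component are attributed and logged` should read `Answer "Yes" if changes to at least one app component are attributed and logged`. Also "occurence" should be "occurrence" in the download-tracking guidance, and "developer's accessing" / "developer's viewing" should be the plural "developers accessing" / "developers viewing".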
Detectability
- Does your application combine customer data across different platforms (mobile, television, laptop, etc.)? + Does your application combine customer data across different platforms (mobile, television, laptop, etc.)?
Answer "Yes" if the app collects and combines data across different platforms (e.g., data collected from the mobile app are stored together/combined with data collected from the PC app). Data Separation Inside Neutral,
Non-compliance
- Do you check the quality of personal data used by your application (for errors, mistakes, incomplete information, etc.)? + Do you check the quality of personal data used by your application (for errors, mistakes, incomplete information, etc.)?
Answer "Yes" if the app checks the quality of personal information collected (e.g., checking the correctness through input validation and error checking). Transparency and Disclosure, Consumer Control, Data Separation - Does your application make inferences about a customer that can result in a negative impact, such as denial of service? + Does your application make inferences about a customer that can result in a negative impact, such as denial of service?
Answer "Yes" if the app makes inferences about a customer and it affects the customer negatively. For example, your application makes inferences that can deny a user access to a service or negatively impact their experience with a service. @@ -89,12 +89,12 @@ The threats are categorized by FI Outside Neutral,
Detectability
- Does your application collect location data or other proxies for location that can be linked to a user/group in any way? + Does your application collect location data or other proxies for location that can be linked to a user/group in any way?
Answer "Yes" if your app collects location data/proxies. Such location data collected from a user can be used (or even misused) to identify the same user. Data De-identification Inside Neutral,
Detectability
- Do you collect customer's behavioral data (like websites they visit, number of clicks, likes, engagement, etc.) that can reveal user patterns? + Do you collect customer's behavioral data (like websites they visit, number of clicks, likes, engagement, etc.) that can reveal user patterns?
Answer "Yes" if your app collects customer's behavioral data that can reveal their patterns (e.g., behavioral data like browsing history, number of clicks, likes, and engagement are self-identifying). Data Separation @@ -112,22 +112,22 @@ The threats are categorized by FI Outside Neutral,
Non-compliance
- Is your application collecting only the minimum data necessary for the app to function? If not, have you documented the reason for collecting additional information? Is data disposal done for data that is no longer required by the application? + Is your application collecting only the minimum data necessary for the app to function?
Answer "Yes" if your app collects only the minimum amount of data necessary for app to deliver the core functionalities and services.

If not, have you documented the reason for collecting additional information?
Answer "Yes" if you have documented the reason for collection additional data (e.g., you should have a valid reason to collect additional data, and this has to be properly documented).

Is data disposal done for data that is no longer required by the application?
Answer "Yes" if data disposal is done for data no longer required by the app or the retention time has reached. Data Reduction Outside Neutral,
Identifiability
- If the application is customer-facing, is the information that a customer can view provided on a need to know basis? + If the application is customer-facing, is the information that a customer can view provided on a need to know basis?
Answer "Yes" if your app is customer-facing and there is access control in place for customers when viewing personal information (e.g., a customer should not have access to other customers' data). Data Separation, Privacy Logging and Reporting Inside Neutral,
Non-compliance
- Is the information that a developer/owner of the application can view provided on a need to know basis? Is access regularly updated if change in role occurs? + Is the information that a developer/owner of the application can view provided on a need to know basis?
Answer "Yes" if there is access control for app owner/developer when viewing personal information (e.g., a developer, depending on their role, may or may not view user/customer data).

Is access regularly updated if change in role occurs?
Answer "Yes" if policies for access control are updated accordingly for every role/organizational change (e.g., a developer that transitions to a different project/department should no longer have access). Privacy Logging and Reporting, (Encryption), (Access Control) Inside Neutral,
Identifiability
- Does any component in your application contain links? Do these links redirect to any personal information without requiring authentication? + Does any component in your application contain links?
Answer "Yes" if your app or any of its components contains links (e.g., URL).

Do these links redirect to any personal information without requiring authentication?
Answer "Yes" if there is no authentication before the redirection occurs (e.g., user does not have to sign in before getting redirected). Data De-identification, (Access Control) @@ -145,17 +145,17 @@ The threats are categorized by FI Inside Neutral,
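Review bot: In the -112,22 hunk, splitting the links question makes its first half trivially true: `Answer "Yes" if your app or any of its components contains links (e.g., URL)` will be "Yes" for essentially every application, which loses the original question's focus on links that lead to personal information. Either scope the first sub-question to links that resolve to personal information or fold it into the second sub-question. Minor wording: "collection additional data" should be "collecting additional data", and "the retention time has reached" should be "the retention period has been reached".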
Unawareness
- Can a user request a copy of their data for download? Are organizational retention policies followed for storing user data? + Can a user request a copy of their data for download?
Answer "Yes" if your app allows a user to download a copy of their data (e.g., user can download the data collected by the app locally to their laptop or mobile device).

Are organizational retention policies followed for storing user data?
Answer "Yes" if your app follows organization policies on data retention (e.g., data have to be deleted at the end of the retention period). Consumer Control Outside Neutral,
Unawareness
- Do you provide markers/indicators when collecting user data? These can be in the form of LED lights, cookie banners, pop-ups, etc. that is relevant for your application. + Do you provide markers/indicators when collecting user data?
Answer "Yes" if your app provides indicators when collecting data. These can be in the form of LED lights, cookie banners, pop-ups, etc. that is relevant for your application. Transparency and Disclosure, Consumer Control Outside Neutral,
Unanticipated Revelation
- Does the output of your application present one users information to another without notifying (even in an aggregate or de-identified form)? For example, a notification may be two beeps or a different beep for an event when their data is being shared. Note that organization cannot disclose consumers' electronic communications (e.g., phone calls, email, Internet transmissions) to anyone other than the intended recipient. + Does the output of your application present one users information to another without notifying (even in an aggregate or de-identified form)?
Answer "Yes" if your app shares personal information of a user to another user without notifying the first user that owns that PI. For example, a notification may be two beeps or a different beep for an event when their data is being shared. Note that organization cannot disclose consumers' electronic communications (e.g., phone calls, email, Internet transmissions) to anyone other than the intended recipient. Data De-identification, (Access Control) @@ -173,44 +173,44 @@ The threats are categorized by FI Inside Aggressive,
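Review bot: In the -145,17 hunk, two wording fixes: "one users information" should be "one user's information" in the question itself, and "etc. that is relevant for your application" should be "etc. that are relevant to your application" in the indicators guidance.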
Non-compliance
- Are personal information records backed up in case of accidental deletion? + Are personal information records backed up in case of accidental deletion?
Answer "Yes" if your app backs up personal information records. This can be in the form of a secondary backup database/storage. Privacy Logging and Reporting (Backup) Outside Neutral,
Identifiability
- Can the customer add a second factor to allow for stronger authentication on their account? Internal systems that allow access to personal information must have multi-factor authentication in place by default to meet this condition. + Can the customer add a second factor to allow for stronger authentication on their account?
Answer "Yes" if your app allows users to configure multi-factor authentication. Internal systems that allow access to personal information must have multi-factor authentication in place by default to meet this condition. Data Separation, Privacy Logging and Reporting - Does you application have any defenses to prevent brute force attacks to retrieve personal information? For example, you may lock a customers' account after three incorrect attempts. + Does you application have any defenses to prevent brute force attacks to retrieve personal information?
Answer "Yes" if your app defends against brute force attacks to retrieve personal information (e.g., you may lock a customer's account after three incorrect attempts). - Does the customer need to provide additional authentication to change sensitive data on the account? + Does the customer need to provide additional authentication to change sensitive data on the account?
Answer "Yes" if your app authenticates users that want to change sensitive data on the account (e.g., users have to provide their credentials/sign in again before being allowed to change sensitive data). - Does the customer need to provide additional authentication to access sensitive data on the account? + Does the customer need to provide additional authentication to access sensitive data on the account?
Answer "Yes" if your app authenticates users that want to access sensitive data on the account (e.g., users have to provide their credentials/sign in again before being allowed to access sensitive data). - Does you application notify the customer if there is any unusual behavior (like after a certain number of incorrect logins, logging in from an unusual location,etc.)? For example, the customer may receive a text message when three or more unsuccessful login attempts are made. + Does you application notify the customer if there is any unusual behavior (like after a certain number of incorrect logins, logging in from an unusual location,etc.)?
Answer "Yes" if your app notifies users of suspicious behaviors (e.g., the customer may receive a text message when three or more unsuccessful login attempts are made). Inside Aggressive,
Identifiability
- Would an unauthorized employee be able to access identifiable data of other users through your application? Unauthorized employee could be anyone who does not a have a job-related purpose for viewing user data. + Would an unauthorized employee be able to access identifiable data of other users through your application?
Answer "Yes" if the app allows an unauthorized employee to access collected data (e.g., anyone who does not a have a job-related purpose for viewing user data). (Access Control) Inside Neutral,
Non-compliance
- Is personal information stored in plaintext in any part of your application? Do you employ the recommended encryption approaches throughout your application compliant with organization policy? This includes FIPS standards for both encryption at rest and in transit. Datastores containing Social Security Numbers must meet or exceed organization's encryption standards. + Is personal information stored in plaintext in any part of your application?
Answer "Yes" if your app stores personal information in plaintext. This includes FIPPS standards for both encryption at rest and in transit. Datastores containing Social Security Numbers must meet or exceed organization encryption standards. More information about encryption design patterns can be found here.

Do you employ the recommended encryption approaches throughout your application compliant with organization policy?
Answer "Yes" if your app employs the recommended encryption approaches and it is compliant with organization policy. This includes FIPPS standards for both encryption at rest and in transit. Datastores containing Social Security Numbers must meet or exceed organization encryption standards. More information about encryption design patterns can be found here. (Encryption) Inside Neutral,
Identifiability
- Do you share the data over a secure channel? If yes, is there authentication in place for who can access this information? + Do you share the data over a secure channel?
Answer "Yes" if your app shares data over a secure channel (e.g., encrypted channel).

If yes, is there authentication in place for who can access this information?
Answer "Yes" if your app authenticates users/developers that access the shared data (e.g., users/developers have to sign in before they can access the data). Data Reduction Outside Neutral,
Unanticipated Revelation
- If the application is customer-facing, can it be authenticated using information that is publicly available? For example, a homeowner's home address information in USA is often publicly available on a county's website. + If the application is customer-facing, can it be authenticated using information that is publicly available?
Answer "Yes" if the app is customer-facing and it authenticates using publicly available information (e.g., social media, public records, etc.). Data Separation @@ -228,17 +228,17 @@ The threats are categorized by FI Outside Neutral,
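Review bot: In the -173,44 hunk, the encryption guidance changes the old text's "FIPS standards" to "FIPPS standards" in both sub-questions; FIPS (Federal Information Processing Standards) is the correct reference for encryption at rest and in transit, while FIPPs is the Fair Information Practice Principles used to categorize this questionnaire, so this is a regression and should be reverted. The added sentence `More information about encryption design patterns can be found here.` has no link target, so "here" leads nowhere; add the link or drop the sentence. The typo "Does you application" is carried into two of the new questions and should be "Does your application".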
Non-compliance
- Is personal information provided used for a secondary purpose by the application? Have customers consented to this secondary usage? Can they opt-out of secondary usage of their data? If a customer has opted out, do you ensure that such customer data is filtered out from secondary usage? For example, data might have been collected to provide services, but is now also used to provide ads. + Is personal information provided used for a secondary purpose by the application?
Answer "Yes" if collected personal information is used for a secondary purpose (e.g., data might have been collected to provide services, but is now also used for advertising purposes).

Have customers consented to this secondary usage?
Answer "Yes" if your app asks for user consent and they indicate consent before the app uses the PI for secondary usage (i.e., the app asks for consent twice, namely before collecting the data and when it is going to use the data for secondary usage).

Can they opt-out of secondary usage of their data?
Answer "Yes" if your app allows users to opt out of secondary usage (i.e., user can refuse to consent when asked about the secondary usage for their data).

If a customer has opted out, do you ensure that such customer data is filtered out from secondary usage?
Answer "Yes" if your app filters user data from secondary usage if they have opted out (i.e., user data are excluded completely from secondary usage). Data Reduction, Transparency and Disclosure Outside Neutral,
Unanticipated Revelation
- Would the data from your application be otherwise made available publicly? + Would the data from your application be otherwise made available publicly?
Answer "Yes" if your app makes the collected data available publicly. Data Separation Outside Neutral,
Unawareness
- Do individuals who have provided personal information know about its usage by this application? Applications which process user data should provide information to users about this usage and purpose. + Do individuals who have provided personal information know about its usage by this application?
Answer "Yes" if your app collects data from users and they are informed about the purpose. Apps that process user data should provide information to users about this usage and purpose. Transparency and Disclosure @@ -257,19 +257,19 @@ The threats are categorized by FI Outside Neutral,
Unawareness
- Is there a way for individuals to opt out of the collection/processing of their data? This requirement is fully satisfied only if the language to opt out must be easy to understand and the opt out request is fully implemented by restricting processing of the specified data. Opt out should not be harder than opt in. If this is out of scope for your application, please indicate the dataset and the team responsible in the comments. + Is there a way for individuals to opt out of the collection/processing of their data?
Answer "Yes" if your app allows users to opt out of data collection/processing. This requirement is fully satisfied only if the language to opt out must be easy to understand and the opt out request is fully implemented by restricting processing of the specified data. Opt out should not be harder than opt in. If this is out of scope for your application, please indicate the dataset and the team responsible in the comments. Consumer Control - Can the application potentially collect information from users who are not the primary customer without consent? For example, a video app could collect viewing history from multiple users using the same television. + Can the application potentially collect information from users who are not the primary customer without consent?
Answer "Yes" if your app does not get consent from users that are not primary users (e.g., a video app could collect viewing history from multiple users using the same television). Inside Neutral,
Unawareness
- If there is a personal data deletion or modification request, would it be possible to implement it across the application? For example, when there is deletion request, the application can automatically remove records from all databases, servers, and other containers, including third party transfers. There should be clear description of how to request a deletion or modification. + If there is a personal data deletion or modification request, would it be possible to implement it across the application?
Answer "Yes" if your app accomodates deletion/modification request for collected data. For example, when there is deletion request, the application can automatically remove records from all databases, servers, and other containers, including third party transfers. There should be clear description of how to request a deletion or modification. Outside Neutral,
Non-compliance
- Does your application automatically pull information from the user or their device without consent? is it possible that this automatic collection may include data that is not needed for the functionality of your application? Note that for "full informed consent", it should be (a) clearly indicated by a user by performing an action, like checking a box or clicking a button, (b) have specific details on what is being collected and who will be receiving the information, and (b) be freely given without coercion. + Does your application automatically pull information from the user or their device without consent?
Answer "Yes" if your app automatically collects data from users without asking for consent. Note that for "full informed consent", it should be (a) clearly indicated by a user by performing an action, like checking a box or clicking a button, (b) have specific details on what is being collected and who will be receiving the information, and (b) be freely given without coercion.

Is it possible that this automatic collection may include data that is not needed for the functionality of your application?
Answer "Yes" if your app also automatically collect data other than for functionality. Note that for "full informed consent", it should be (a) clearly indicated by a user by performing an action, like checking a box or clicking a button, (b) have specific details on what is being collected and who will be receiving the information, and (b) be freely given without coercion. Data Reduction, Transparency and Disclosure @@ -287,28 +287,28 @@ The threats are categorized by FI Inside Neutral,
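Review bot: In the -257,19 hunk, the enumerated consent conditions read (a), (b), (b); the last should be (c), and since the same sentence is pasted under both sub-questions it needs fixing in both places (or stating once). Also "accomodates" should be "accommodates", and "your app also automatically collect data" should be "collects".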
Non-compliance
- If the application sends data to third parties, do you have a data loss prevention (DLP) control mechanism in place? A DLP mechanism, like an email filter for example, prevents unexpected and uncontrolled loss of internal data. + If the application sends data to third parties, do you have a data loss prevention (DLP) control mechanism in place?
Answer "Yes" if your app sends data to third parties and it deploys a DLP mechanism. A DLP mechanism, like an email filter for example, prevents unexpected and uncontrolled loss of internal data. Privacy Logging and Reporting Inside Neutral,
Unawareness
- If the application sends data to third parties, do customers know about this in their privacy policy? Have they consented to this extended use? To satisfy "customer knowledge", clarify the (a) type of third-party (which industry category), (b) clear purpose of transfer, and (c) frequency of transfer, (d) all personal information categories transferred either to or from a third-party, and (e) general source of the personal information obtained. Privacy Policy must be presented as a conspicuous link. For additional details on how to implement, please refer to 2.2 (18) of the Global Privacy Tool. + If the application sends data to third parties, do customers know about this in their privacy policy?
Answer "Yes" if your app collects data from users and sends them to third parties, and its privacy policy informs the users appropriately. To satisfy "customer knowledge", clarify the (a) type of third-party (which industry category), (b) clear purpose of transfer, and (c) frequency of transfer, (d) all personal information categories transferred either to or from a third-party, and (e) general source of the personal information obtained. Privacy Policy must be presented as a conspicuous link.

Have they consented to this extended use?
Answer "Yes" if your app asks for user consent for the extended use. To satisfy "customer knowledge", clarify the (a) type of third-party (which industry category), (b) clear purpose of transfer, and (c) frequency of transfer, (d) all personal information categories transferred either to or from a third-party, and (e) general source of the personal information obtained. Privacy Policy must be presented as a conspicuous link. Transparency and Disclosure, Consumer Control - Can customers limit their data from being shared by vendors to other applications? + Can customers limit their data from being shared by vendors to other applications?
Answer "Yes" if your app allows users to limit the sharing of their collected data (e.g., the app has a feature that allows users to refuse data sharing). - Are customers able to access/modify their data that is sent to vendors? There should be clear description of how to request a deletion or modification. + Are customers able to access/modify their data that is sent to vendors?
Answer "Yes" if your app allows users to access/modify their collected data that are sent to vendors. There should be a clear description of how to request a deletion or modification. - Does your application share data with third parties? Have they been approved through a third party security assessment? Have they gone through the de-identification process? If not, do they have measures in place to handle PI according to stipulated retention policies? Customers cannot be refused service by organization if they restrict names and addresses from being used by third-parties for mailing list subscriptions. + Does your application share data with third parties?
Answer "Yes" if your app shares data with third parties. Customers cannot be refused service by organization if they restrict names and addresses from being used by third-parties for mailing list subscriptions.

Have they been approved through a third party security assessment?
Answer "Yes" if your app shares data with third parties that have gone through a third-party security assessment.

Have they gone through the de-identification process?
Answer "Yes" if your app shares data with third parties that have gone through de-identification process (i.e., you have consulted with a de-identification expert and completed the de-identification process).

If not, do they have measures in place to handle PI according to stipulated retention policies?
Answer "Yes" if your app shares data with third parties that have measures to handle personal information based on organization retention policies (e.g., PI-related data are deleted at the end of the retention period, also by the third parties). - Is all of the shared data required for the third party to provide the required functionality? If not, do you remove unnecessary data elements before sending them to the third-party? Unnecessary data can also include user data who are no longer customers. Such data should not be collected. + Is all of the shared data required for the third party to provide the required functionality?
Answer "Yes" if your app shares data with third parties and the data are used to provide the required functionality. Unnecessary data can also include user data who are no longer customers. Such data should not be collected.

If not, do you remove unnecessary data elements before sending them to the third-party?
Answer "Yes" if your app shares data (to provide other functionality) with third parties and unnecessary data elements have been removed prior to sending the data. Unnecessary data can also include user data who are no longer customers. Such data should not be collected. - Does this application use personal data from third parties? Do owners of the personal data (all users, including employees) know about the source of the data? Do you validate the correctness of the data received from the third party? + Does this application use personal data from third parties?
Answer "Yes" if your app uses personal information from third parties (e.g., you obtain users' PI from a third party).

Do owners of the personal data (all users, including employees) know about the source of the data?
Answer "Yes" if your app informs users of the source of the data (i.e., the third party involved).

Do you validate the correctness of the data received from the third party?
Answer "Yes" if your app validates the correctness of the data (i.e., specifically checks for errors/mistakes in the data) received from the third party.
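Review bot: In the -287,28 hunk, the de-identification sub-question's guidance attaches the property to the wrong subject: `Answer "Yes" if your app shares data with third parties that have gone through de-identification process` describes the third parties as de-identified, whereas it is the shared data that must be; suggest `Answer "Yes" if the data shared with third parties have gone through the de-identification process`. The old text's pointer `please refer to 2.2 (18) of the Global Privacy Tool` is dropped from the privacy-policy guidance without replacement; confirm that is intended. The (a) to (e) "customer knowledge" list is also duplicated verbatim under both sub-questions and could be stated once.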