Appendix M: SDL Privacy Bug Bar (Sample)
Note: This sample document is for illustration purposes only. The content presented below outlines basic criteria to consider when creating privacy processes. It is not an exhaustive list of activities or criteria and should not be treated as such.
Please refer to the definitions of terms in this section.
On This Page
End-User ScenariosUsage notes: These scenarios apply to consumers, enterprise clients, and enterprise administrators acting as end users. For enterprise administrators acting in their administrative role, see the Enterprise Administrators Scenarios.
Enterprise Administration Scenarios
Definition of Terms
Non-personal data that has no connection to an individual. By itself, it has no intrinsic link to an individual user. For example, hair color or height (in the absence of other correlating information) does not identify a user.
child or children
Under 14 years of age in Korea and under 13 years of age in the United States.
A discoverable notice is one the user has to find (for example, by locating and reading a privacy statement of a website or by selecting a privacy statement link from a Help menu).
Data transfer is discrete when it is an isolated data capture event that is not ongoing.
Metadata that is necessary to the application for supporting the file (for example, file extension).
Explicit consent requires that the user take—or have the ability to take—an explicit action before data is collected or transferred.
Hidden metadata is information that is stored with a file but is not visible to the user in all views. Hidden data may include personal information or information that the user would likely not want to distribute publicly. If such information is included, the user must be made aware that this information exists and must be given appropriate control over sharing it.
Implicit consent does not require an explicit action indicating consent from the user; the consent is implicit in the operation the user initiates.
Metadata that is not necessary to the application for supporting the file (for example, key words).
Persistent storage of data means that the data continues to be available after the user exits the application.
personally identifiable information (PII)
Personally identifiable information is any information (i) that identifies or can be used to identify, contact, or locate the person to whom such information pertains, or (ii) from which identification or contact information of an individual person can be derived. Personally Identifiable Information includes, but is not limited to, name, address, phone number, fax number, e-mail address, financial profiles, medical profile, social security number, and credit card information. Additionally, to the extent that unique information (which by itself is not PII, such as a unique identifier or IP address) is associated with PII, such unique information will also be considered PII.
A prominent notice is one that is designed to catch the user’s attention. Prominent notices should contain a high-level, substantive summary of the privacy-impacting aspects of the feature, such as what data is being collected and how that data will be used. The summary should be fully visible to a user without additional action on the part of the user, such as having to scroll down the page. Prominent notices should also include clear instructions for where the user can get additional information (such as in a privacy statement).
Sensitive personally identifiable information includes any data that could (i) be used to discriminate (ethnic heritage, religious preference, physical or mental health, for example), (ii) facilitate identity theft (like mother’s maiden name), or (iii) permit access to a user’s account (like passwords or PINs). Note that if the data described in this paragraph is not commingled with PII during storage or transfer, and it is not correlated with PII, then the data can be treated as Anonymous Data. If there is any doubt, however, the data should be treated as Sensitive PII. While not technically Sensitive PII, user data that makes users nervous (such as real-time location) should be handled in accordance with the rules for Sensitive PII.
Critical. Release may create legal or regulatory liability for the organization.
Important. Release may create high risk of negative reaction by privacy advocates or damage the organization’s image.
Moderate. Some user concerns may be raised, some privacy advocates may question, but repercussion will be limited.
Low. May cause some user queries. Scrutiny by privacy advocates unlikely.
Temporary storage of data means that the data is only available while the application is running.
This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products.
This documentation is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.
This documentation does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.
© 2012 Microsoft Corporation. All rights reserved.