Context: Digital and physical trails of user activities are collected through the use of software applications and systems. As software becomes ubiquitous, protecting user privacy has become challenging. With the increase in user privacy awareness and the advent of privacy regulations and policies, there is an emerging need to implement software systems that enhance the protection of personal data processing. However, existing data protection and privacy regulations provide key principles at a high level, making it difficult for software engineers to design and implement privacy-aware systems.

Objective: In this paper, we develop a taxonomy that provides a comprehensive set of privacy requirements based on four well-established personal data protection regulations and privacy frameworks: the General Data Protection Regulation (GDPR), ISO/IEC 29100, the Thailand Personal Data Protection Act (Thailand PDPA) and the Asia-Pacific Economic Cooperation (APEC) privacy framework.

Methods: These requirements are extracted, refined and classified (using the goal-based requirements analysis method) to a level at which they can be mapped to issue reports. We have also performed a study on how two large open-source software projects (Google Chrome and Moodle) address the privacy requirements in our taxonomy by mining their issue reports.

Results: The paper discusses how the collected issues were classified, and presents the findings and insights generated from our study.

Conclusion: Mining and classifying privacy requirements in issue reports can help organisations be aware of their state of compliance by identifying privacy requirements that have not been addressed in their software projects. The taxonomy also allows the identified privacy requirements to be traced back to the regulations, standards and frameworks that the software projects have not complied with.