Chapter 14 Privacy, Security & Compliance
I. Chapter Purpose & Scope
Fix pipeline privacy, security, and compliance specifications: data minimization & de-identification, encryption & key management, access control & network isolation, regional compliance & data residency, incident response & audit, compliance module & export manifest; ensure alignment with data contracts, Dataset/Model Cards, monitoring, and the Metrology chapter.
II. Terminology & Dependencies
- Terms: PII, PHI, data_minimization, deidentification, k_anon, ε_dp, lawful_basis, data_residency, DLP, KMS, RBAC, ABAC, mTLS, SSE-KMS, BYOK, IRP (incident response plan).
- Dependencies: contracts/exports (Core.DataSpec v1.0); units/dimensions (Core.Metrology v1.0); privacy/ethics & regional compliance (DatasetCards v1.0 Ch.13; ModelCards v1.0 Ch.14).
- Math & symbols: wrap inline symbols (e.g., k_anon, ε_dp, T_inf) in backticks; any division/integral/composite operator must use parentheses; no Chinese in formulas/symbols/definitions.
III. Fields & Structure (Normative)
privacy:
  policy: "no-PII|limited-PII|special-category"
  lawful_basis: ["consent","contract","legitimate_interest","research"]
  data_minimization: true
  pii_inventory: ["<fieldA>","<fieldB>"]
  deidentification:
    methods: ["hash-id","mask","truncate","generalize","noise"]
    k_anon: 10
    l_diversity: 2
    ε_dp: null
  retention:
    policy: "min-necessary"
    delete_after_days: 365
  data_residency: ["EU","US"]
  dlp:
    enabled: true
    rules: ["creditcard","ssn","email"]
  notes: "<non-normative>"
security:
  encryption:
    at_rest: "SSE-KMS|AES-256"
    in_transit: "TLS1.2+"
    kms: {provider: "cloud-kms|hsm", byok: true}
  access_control:
    model: "RBAC|ABAC"
    roles: ["owner","maintainer","reader"]
    enforcement: ["signed-url","token","ip-allowlist","mTLS"]
    audit_log: true
  network:
    segmentation: ["private-subnet","sg-allowlist"]
    egress_policy: "deny-by-default"
  secrets:
    manager: "vault|cloud-secrets"
    rotation_days: 90
  hardening:
    container: ["non-root","readonly-rootfs","seccomp","no-new-privs"]
    artifact_signing: true
compliance:
  regions: ["EU-GDPR","US-CCPA","CN-DSL"]
  data_transfer:
    mechanisms: ["SCCs","intra-region-only"]
  third_parties:
    processors: ["<vendorA>@v1.0"]
    dpas_signed: true
  incident_response:
    contact: "security@org.example"
    sla_hours: 72
    runbook_ref: "security/irp.md"
  audits:
    schedule: "annual|quarterly"
    artifacts: ["privacy/pii-scan.txt","security/pen-test.md","compliance/dpia.md"]
IV. Data Minimization & De-identification
- Minimization: collect/process only fields strictly necessary; maintain pii_inventory and cross-check with contract schema_ref.
- De-identification: use hash-id|mask|truncate|generalize|noise; if using DP, record ε_dp and scope; include parameters & validation evidence for k_anon≥k and l_diversity≥l in exports.
- Re-identification risk: enable DLP and sampled attacker/linkage testing; archive evidence.
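One way to produce the `k_anon≥k` / `l_diversity≥l` validation evidence named above, shown on raw records and again after the `generalize` and `truncate` methods are applied. This is an added example, not code from the specification; the column names, the sample rows and the choice of distinct l-diversity (number of different sensitive values per class) are assumptions.

```python
from collections import defaultdict

# Constructed sample (not from the page): (age, zip, diagnosis) records.
ROWS = [dict(zip(("age", "zip", "diagnosis"), r)) for r in [
    (34, "94110", "flu"), (37, "94117", "asthma"), (31, "94103", "flu"),
    (42, "94110", "diabetes"), (45, "94121", "diabetes"), (48, "94107", "diabetes"),
    (52, "10001", "flu"), (58, "10027", "asthma"),
]]


def generalize(row):
    """'generalize' age to a 10-year band and 'truncate' the ZIP to 3 digits."""
    low = row["age"] // 10 * 10
    return {"age": f"{low}-{low + 9}", "zip": row["zip"][:3], "diagnosis": row["diagnosis"]}


def deid_evidence(rows, quasi_ids, sensitive, k_required, l_required):
    """Measure k-anonymity and distinct l-diversity and list the failing classes."""
    if not rows:
        raise ValueError("no rows to evaluate")
    # An equivalence class is every record sharing one quasi-identifier tuple.
    classes = defaultdict(list)
    for row in rows:
        classes[tuple(row[q] for q in quasi_ids)].append(row[sensitive])
    violations = []
    for key, values in sorted(classes.items()):
        size, distinct = len(values), len(set(values))
        if size < k_required or distinct < l_required:
            violations.append({"class": key, "size": size, "distinct": distinct})
    return {
        "k_anon": min(len(v) for v in classes.values()),
        "l_diversity": min(len(set(v)) for v in classes.values()),
        "passed": not violations,
        "violations": violations,
    }
```

The second equivalence class in the generalized data meets `k_anon` but holds a single diagnosis, which is the case `l_diversity` exists to catch.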
V. Encryption, Keys & Access Control
- Encryption: at rest SSE-KMS|AES-256, in transit TLS1.2+; keys in KMS/HSM, support BYOK; record rotations to audit.
- Access: RBAC|ABAC plus signed-url|token|ip-allowlist|mTLS; least privilege and just-in-time access; audit sensitive operations.
- Network: private segmentation and security-group allowlists; egress deny-by-default with domain/tag-based exceptions.
VI. Regional Compliance & Data Residency
- Residency: declare allowed storage/processing regions in data_residency; cross-border transfers use SCCs or equivalent and are cited in exports.
- Third parties/processors: register processors and DPA status; tag flows in lineage for traceability.
VII. Incident Response & Vulnerability Management
- IR: fix incident_response.sla_hours, contacts, and runbook; severity levels and disclosure windows defined; run drills and archive outcomes.
- Vuln mgmt: SBOMs for images/deps, CVE scans, and patch SLAs; block release on critical defects.
VIII. Logging, Audit & Retention
- Logs: structured jsonl, pii_redaction enabled; retention period enforced; security events routed to a dedicated audit stream.
- Audit: access logs, key ops, policy changes, exception handling—all traceable; generate verifiable reports and register sha256 in export_manifest.
IX. Metrology & Units (SI)
- Security/privacy perf & cost metrics (e.g., crypto overhead, de-id latency, audit storage) must use SI: T_inf(ms), QPS(1/s), size_bytes; metrology:{units:"SI", check_dim:true} is mandatory.
- If compliance modules involve path quantities (e.g., T_arr handling), register delta_form, path="gamma(ell)", measure="d ell", use one equivalence below and pass check_dim:
- T_arr = ( 1 / c_ref ) * ( ∫ n_eff d ell )
- T_arr = ( ∫ ( n_eff / c_ref ) d ell ).
X. Machine-Readable Fragment (Drop-in)
privacy:
  policy: "limited-PII"
  lawful_basis: ["consent","research"]
  data_minimization: true
  pii_inventory: ["user_id","email_hash"]
  deidentification: {methods: ["hash-id","mask"], k_anon: 20, l_diversity: 2, ε_dp: null}
  retention: {policy: "min-necessary", delete_after_days: 180}
  data_residency: ["EU"]
  dlp: {enabled: true, rules: ["email","creditcard"]}
security:
  encryption: {at_rest: "SSE-KMS", in_transit: "TLS1.2+", kms: {provider: "cloud-kms", byok: true}}
  access_control: {model: "RBAC", roles: ["owner","maintainer","reader"], enforcement: ["token","ip-allowlist","mTLS"], audit_log: true}
  network: {segmentation: ["private-subnet"], egress_policy: "deny-by-default"}
  secrets: {manager: "vault", rotation_days: 90}
  hardening: {container: ["non-root","readonly-rootfs","seccomp","no-new-privs"], artifact_signing: true}
compliance:
  regions: ["EU-GDPR"]
  data_transfer: {mechanisms: ["SCCs"]}
  third_parties: {processors: ["processorA@v1.0"], dpas_signed: true}
  incident_response: {contact: "security@org.example", sla_hours: 72, runbook_ref: "security/irp.md"}
  audits: {schedule: "annual", artifacts: ["privacy/pii-scan.txt","security/pen-test.md","compliance/dpia.md"]}
XI. Lint Rules (Excerpt, Normative)
lint_rules:
  - id: PRIV.POLICY_ALLOWED
    when: "$.privacy.policy"
    assert: "value in ['no-PII','limited-PII','special-category']"
    level: error
  - id: PRIV.MINIMIZATION_ON
    when: "$.privacy.data_minimization"
    assert: "value == true"
    level: error
  - id: PRIV.DPI_PARAMS
    when: "$.privacy.deidentification"
    assert: "has_key('methods') and (has_key('k_anon') or has_key('ε_dp'))"
    level: error
  - id: SEC.ENCRYPTION_REQUIRED
    when: "$.security.encryption"
    assert: "value.at_rest in ['SSE-KMS','AES-256'] and value.in_transit >= 'TLS1.2+'"
    level: error
  - id: SEC.CREDENTIALS_MANAGER
    when: "$.security.secrets.manager"
    assert: "value in ['vault','cloud-secrets']"
    level: error
  - id: COMP.REGIONS_ALLOWED
    when: "$.compliance.regions[*]"
    assert: "value in ['EU-GDPR','US-CCPA','CN-DSL']"
    level: error
  - id: IR.SLA_DEFINED
    when: "$.compliance.incident_response.sla_hours"
    assert: "is_number(value) and value > 0"
    level: error
  - id: METROLOGY.SI_AND_CHECKDIM
    when: "$.metrology"
    assert: "units == 'SI' and check_dim == true"
    level: error
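A sketch of how four of these rules could be enforced in Python, added here as an example and not taken from the specification, which does not define the `assert` expression language. It assumes that a missing path fails the rule and that `in_transit >= 'TLS1.2+'` means "protocol version at least 1.2", so the version is parsed numerically instead of compared as a string; the helper names and the `GOOD`/`BAD` inputs are constructed.

```python
import copy
import re

_TLS = re.compile(r"TLS(\d+)\.(\d+)\+?")

def tls_version(value):
    """'TLS1.2', 'TLS1.2+', 'TLS1.3' -> (major, minor); anything else -> None."""
    m = _TLS.fullmatch(value) if isinstance(value, str) else None
    return (int(m.group(1)), int(m.group(2))) if m else None

def get(doc, path):
    """Walk a dotted path; a missing key yields None so the rule fails closed."""
    for key in path.split("."):
        doc = doc.get(key) if isinstance(doc, dict) else None
    return doc

def _encryption_ok(doc):
    enc = get(doc, "security.encryption")
    if not isinstance(enc, dict):
        return False
    version = tls_version(enc.get("in_transit"))
    return enc.get("at_rest") in ("SSE-KMS", "AES-256") and version is not None and version >= (1, 2)

def _sla_ok(doc):
    sla = get(doc, "compliance.incident_response.sla_hours")
    return isinstance(sla, (int, float)) and not isinstance(sla, bool) and sla > 0

RULES = {
    "PRIV.MINIMIZATION_ON": lambda d: get(d, "privacy.data_minimization") is True,
    "SEC.ENCRYPTION_REQUIRED": _encryption_ok,
    "SEC.CREDENTIALS_MANAGER": lambda d: get(d, "security.secrets.manager") in ("vault", "cloud-secrets"),
    "IR.SLA_DEFINED": _sla_ok,
}

def lint(doc):
    """Return the sorted ids of the rules the document violates."""
    return sorted(rule_id for rule_id, check in RULES.items() if not check(doc))

# Constructed input: a subset of the page's drop-in fragment as parsed YAML.
GOOD = {
    "privacy": {"data_minimization": True},
    "security": {"encryption": {"at_rest": "SSE-KMS", "in_transit": "TLS1.2+"},
                 "secrets": {"manager": "vault", "rotation_days": 90}},
    "compliance": {"incident_response": {"sla_hours": 72}},
}
BAD = copy.deepcopy(GOOD)
BAD["security"]["encryption"]["in_transit"] = "TLSv1.0"  # as a string, sorts above 'TLS1.2+'
BAD["compliance"]["incident_response"]["sla_hours"] = True  # a bool is not a number of hours
```

A plain string comparison would accept `"TLSv1.0"` and reject the exact value `"TLS1.2"`, so an implementation of `SEC.ENCRYPTION_REQUIRED` needs a version-aware comparison or a closed list of accepted values.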
XII. Export Manifest & Audit
export_manifest:
  version: "v1.0"
  artifacts:
    - {path: "privacy/pii-inventory.csv", sha256: "..."}
    - {path: "privacy/deid_report.md", sha256: "..."}
    - {path: "security/audit.log", sha256: "..."}
    - {path: "security/sbom.json", sha256: "..."}
    - {path: "compliance/dpia.md", sha256: "..."}
    - {path: "compliance/data_transfer.md", sha256: "..."}
  references:
    - "EFT.WP.Core.DataSpec v1.0:EXPORT"
    - "EFT.WP.Core.Metrology v1.0:check_dim"
    - "EFT.WP.Data.DatasetCards v1.0:Ch.13"
    - "EFT.WP.Data.ModelCards v1.0:Ch.14"
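Filling in and checking the `sha256` anchors of a manifest in this shape could look as follows. This is an added example, not part of the specification; the function names, the status strings and the rule that every artifact path must stay inside the export root are assumptions.

```python
import hashlib
from pathlib import Path

def sha256_file(path, chunk_size=65536):
    """Stream the file so large audit logs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root, rel_paths, version="v1.0"):
    """Produce the export_manifest mapping with a real digest for every artifact."""
    root = Path(root)
    artifacts = [{"path": p, "sha256": sha256_file(root / p)} for p in rel_paths]
    return {"export_manifest": {"version": version, "artifacts": artifacts}}

def verify_manifest(root, manifest):
    """Return {path: status}; status is ok, mismatch, missing or unsafe-path."""
    root = Path(root).resolve()
    results = {}
    for entry in manifest["export_manifest"]["artifacts"]:
        rel, expected = entry["path"], str(entry.get("sha256", "")).lower()
        target = (root / rel).resolve()
        if root not in target.parents:
            results[rel] = "unsafe-path"  # absolute path, ../ or symlink leaving the root
        elif not target.is_file():
            results[rel] = "missing"
        elif sha256_file(target) != expected:
            results[rel] = "mismatch"     # also catches a leftover "..." placeholder
        else:
            results[rel] = "ok"
    return results

def release_gate(root, manifest):
    """True only when the manifest lists artifacts and every one verifies."""
    results = verify_manifest(root, manifest)
    return bool(results) and all(status == "ok" for status in results.values())
```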
XIII. Chapter Compliance Checklist
- Data minimization & de-identification enabled; pii_inventory/k_anon/ε_dp with evidence present.
- Encryption at rest/in transit active; keys managed by KMS/HSM with rotation; RBAC|ABAC and network isolation in place; sensitive ops auditable.
- Regional compliance & residency declared; cross-border mechanisms and third-party processors recorded with DPAs.
- Incident response SLA/contacts/runbook fixed; SBOM/CVE scanning and patch SLAs active.
- SI metrology with check_dim=true; for T_arr, delta_form/path/measure registered and validated.
- Export manifest lists privacy/security/compliance artifacts and anchors with sha256, satisfying release gates.