Zum Inhalt springen
storywi.se documentation storywi.se documentation storywi.se Dokumentation

Quality Assurance

Dieser Inhalt ist noch nicht in deiner Sprache verfügbar.

The quality assurance page provides tools to verify and validate different aspects of your user stories. Currently, it offers a privacy check functionality, with more quality checks planned for future releases.

Future quality checks will include:

  • Accessibility requirements validation
  • Documentation completeness checks
  • Quality checks for the requirements (INVEST, INCOSE, etc.)

These upcoming features will help ensure comprehensive quality across multiple dimensions of your project requirements.

Current functionality

The quality assurance page offers a privacy check for your user stories. This check helps ensure your stories are aligned with privacy principles, specifically focusing on GDPR compliance. You can select epics to be included in the check and choose to analyze only new and changed stories or all stories.

The privacy check utilizes a method developed by Guntur Budi Herwanto during his time working with our company. As part of his PhD research, Guntur created these mechanisms and documented them in his paper “Automated User Story Analysis and GDPR Compliance”. The mechanisms were then implemented by our development team. Let’s explore how this privacy check works, based on Guntur’s approach.

How the Privacy Check Works

The privacy check, as outlined by Gunthur, is an automated pipeline that leverages Large Language Models (LLMs) to analyze user stories in three stages:

  1. User Story Analysis:

    • Input: Your user story.
    • Process: The system uses an LLM to analyze the user story. It identifies and extracts key information, focusing on:
      • Actors/Stakeholders: Who are the involved parties in the user story?
      • Personal Data: What personal data is mentioned or implied in the story?
      • Processing Activities: What actions are being performed on the personal data?
    • Output: The analysis is structured as a JSON object containing the extracted information under the keys for actors, personal data, and processing.

  2. GDPR Compliance Check:

    • Input:
      • The analysis results from Stage 1 (actors, personal data, processing).
      • A set of GDPR epics that you select for the check.
    • Process: For each selected GDPR epic, the system uses another prompt to determine if the epic is applicable to the user story, based on the analysis from Stage 1.
    • Output: For each checked epic, the output indicates whether the epic applies and provides an explanation.

  3. GDPR-Compliant User Story Generation:

    • Input:
      • The original user story.
      • The analysis results from Stage 1.
      • Relevant GDPR requirements (derived from applicable epics from Stage 2, or predefined requirements).
    • Process: Using a final prompt the system generates a new user story that aims to be GDPR compliant. This generation is based on the original story, the analysis, and the identified GDPR requirements.
    • Output: A revised user story intended to be more privacy-conscious and GDPR compliant.

Privacy Check Categories

The privacy check evaluates user stories across several key privacy and data protection categories:

Anonymity and Unlinkability

  • Protect Personal Data for Anonymity Ensure personal data is protected to maintain privacy, preventing association with specific individuals.

  • Prevent Indirect Identification (Unlinkability) Avoid indirect identification of individuals through data, enabling services without linking back to a person.

  • Data Minimization Collect only the minimum necessary personal data, reducing the risk of identifying individuals.

Integrity

  • Maintain Data Accuracy (Integrity) Keep personal data accurate and up-to-date to ensure its reliability and correctness.

Confidentiality

  • Protect Sensitive Data Safeguard sensitive personal data to uphold individual privacy and safety.

  • Secure Access Control Ensure only authorized and verified users can access personal data.

  • Implement Security Measures Apply appropriate security measures to maintain data confidentiality during processing and storage.

Transparency

  • Access Consent Documentation Provide access to consent records to verify GDPR compliance and understand processing activities.

  • Obtain and Withdraw Consent Enable users to easily give or withdraw consent for their personal data processing.

  • Parental Consent for Children Allow parents or guardians to manage consent for processing children’s personal data.

Clear Communication

  • Provide Processing Information Offer accessible information about data processing activities, purposes, and safeguards in clear and plain language.

  • Notify Users of Processing Activities Inform users about how their data is being processed during system operation.

Purpose Specification and Limitation

  • Define Processing Purposes Clearly identify specific reasons for processing personal data and collect only data necessary for those purposes.

Compliance Documentation

  • Access Legal Grounds for Processing Maintain documentation on the legal basis for data processing, including for sensitive data, legitimate interests, legal obligations, and secondary purposes with anonymized data.

  • Determine GDPR Scope Compliance Provide documents to ascertain if processing activities fall within GDPR’s jurisdiction.

User Rights and Data Access

  • Access to Personal Data Information Allow users to access information about their personal data processing to make informed decisions about system use.

  • Data Portability Enable users to export their processed personal data in a machine-readable format.

Accountability and Record-Keeping

  • Maintain Processing Records Keep detailed records of data processing activities and user interactions for accountability, accessible to compliance officers like CISO/DPO.

Data Breach Notification

  • Notify Authorities and Users Immediately inform supervisory authorities and affected users about data breaches and their potential consequences.

Profiling Transparency

  • Inform and Manage Profiling Activities Provide users with information about profiling processes, allowing them to access profiling data and manage consent. Evaluate profiling activities to ensure legal compliance.

Child-Friendly Information

  • Simplify Information for Children Present processing information in plain language suitable for children to understand.

Data Archiving

  • Lawful Archiving with Safeguards Archive personal data in compliance with legal requirements, ensuring appropriate safeguards are in place.

Intervenability

User Control over Personal Data

  • Edit and Update Data Allow users to correct or update their personal information held by the system.

  • Data Removal (Right to Erasure) Enable users to request the deletion of their personal data from the system.

  • Restrict Processing Provide options for users to limit how their personal data is processed.

Secure Data Transfers

  • Protect Data During Transfers Implement security measures to safeguard personal data during transfer processes.

  • Transparency in Data Transfers Inform users about personal data transfer activities to ensure compliance and transparency.

Manageability

Risk Management

  • Security Risk Reports Generate reports on security risks to develop and implement mitigation strategies.

  • Privacy Risk Reports Create reports addressing privacy risks to identify issues and plan appropriate responses.

Citation:

The privacy check mechanism is based on the methodology described by:

Gunthur Budi Herwanto. (2024). Automated User Story Analysis and GDPR Compliance.

Note: The quality assurance page utilizes both the privacy check (Stages 1 and 2) to provide feedback on your user stories related to privacy concerns, as well as user story generation (Stage 3) to help create privacy-compliant user stories.