Re: Feedback Privacy Assessment App

From: S Moonesamy <sm+mu_at_elandsys.com>
Date: Sun, 03 May 2015 10:13:30 -0700

Hello,
At 07:50 03-05-2015, fluxy wrote:
>There is no real definition out there as to what
>*really* constitutes an app. Many websites run
>some form of Javascript but where do we draw the
>line between web app and website?

I would look at it in terms of web service and
web application. It is common for web sites to
use Javascript nowadays; are those web sites
Webapps? As you mentioned, there isn't any real definition.

>I think richness of functionality, how data is
>treated and to which extent it integrates native ui has a lot to do with that.

Yes. There is, for example, a local storage API nowadays.

>UI-wise I think the app works pretty well other
>than the small improvements suggested by Sun.
>Only may I add that the page is quite long and
>somehow tedious to fill. Multi-page form with
>progress bar and different icons per page
>anyone? Also instead of simply mentioning the «
>Definitions as per Data Protection Act 2004 »,
>why not underline the technical terms on the
>forms with an icon and a tooltip (the information is there when it is needed).

Nadim, Nirvan and I actually discussed
whether to use a multi-page format. The decision
was to show the questions in one screen so that
the user is aware of what questions will be asked.

I did not suggest having more hyperlinks or using
tooltips as we were running out of time. There
was a backend to generate the
questionnaire. Those features would require changes to the backend.

>As far as richness of functionality is
>concerned, I do believe there is room for improvement.

Yes.

>0. I got a wrong answer for question ¸, fair
>enough. What impact could it have on my
>organisation? What does the law (which section)
>say about it exactly (a reference at least)?

Please see the data protection principles in the
First Schedule of the Act. There is also some
information about the principles in the FAQ
section. The impact is that your organisation
would not be in compliance with the Data
Protection Act (2004). Some of the questions are
not written as such in the law. The application
advises you to seek advice from a data protection
practitioner for the incorrect answers.

>1. After submitting the form, I am given 3
>pieces of advice in red. These are too generic
>(like someone goes to the doctor, tells him/her
>a list of symptoms, and the doctor says, you
>need some rest, try to have some medicine and if
>you are unsure, please see a specialist). What
>would be better is a list of actions recommended (checklist) for the

Yes.

> person as per the answers given. This provides
> a more pragmatic approach to the whole affair,
> the person is more aware as to what exactly needs to be done.

The problem is that it is not possible to
recommend a list of actions without knowing the
details of the case. There would also have to be
a lot of disclaimers for recommendations in an application.

>2. Also, after submitting the form, the person
>is given a green and red box, but no indication
>as to the scale of how good and how bad things
>are. Ok, I missed a couple of points, but is it
>serious doc? (A scale perhaps? A percentage? A grade?)

There isn't a scale, a grade or a
percentage. Either the organisation is compliant
or it isn't. The "red box" is to highlight that
the organisation might not be compliant.

>3. The person is required to print the form. I
>tried printing it (to a pdf format admittedly),
>but where did the green and red go? The printed
>version is black and white and there is no
>indication as to whether each answer is correct
>or not. Even if the person were to choose to
>print black and white (many offices have laser
>b&w printers), why are there no indication
>(other than color) to make it evident?

I don't recall whether that functionality has
been tested. I'll see what can be done about this problem.

>4. Assume an employee performs this test, and
>wants to discuss the results with his/her
>manager. The manager sees the form and tells the
>employee, « no you made a mistake for the
>question ¸, we actually do cater for this thing,
>please correct this and come again». What
>happens? The employee has to start all over
>again? There are means to resolve this, e.g.
>save on server side (ok privacy issues), provide
>a url to prefill the form, allow the data to be
>saved client side (html5 ftw), export the form
>state to a format (json, password encrypted json ... ).

I understand what you are asking for. I'll say
no because of the privacy issues. I'll comment
about the employee doing the test below.

>5. Seriously why no email? Warn the user of
>potential risks associated but why limit the
>choice? An email can be sent for consideration
>to a manager, who will read it according to
>his/her availability instead of waiting in line
>to meet the manager face to face to show a piece
>of paper. Pragmatism and choice.

Email will cause a privacy issue. It is better
for us to limit the choice so that the
application does not collect any personal data.

>6. Web app (if it is one) to mobile app is a
>short leap with the availability of tools such as Cordova, PhoneGap etc.
>
>7. Who is your audience? Could it be wise to
>define different sets of questions based on the
>audience? Debatable, but point to ponder.
>Different people in an organisation have
>different roles and visibilities, and as such
>may have different applicable questions.

The audience is "those who have responsibilities
for data protection, and should be answered (i.e.
by the nominated person who is responsible for
data protection in your organisation)".

>I am sorry if I do seem harsh, this is far from
>my intention. My opinion was asked, and here it
>is. The design looks good, and it is fluid. I
>guess this is a decent v1, but if the
>application were to be as useful as its
>usefulness has been lauded by the nice lady who
>did the presentation, and were it to be more
>than just an electronic version of a paper
>questionnaire (and more of a web app), I do
>believe there are avenues that need to be further explored.

It is good feedback. This is the type of feedback I find useful.

The project took four months. It required a lot
of effort to go beyond an electronic version of a
paper questionnaire. Near the end of the project
I asked for features to be removed or not be
added as the developers were putting too much
free time into the application. There were also
some project management issues, as we hadn't done
an open source software project in Mauritius
previously. The plan for the presentation was
for developers to be able to ask some of the
questions which you asked above. I cut off that
part of the presentation as there wasn't any time
left for it. It was unfortunate, as one of the
developers in the audience mentioned that he came
to the presentation to discuss the application.

At 09:09 03-05-2015, Sruti Jughdharree wrote:
>Some points I want to point out are that:
>I do agree that the logo hides some contents.

Yes, that has to be fixed.

>I do not understand why in the Compliance
>Assessment section, for some questions, there is
>only the choice between yes or no. What if the
>user does not know or is not sure about what to answer.

A "no" answer will be used for assessing the
choices of the user if the user does not know or
is not sure what to answer. I'll use an
example: do you have a policy on data protection
in your organisation? If a person responsible
for data protection answers "not sure", how could
the person even be given the responsibility for data protection?

>Also, I submitted the form without answering any
>question. Consequently, the result was full of answers I did not even answer.

The default answer will be used if you do not answer any question.

>It would be nice if there was some sort of error
>message in case any question is missed.
>Hope that this will help.

It may be possible to catch the above case.

Regards,
S. Moonesamy
Received on Sun May 03 2015 - 17:14:34 PST