Suggested updates to the metadata schema to cover customer data (not just PII) and regulatory requirements such as EU Data Act

[LisaBobbitt]

In the metadata table

update * Dataset issuer to add "controller" as the data set should have a controller (person/company) assigned to it

Add
Environment : Production or Non-Production / Research
Planned deletion/termination date of dataset /method
Business Criticality
Data Type - Customer Event, Customer Configuration, Customer Telemetry

Add Values to Confidentially - Public, Confidential, Restricted

Expand Consent documentation to Legal Basis of Use Location
Expand Privacy enhancing technologies (PETs) or tools applied? to DATA TRANSFORMATIONS or Data Enhancing technologies with relevant transformations being PII De-identified ​, PII Anonymized​, Customer Identifying Data De-identified​, Customer Sensitive Data De-identified​, Bias Neutralization​, Synthetic Data from Source​, Enter specified 'Other' here​

Add Legal Hold (Yes, No)

Access Group Permissions/Restrictions (Permit/Deny)

Data Quality related information (testing results, date)
BackUp Location

Deletion Date (when the data was deleted) so lineage metadata can be kept as record

[LisaBobbitt]

Recommendations for updates to the metadata

[sthagen]

@LisaBobbitt I assume the proposal is on the metadata spec, right?

Question on phasing: Should we align the use cases document in the next edition with this extended information set?

[LisaBobbitt]

Yes, if these are accepted, I would like to update the use cases where it makes sense. Or add a new one that is company focused. Lisa Bobbitt (lbobbitt) Principal Engineer, Privacy Cisco From: Stefan Hagen ***@***.***> Date: Monday, August 25, 2025 at 3:08 PM To: oasis-tcs/dps ***@***.***> Cc: Lisa Bobbitt (lbobbitt) ***@***.***>, Mention ***@***.***> Subject: Re: [oasis-tcs/dps] Suggested updates to the metadata schema to cover customer data (not just PII) and regulatory requirements such as EU Data Act (Issue #79) [Image removed by sender.]sthagen left a comment (oasis-tcs/dps#79)<#79 (comment)> @LisaBobbitt<https://github.com/LisaBobbitt> I assume the proposal is on the metadata spec, right? Question on phasing: Should we align the use cases document in the next edition with this extended information set? — Reply to this email directly, view it on GitHub<#79 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BTRLVWFVEY76ACN5AQ43YVL3PNNGVAVCNFSM6AAAAACEYPHUGWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTEMRRGQYTONRZHE>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[sthagen]

I analyzed the types suggested in this ticket (as far as I understood them).

So, I suggest the following as starting point for a discussion on the values and semantiocs:

• type(alternate-locations) == StorageLocation ... but that may diffuse into regions / technologies ...
• type(confidentiality) == TLP?
• type(controller) == type(issuer)
• type(criticality) == Enumeration or ...?
• type(data-class) == Enumeration or ...?
• type(data-quality) == Enumeration or ...?
• type(deletion-date) == Date[RFC3339]
• type(environment) == Enumeration or ...?
• type(legal-hold) == Boolean
• type(planned-xyz-date) == Date[RFC3339]
• type(sharing-groups) == SharingGroup(sg-identity, sg-permissions, labels)
  • type(sg-identity) == UUID (example: CSAF-SG)
  • type(sg-permissions) == Enumeration(:Allow, :Deny)
  • type(labels) == TLP labels indicating the sharing boundaries to be applied by the recipients

Leaving out the proposed expansions for thios analysis and now, as they should not change the types.