DCAT Privacy And Security Questionnaire

From Dataset Exchange Working Group


Answers to the Self-Review Questionnaire: Security and Privacy for the Data Catalog Vocabulary specification, produced in parallel with PR https://github.com/w3c/dxwg/pull/836

Answers to the questionnaire

4.1. How does the specification deal with personal information allowing to single out the user?

This specification does not directly handle any personal information by the user of the catalog, but does support the association of participants such as authors and publishers with the datasets that they have made available. In addition it supports the association of rights and licence statements with datasets - such rights and licences may reference user or asset identities. Implementations using these properties should address any privacy and security concerns when creating, maintaining, publishing or using such properties.

4.2. How does this specification deal with high-value data?

This specification does not deal with high-value data directly. Access to any high-value data must be controlled by the access mechanisms provided by the implementation.

4.3. Might this specification introduce new state for an origin that persists across browsing sessions?

No. This specification does not introduce any state.

4.4. Does this specification expose persistent, cross-origin state to the web?

No. This specification does not store or expose any state.

4.5. Does this specification expose any other data to an origin that it doesn’t currently have access to?

No, though implementations could use the vocabulary to expose new metadata (including auther identities, for example) to an origin server.

4.6. Does this specification enable new script execution/loading mechanisms?

No. This specification describes a vocabulary for the cataloging of datasets and associated metadata.

4.7. Does this specification allow an origin access to a user’s location?


4.8. Does this specification allow an origin access to sensors on a user’s device?


4.9. Does this specification allow an origin access to aspects of a user’s local computing environment?


4.10. Does this specification allow an origin access to other devices?


4.11. Does this specification allow an origin some measure of control over a user agent’s native UI?


4.12. Does this specification expose temporary identifiers to the web?

No. URIs used within properties of the classes defined by this vocabulary should be considered persistent identifiers. No other identifiers are exposed through the use of this specification.

4.13. Does this specification distinguish between behavior in first-party and third-party contexts?


4.14. How does this specification work in the context of a user agent’s Private Browsing Modes mode?

The vocabulary implies no sopecific processing model, and so is independant of a user agents's Private Browsing mode

4.15. Does this specification persist data to a user’s local device?


4.16. Does this specification have a "Security Considerations" and "Privacy Considerations" section?

Yes. See https://w3c.github.io/dxwg/dcat/#security_and-privacy

4.17. Does this specification allow downgrading default security characteristics?

No. No part of this specification accesses security characteristics.

4.18. Does this specification allow the persistent monitoring of user behavior?