Secure Application Development
Adhere to Secure Coding Standards: Use manual and automated code reviews to ensure that OWASP guidelines for secure coding are followed, so that vulnerabilities are prevented.
Data Storage: Leverage Persister Service when storing data and Encryption Service to encrypt sensitive data before storage.
Data Anonymization: Anonymize PII before emitting data for analysis or reporting.
Third-Party Security Testing: Conduct third-party security penetration testing and vulnerability assessments.
Data Minimization: Collect and process only the data necessary for the functionality of the product.
Data Collection: Design forms to capture from users only data that has a well-defined purpose.
User Privacy
Purpose Limitation: Ensure users are informed about what data is collected, who will access the data and for what purpose. This information should be updated in the Terms and Conditions.
User Access: Provide citizens with the ability to view and request changes to their personal data, e.g. correcting the spelling of a name, updating an address, etc.
Notice and Consent
Create a privacy policy, which details what information is collected, which roles have access to it, and the purpose of such access / usage.
Publish a notice, with a link to the privacy policy, on the login page. Users should indicate that they have read and accepted these terms before they are able to log in.