• DocumentCode
    3102227
  • Title

    A Method for Identifying Software Requirements Based on Policy Commitments

  • Author

    Young, Jessica D. ; Antón, Annie I.

  • Author_Institution
    Dept. of Comput. Sci., North Carolina State Univ., Raleigh, NC, USA
  • fYear
    2010
  • fDate
    Sept. 27 2010-Oct. 1 2010
  • Firstpage
    47
  • Lastpage
    56
  • Abstract
    Online policy documents (such as privacy policies, notices of privacy practices, and terms of use) describe organizations' information practices for collecting, storing, and using consumers' personal information. Organizations need to ensure that the commitments they express in their policy documents reflect their actual business practices. This compliance is significant in the United States where the Federal Trade Commission regulates fair business practices. Therefore, the requirements engineers developing systems for organizations need to understand the policy documents in order to know the information practices with which the software must comply. The requirements engineers also must ensure that the commitments expressed in these policy documents are incorporated into the software requirements. In this paper, we present a summative case study of a commitment analysis approach. The approach was developed during a formative case study of four healthcare organizations' policy documents. Within this approach, we obtain requirements from policy documents based on our theory of commitments, privileges, and rights. During our summative case study we applied our commitment analysis approach to eight healthcare organizations' policy documents in order to validate the methodology. We discuss the results of the summative study, in which we found that most of the statements express organizational practices or procedures. The top seen classification conveys pledges made by the organization based on organizational practices. The second most seen classification expresses actions that the user is entitled to perform based on organizational practices.
  • Keywords
    business data processing; data privacy; document handling; organisational aspects; systems analysis; United States; commitment analysis approach; consumers personal information; fair business practice; federal trade commission; online policy document; policy commitment; software requirements identification; Google; Law; Medical services; Organizations; Privacy; Software; commitment; compliance; policy document; privacy aware; privilege; requirement; right;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Requirements Engineering Conference (RE), 2010 18th IEEE International
  • Conference_Location
    Sydney, NSW
  • ISSN
    1090-705X
  • Print_ISBN
    978-1-4244-8022-7
  • Type

    conf

  • DOI
    10.1109/RE.2010.17
  • Filename
    5636634