Is the ownership of the project and everything that the project produces clearly defined and documented?

Yes

If yes - please link to the relevant copyright, trademarks, or ownership documentation for the project.

https://docs.openg2p.org/

Does this open project have mandatory dependencies (i.e. libraries, hardware) that create more restrictions than the original license?

No

If yes - are the open source components able to demonstrate independence from the closed component(s) and/or are there functional, open alternatives?

Not Applicable

If yes - please describe how the open source components are independent and/or list the open alternatives for the closed component:

Not Applicable

Does some documentation exist of the source code, use cases, and/or functional requirements. For software projects, this should be present as technical documentation that would allow a technical person unfamiliar with the project to launch and run the software. For datasets and data projects, this should be present as documentation that describes all the fields in the set, and provides context on how the data was collected and how it should be interpreted. For content collections, this should indicate any relevant compatible apps, software, hardware required to access the content and any instructions about how to use it.

Yes

If yes - please link to the relevant documentation:

• https://docs.openg2p.org/

Does this project collect or use non-personally identifiable information (non-PII) data and/or content?

Yes

If yes - is there a mechanism for extracting or importing non-personally identifiable information (non-PII) from the system in a non-proprietary format?

Yes

If yes - describe the mechanism for extracting or importing non-personally identifiable information from the system in a non-proprietary format:

OpenG2P use depends on how government agencies store, share, and treat PII data. OpenG2P advocates for and brings an approach that confers additional privacy, security and consent in systems that have historically lacked such features. The importance of this topic is highlighted in our first White Paper on the subject of Privacy and Security Design(attached). In terms of extracting non-personally identifiable data, the building blocks are designed to export data only relevant for a specific purpose. For example we provide an CSV export functionality as part of the data views, with field level controls available to hide specific details.
In the context of OpenG2P, we consider 'stateless building blocks' as ones not storing beneficiary associated data beyond the life of a request-response cycle. Such components tend to be adapters with external systems. An example of a stateless brick is the OpenG2P Verification Engine which enables lookup against external identity and data sources and does not store data beyond the request-response cycle.
An OpenG2P user will evaluate its data requirement and assess how critical it is to store beneficiary PII. Preference is not storing data and in making solutions stateless, however, if not a viable approach we advocate the following approaches, that prioritizes storing PII at a central location rather than having them fragmented across several projects. In theory, this reduces attack vectors:
a. Having projects store data to a central location, e.g. an existing database, and retrieving data needed to complete a request on-demand from that central locations.
b. Saving tokens and references to the beneficiary records stored at a central location with business data, rather than the entire PII of the beneficiary. Additionally, we advise that such a token should be project-specific, reducing its viability as a correlation handle.
c. If none of the above approaches can be taken, e.g as in the case of the OpenG2P search service which needs to maintain indexes, care, and data security measures should be instituted to protect against data breaches.
OpenG2P creates a framework for components to work together. The systems required by governments to register, verify, enumerate beneficiaries, send funds, verify funds received, and so on are often lacking in one or more areas and OpenG2P provides a framework for bounded components to share necessary information via secure tokens. Protecting privacy and securing data are key themes in the design of OpenG2P.

Has this project taken steps to ensure adherence with relevant privacy, domestic, and international laws? For example, the General Data Protection Regulation (GDPR) in the European Union or the Supplementary Act A/SA.1/01/10 on Personal Data Protection for the Economic Community of West African States (ECOWAS) (yes/no)

Yes

If yes, please list some of relevant laws that the project complies with:

• - OpenG2P components are flexible to be used within country specific privacy laws.
• - The OpenG2P framework confers privacy, security, and consent as an inalienable right of every person regardless of their gender and economic situation. A key concept in our privacy approach is the requirement to only use information for the intended purpose and to prevent transmission of data to systems that are non-compliant with policies.
• - The OpenG2P framework is conceptualized as supportive of Government transfer systems, and the organization of such transfer programs are at the behest of governmental agencies. We take approaches that are protective of security and privacy while remaining consistent with governmental policies.

If yes, please describe the steps this project has taken to ensure adherence (include links to terms of service, privacy policy, or other relevant documentation):

• For users needing to store PII, e.g. Beneficiary Database follow a minimum set of data-handling conventions and procedures as per the Guiding Principles of OpenG2P:
• a. Data should be encrypted at rest, advisably with a regularly rotating key scheme and these keys kept safely off system.
• c. All-access should via strong authentication mechanism and permissioned; this also includes access to other OpenG2P projects.
• d. Datastore should not be on a internet-facing network.
• e. Tamper resistant logging of system access should be implemented across all potential routes of attacks
• OpenG2P blocks by default not on externally-accessible networks. This default can be relaxed for the following situations:
• a. Needs to communicate with systems of external parties, in which case we advise the use of VPNs and other secure end-to-end/point-to-point secure communication strategies.
• b. Needs to be accessed by a wide variety of users, e.g. admin systems, in which case just interfaces should adopt industry-standard authentication strategies.
• c. User authentication, authorization, and roles; for interfaces that users log into, e.g. beneficiary administration system, we advocate the following the minimum.
• d. A system of authentication that factors, password strength, password expiration and rotation, and brute force protection. We also advocate for Two-factor authentication procedures where possible.
• e. System of roles and authorization that provides the exact amount of rights a user needs to perform their tasks and nothing more.
• f. Audited access with sessions and CRUD logs.

Does this project support standards? (i.e. Web Content Accessibility Guidelines (WCAG) 2.1 or other standards such as those listed on W3C)

Yes

Which standards does this project support (please list)

• w3c verifiable credentials and others under explorations especially around handling of PII

Can you point to evidence of your support? (i.e. please link to your validator, open test suite, etc.)

• Work in progress especially around compliance to open standards around handling and security of PII

Was this project built and developed according to or in adherence with any design, technical and/or sector best practices or principles? i.e. the Principles for Digital Development?

Yes

Which principles and best practices does this project support (please list)

• Principles for Digital Development; the Responsible Digital Payments Guidelines by the Better Than Cash Alliance

Has this project taken steps to anticipate, prevent and do no harm by design?

9.a. Data Privacy & Security

9.b. Inappropriate & Illegal Content

9.c. Protection from harassment

List of countries this project was developed in.

• Sierra Leone

List of countries this project is actively deployed in.

• Sierra Leone