Conference Paper

Privacy by Design to Comply with GDPR: A Review on Third-Party Data Processors


Abstract

As the General Data Protection Regulation (GDPR) within the European Union comes into effect, organizations need to cope with novel legal requirements regarding the processing of user data and, in particular, how other organizations integrated into the service may process these data. Designing information systems (IS) as mash-ups of services from various providers (ecosystems) is the state of practice. The GDPR raises for companies the question of how they can ensure that operations involving external data processors conform to the regulation. The approach of Privacy by Design (PbD), which is also included in the GDPR, offers organizations a way to operationalize these legal requirements. Therefore, we conduct the first rigorous and systematic literature review of PbD. Specifically, we focus on works that seek the implementation of PbD in organizations located in ecosystems. The results show a surprising dearth of research in this field, although the GDPR explicitly emphasizes this critical issue.


... For example, in 2019, Teixeira, Silva and Pereira [41] carried out a study to identify the critical success factors for implementing the GDPR. In 2018, Kutz, Semmann and Böhmann [20] reviewed Privacy by Design (PbD), focusing on studies that seek to implement PbD in organizations located in ecosystems. ...
... The study contributes to identifying affected areas and solutions that organizations could apply to achieve GDPR compliance. In 2018, Kutz, Semmann and Böhmann [20] conducted an RSL on Privacy by Design (PbD), focusing on publications that sought the implementation of PbD in Organizations located in ecosystems. The results showed a surprising lack of research in this field, even with the law's emphasis on this critical issue. ...
... Write clear consensus communications [1], [10], [13], [14], [20] 5 D4 ...
... Privacy by design is an approach that states that privacy must be incorporated into networked data systems and technologies, by default [21,45,60]. It approaches privacy from the design-thinking perspective, stating that the data controller of a system must implement technical measures for data regulation by default, within the applicable context. ...
... Other principles focus on visibility and transparency, privacy as the default setting, proactive instead of reactive measures, avoiding unnecessary privacy-related trade-offs, and end-to-end security through the lifecycle of the data. Privacy by design is a key principle of the General Data Protection Regulation (GDPR) of the European Union [45]. ...
... The query filters observations on the defined stream data window :win of a certain sensor ?sensor with a value for the observed property ?prop_o that is higher than a certain threshold ?threshold (WHERE clause in lines 52-58). For every match of this pattern, output triples are constructed that represent an ongoing activity of type ?activityType in the routine of a patient ?patient, predicted by the activity recognition model ?model (CONSTRUCT clause in lines 44-49). These six variables are exactly the six input variables as defined in lines 30-32: their values will be instantiated during the query derivation. ...
Article
Integrating Internet of Things (IoT) sensor data from heterogeneous sources with domain knowledge and context information in real-time is a challenging task in IoT healthcare data management applications that can be solved with semantics. Existing IoT platforms often have issues with preserving the privacy of patient data. Moreover, configuring and managing context-aware stream processing queries in semantic IoT platforms requires much manual, labor-intensive effort. Generic queries can deal with context changes but often lead to performance issues caused by the need for expressive real-time semantic reasoning. In addition, query window parameters are part of the manual configuration and cannot be made context-dependent. To tackle these problems, this paper presents DIVIDE, a component for a semantic IoT platform that adaptively derives and manages the queries of the platform’s stream processing components in a context-aware and scalable manner, and that enables privacy by design. By performing semantic reasoning to derive the queries when context changes are observed, their real-time evaluation does not require any reasoning. The results of an evaluation on a homecare monitoring use case demonstrate how activity detection queries derived with DIVIDE can be evaluated in on average less than 3.7 seconds and can therefore successfully run on low-end IoT devices.
... Lifecycle protection means that intense action is taken throughout the entire e-services process cycle to protect privacy. Essentially, it is the process of ensuring the destruction of personal information after use [41]. Privacy must be protected from start to finish in the e-services lifecycle and ensure that all data has been destroyed adequately upon finishing the process [42]. ...
... Destroy the requested information at the end of the integration. [41,42] ...
... Govern policies and rules to protect privacy. [37,41] ...
Article
Trust is one of the most critical factors that determine willingness to use e-government services. Despite its significance, most previous studies investigated the factors that lead to trusting such services in theoretical aspects without examining the technical solutions. Therefore, more effort is needed to preserve privacy in the current debate on trust within integrated e-government services. Specifically, this study aims to develop a model that examines instruments extracted from privacy by design principles that could protect personal information from misuse by the e-government employee, influencing the trust to use e-government services. This study was conducted with 420 respondents from Oman who were familiar with using e-government services. The results show different factors influencing service trust, including the need for privacy lifecycle protection, privacy controls, impact assessments, and personal information monitors. The findings reveal that the impeding factors of trust are organizational barriers and lack of support. Finally, this study assists e-government initiatives and decision-makers to increase the use of services by facilitating privacy preservation instruments in the design of e-government services.
... The need for methodologies tailored to the design of privacy-aware high-tech systems has been increasingly recognized as a main concern by both academia and industry and several research efforts have been devoted to their definition over the last years. The resulting literature is summarized in a number of literature reviews [7,18,28,32,38], which we briefly discuss here. Table 1 provides a comparative analysis of our work with those studies. ...
... For instance, an analysis of how privacy principles have been used to guide the development of privacy-aware systems is only provided in [18]. 1 Other studies are limited to the analysis of PbD principles. Morales et al. [32] perform a systematic mapping study to investigate how Privacy-by-Design has been accounted for in software engineering, whereas Kurtz et al. [28] limit their analysis to only one PdD principle, namely, visibility and transparency. Moreover, existing surveys do not cover the entire spectrum of system design concerns, focusing either on the design phase and the architectural layer like [7] or on the requirement engineering phase like [18,38]. ...
... For instance, no study investigates the suitability of methodologies for continuous assessment, which is necessary to integrate risk-based approaches into the system development process in order to identify and tackle possible privacy threats and, thus, to support Data Protection Impact Assessment (DPIA). Moreover, only a few studies [7,28] consider domain specificity of methodologies by identifying the application domains in which such methodologies have been applied and whether a validation was performed. In contrast, our literature review provides a more comprehensive overview of existing research efforts on methodologies tailored to the design of privacy-aware high-tech systems. ...
Conference Paper
The processing of personal data is becoming a key business factor, especially for high-tech system industries such as automotive and healthcare service providers. To protect such data, the European Union (EU) has introduced the General Data Protection Regulation (GDPR), with the aim to standardize and strengthen data protection policies across EU countries. The GDPR defines stringent requirements on the collection and processing of personal data and imposes severe fines and penalties on data controllers and processors for non-compliance. Although the GDPR has been in force since 2018, many public and private organizations are still struggling to fully comply with the regulation. A main reason for this is the lack of usable methodologies that can support developers in designing GDPR-compliant high-tech systems. This paper examines the growing literature on methodologies for the design of privacy-aware systems, and identifies the main challenges to be addressed in order to facilitate developers in the design of such systems. In particular, we investigate to what extent existing methodologies (i) cover GDPR and privacy-by-design principles, (ii) address different levels of system design concerns, and (iii) have demonstrated their suitability for the purpose. Our literature study shows that the domain landscape appears to be heterogeneous and disconnected, as existing methodologies often focus only on subsets of the GDPR principles and/or on specific angles of system design. Based on our findings, we provide recommendations on the definition of comprehensive methodologies tailored to designing GDPR-compliant high-tech systems.
CCS Concepts: Software and its engineering → Software design engineering; Security and privacy → Software security engineering; Privacy protections.
... The new regulation aims to protect data in order to protect privacy. Since organizations exchange data with each other via several interfaces and services, an increased need for data protection is necessary (Kurtz et al. 2018). For these reasons, a new GDPR (European Parliament 2018) was established at European level. ...
... It became effective on 25th May 2018 (Labadie and Legner 2019). The EU-GDPR aims to improve data protection (protection against data misuse) by forcing new regulations such as privacy by default and privacy by design to proactively design data protection-friendly IT systems (Kurtz et al. 2018). However, it is often misunderstood as the protection of data in general and in some cases considered as an obstacle to technological advancement. ...
... Fox et al. concentrate on the principle of transparency by proposing guidelines for compliant privacy notices (Fox et al. 2018). Only Huth and Kurtz consider all GDPRs (Huth 2018; Kurtz et al. 2018), whereby Kurtz summarizes practical solutions in the context of privacy by design. ...
Conference Paper
The exchange of sensitive information has become an important part of our daily lives. This affects business and personal data. Data exchange is subject to legal regulations. Since May 2018, the European Data Protection Regulation (EU-GDPR) has specifically regulated the protection of personal data. The regulations and possible penalties for non-compliance still lead to uncertainty in many companies. This article exposes techniques in which day-to-day work can be designed in conformity with EU-GDPR. Therefore, we define privacy control patterns that transfer existing GDPR requirements into technical solution templates for compliant services. These patterns contain generally applicable guidelines in the sense of data protection and privacy. The catalogue of patterns serves as a book of reference for providers and users of ICT services to reduce and overcome uncertainties associated with GDPR implementation and compliance. To demonstrate the implementation of our patterns, we introduce the application system EDV.
... 1. Overall regulation (19 studies; for details, see Table 1): These studies analyze the regulation as a whole. Most popular contributions relate to the EU-GDPR's impact and mapping of the regulation to existing domain-specific frameworks. ...
Table 1 excerpt (continued), rows interleaved with the snippet above:
Paul et al. (2020) | E | Impact | Impact of EU-GDPR on user privacy perceptions for wearable IoT devices
Scope: accountability requirements
Karyda and Mitrou (2016) | C | Practices | Information security/incident management
Petkov and Helfert (2017) | E | Practices | Applying data breach notification to past infringements
Kurtz et al. (2018) | E | Practices | Review of third-party data processors
Vemou and Karyda (2018) | C | Practices | Evaluation of privacy impact assessment methods
Kurtz et al. (2019) | E | Practices | Analysis of third-party data processing in service ecosystems
... We have identified two software solutions that assist organizations in maintaining an inventory of all the vendors they use. In research, two studies have been published on the matter and focus on the issues of third-party data processing (Kurtz et al., 2018), as well as an investigation of third-party data dissemination in digital service ecosystems (Kurtz et al., 2019). The latter illustrates the challenges from both legal and technical perspectives in the seemingly straightforward use case of a weather app on a smartphone, which transmits data to the operating system provider, the app developer, and an underlying API provider. ...
Article
The European Union’s General Data Protection Regulation (EU-GDPR) has initiated a paradigm shift in data protection toward greater choice and sovereignty for individuals and more accountability for organizations. Its strict rules have inspired data protection regulations in other parts of the world. However, many organizations are facing difficulty complying with the EU-GDPR: these new types of data protection regulations cannot be addressed by an adaptation of contractual frameworks, but require a fundamental reconceptualization of how companies store and process personal data on an enterprise-wide level. In this paper, we introduce the resource-based view as a theoretical lens to explain the lengthy trajectories towards compliance and argue that these regulations require companies to build dedicated, enterprise-wide data management capabilities. Following a design science research approach, we propose a theoretically and empirically grounded capability model for the EU-GDPR that integrates the interpretation of legal texts, findings from EU-GDPR-related publications, and practical insights from focus groups with experts from 22 companies and four EU-GDPR projects. Our study advances interdisciplinary research at the intersection between IS and law: First, the proposed capability model adds to the regulatory compliance management literature by connecting abstract compliance requirements to three groups of capabilities and the resources required for their implementation, and second, it provides an enterprise-wide perspective that integrates and extends the fragmented body of research on EU-GDPR. Practitioners may use the capability model to assess their current status and set up systematic approaches toward compliance with an increasing number of data protection regulations.
... Data should be protected by design and by default (Ar. 25, GDPR), in the sense that privacy should be proactively adopted, be embedded into the design phase of new systems and services and also be enforced as a default setting (Cavoukian, 2011;Kurtz and Semmann, 2018;Bednar et al., 2019). While a number of methodologies for PbD have been proposed during the past decade [e.g. ...
... While a number of methodologies for PbD have been proposed during the past decade [e.g. (Kalloniatis et al., 2011;Deng et al., 2011;Faßbender et al., 2014;Notario et al., 2015), recent surveys (Danezis et al., 2015;Kurtz and Semmann, 2018)] exhibit a lack of technologies and/or tools to implement the PbD principle in a holistic way. Indeed, except for a small number of paradigms, where the articles of the GDPR are integrated early in the development steps (Vanezi et al., 2019), PbD principles have not yet gained adoption in the engineering practice, mainly because of a mismatch between the legal and technological mindsets (Martin and Kung, 2018;Horák et al., 2019) with the result being that engineers mostly rely on privacy policies for compliance. ...
Article
Purpose: General data protection regulation (GDPR) entered into force in May 2018 for enhancing personal data protection. Even though GDPR leads toward many advantages for the data subjects, it turned out to be a significant challenge. Organizations need to implement long and complex changes to become GDPR compliant. Data subjects are empowered with new rights, which, however, they need to become aware of. GDPR compliance is a challenging matter for the relevant stakeholders and calls for a software platform that can support their needs. The aim of the data governance for supporting GDPR (DEFeND) EU project is to deliver such a platform. The purpose of this paper is to describe the process, within the DEFeND EU project, for eliciting and analyzing requirements for such a complex platform.
Design/methodology/approach: The platform needs to satisfy legal and privacy requirements and provide functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, for assuring that its users will embrace and use the platform. In this paper, the authors describe the methodology for eliciting and analyzing requirements for such a complex platform, by analyzing data attained by stakeholders from different sectors.
Findings: The findings provide the process for the DEFeND platform requirements’ elicitation and an indicative sample of those. The authors also describe the implementation of a secondary process for consolidating the elicited requirements into a consistent set of platform requirements.
Practical implications: The proposed software engineering methodology and data collection tools (i.e. questionnaires) are expected to have a significant impact for software engineers in academia and industry.
Social implications: It is reported repeatedly that data controllers face difficulties in complying with the GDPR. The study aims to offer mechanisms and tools that can assist organizations to comply with the GDPR, thus offering a significant boost toward the European personal data protection objectives.
Originality/value: This is the first paper, according to the best of the authors’ knowledge, to provide software requirements for a GDPR compliance platform, including multiple perspectives.
... From Table 1, we see that existing EU-GDPR studies fall in the domains of information privacy practices (5 studies) and information privacy technologies and tools (2 studies), in [4]'s taxonomy of topic areas. However, with the exception of [8], all studies exclusively focus on one of EU-GDPR's requirements. There are two shortcomings in this approach: First, none of them is aimed at analyzing the entire regulation and its implication from an enterprise-wide perspective. ...
... Hence, we are still lacking a broader understanding of the challenges faced by companies in implementing EU-GDPR. [8] addresses this topic by proposing a Digital-Privacy Transformation "Gap-Map" that measures the organization's propensity for change. However, it exclusively takes a change management perspective, without investigating the compliance requirements and their implications on enterprise-wide data management practices. ...
Conference Paper
The European General Data Protection Regulation (EU-GDPR) entered into force in May 2018. Its emphasis on individual control and organizational accountability constitutes a new paradigm that requires changes in the way organizations manage personal data. However, organizations face difficulties when implementing EU-GDPR due to a lack of common ground between legal and data management domains. Anchored in the resource-based view theory (RBV), this paper argues that the regulation requires companies to build a dedicated data management capability. It presents a capability model that was developed in an iterative design science process, integrating both interpretation of legal texts and practical insights from focus groups with more than 30 experts and from 3 EU-GDPR projects. The paper advances the regulatory compliance management literature by translating legal data protection concepts for the IS community. It also contributes to practice by enabling organizations to set up systematic approaches towards EU-GDPR compliance.
... Ann Cavoukian proposed the 7 Foundational Principles of PbD [11] which are listed in Table 3. The GDPR integrates the concept "Data protection by design and by default" [22]. The LGPD has not expressly adopted PbD principles, but it brings some similar concepts when describing measures that organizations should take to protect data, establishing the need to document the way in which personal data is handled and the protective measures used. ...
... Platform providers represent intermediary groups in the structural arrangement of multi-group data processing (Kurtz, Vogel and Semmann, 2022). Typically, a platform ecosystem also includes third parties embedded by service providers, which have been addressed to a lesser extent in previous studies on platform ecosystems but are often involved in digital interactions (Kurtz, Semmann and Böhmann, 2018). ...
Article
Billions of people interact within platform-based ecosystems containing the personal data of their daily lives, which have become rigorously creatable, processable, and shareable. Platform providers facilitate interactions between users, service providers, and third parties in these socio-technical ecosystems. Platform providers influence their platform ecosystems to promote the contributions of the service providers and exercise control by utilizing boundary resources investigated in the information systems field. In a socio-techno-legal analysis of two high-profile cases and consideration of the General Data Protection Regulation (GDPR), we show that the boundary resource design, arrangement, and interplay can influence whether and to what extent platform providers are accountable for platform providers' unlawful personal data processing in platform ecosystems. The findings can have a huge impact to account actors for personal data misusage in platform ecosystems and, thus, the protection of personal liberty and rights in such socio-technical systems.
... Privacy by Design (PbD). PbD is an important principle of GDPR (referred to as Data Protection by Design and by Default), but it is widely accepted that only few efforts exist to support practical implementation of PbD [6,15,17,33]. The Data Scope Management service facilitates the structured implementation of PbD principles using methods and techniques from privacy requirements engineering, and privacy design. ...
Article
In order to empower user data protection and user rights, the European General Data Protection Regulation (GDPR) has been enforced. On the positive side, the user is obtaining advantages from GDPR. However, organisations are facing many difficulties in interpreting GDPR and in properly applying it, and, in the meanwhile, due to their lack of compliance, many organisations are receiving huge fines from authorities. An important challenge is compliance with the Privacy by Design and by default (PbD) principles, which require that data protection is integrated into processing activities and business practices from the design stage. Recently, the European Data Protection Board (EDPB) released an official document with PbD guidelines, and there are various efforts to provide approaches to support these. However, organizations are still facing difficulties in identifying a flow for executing, in a coherent, linear and effective way, these activities, and a complete toolkit for supporting this. In this paper, we propose the design of such a flow, and our comprehensive supporting toolkit, as part of the DEFeND EU Project platform. Within DEFeND, we identified candidate tools, fulfilling specific GDPR aspects, and integrated them in a comprehensive toolkit: the DEFeND Data Scope Management service (DSM). The aim of DSM is to support organizations for continuous GDPR compliance through model-based Privacy by Design analysis. Here, we present DSM, its design, flow, and a preliminary case study and evaluation performed with pilots from the healthcare, banking, public administration and energy sectors.
... Table: papers by type (as extracted from the citing paper)
Papers: [38], [39], [40], [41], [42], [43], [44], [45], [46], [47], [48], [49], [50] | Type: Evaluation | Count: 14
Papers: [51], [52], [27], [53], [54], [55], [56], [57], [58], [59], [60], [61], [62], [63], [3], [64], [65], [66], [67], [68], [69], [70] | Type: Solution Proposal | Count: 21
Papers: [71], [72], [73], [74], [75], [76], [77] | Type: Validation | Count: 7
Papers: [78], [13], [79], [80], [81], [82], [83], [84], [85], [86], [87], [2], [4], [12] | Type: Philosophical | Count: 14
Fig. 2. Privacy Engineering Methodologies taxonomy
... methodologies, with SQUARE as a prime example. The motivation behind this separation between the two categories stems from the perceived overlap between security, data protection, and privacy among researchers. ...
... The GDPR poses the question for businesses on how to ensure their activities are based on foreign data processors their compliance with regulations (Kurtz et al., 2018). Patterns in third party numbers and types are specific for the groups of websites and countries. Analyzing the number of third parties over time, although we see a reduction in the number of third-party sites in some categories, we are wary of believing that GDPR will result in fewer external activities (Sørensen et al., 2019). ...
Research Proposal
There is a huge growth of start-ups in India, and they have tried to diversify themselves in different businesses. Because of its flat structure, it is difficult for them to enforce the GDPR, and the data processed by it is not covered as mandated by the regulation either due to the high cost of compliance or due to changes in the governance of the company. This research focuses on the various challenges Indian IT start-ups face when implementing GDPR in their governance, the reasons Indian start-ups are investing in compliance for these data regulations, the information security standards which act as a backbone for the implementation of GDPR, and the various aspects of governance in which the IT start-up needs to reform itself. The data gathered for the research was through interviews, surveys, and companies' reports. The main findings of the research have shown that employee awareness training is the most critical obstacle for the start-up and have identified certain information security standards that allow the organization to comply with GDPR.
... It does not recommend privacy-preserving methods or other technical frameworks for implementing its requirements (Politou et al. 2018). The question of GDPR compliance in general has begun to receive considerable attention by now (Basin et al. 2018; Freitas and Mira da Silva 2018; Duncan 2018; Garber 2018; Ferrara and Spoto 2018; Beckett 2017; Drake 2017; Hellwig et al. 2018; Palmirani et al. 2018; Kurtz et al. 2018; Wirth and Kolain 2018). So has the principle of notice and choice (Sloan and Warner 2014; Reidenberg et al. 2015; Cranor 2012; McDonald and Cranor 2008), which forms the basis of informed consent, since long. ...
Article
The EU General Data Protection Regulation (GDPR) recognizes the data subject’s consent as one of the legal grounds for data processing. Targeted advertising, based on personal data processing, is a central source of revenue for data controllers such as Google and Facebook. At present, the implementation of consent mechanisms for such advertisements is often not well developed in practice and their compliance with the GDPR requirements can be questioned. The absence of consent may mean an unlawful data processing and a lack of control of the user (data subject) over his personal data. However, consent mechanisms that do not fully satisfy GDPR requirements can give users a false sense of control, encouraging them to allow the processing of more personal data than they would have otherwise. In this paper, we identify the features, originating from GDPR requirements, of consent mechanisms. For example, the GDPR specifies that a consent must be informed and freely given, among other requirements. We then examine the Ad Consent Mechanism of Facebook that is based on processing of user activity data off Facebook Company Products provided by third parties with respect to these features. We discuss to what extent this consent mechanism respects these features. To the best of our knowledge, our evaluation of Facebook’s Ad Consent Mechanism is the first of its kind.
... They presented examples of how the data protection principles can be concretely implemented, thus explicitly tackling privacy by design in systems development. Driven by the introduction of the GDPR, Kurtz et al. [4] conducted a systematic literature review of the Privacy by Design approach. The results have shown a surprising lack of research in this field, although the GDPR explicitly emphasizes this approach. ...
... The announcement of the General Data Protection Regulation has led to another wave of interest in and publications on the topic in domains such as law [18,19,20] and management [3,21,22]. Particularly for the information systems domain, aspects of Privacy-by-Design [23], the communication of compliance [24], and the management of data privacy breaches [25] have been subjects of interest. With the purpose to identify literature which guides organizations in the implementation of the General Data Protection Regulation, a review according to established guidelines [26,27,28] was performed. ...
Conference Paper
This research study sets out to explore the General Data Protection Regulation in financial services industries grounded on the pivotal question: "How do companies approach to General Data Protection Regulation and what can we learn from their approaches?". Regarding the former, a three-stage iterative and risk-based implementation approach was unveiled, regarding the latter, good practices for implementation at a strategy-, organization-, management-, process-, and technology-related level were identified. Notwithstanding the inherent limitations by the applied case study research at leading companies in finance and insurance business, it can be concluded that companies strive with the utmost effort to ensure compliance with the General Data Protection Regulation, yet there exists a gap between strategy and implementation.
... Aspects of the technical implementation of Privacy by Design are well researched, while other steps of the Design Science Research Methodology Process Model, such as Design and Development or Demonstration, have hardly been covered in recent literature [16]. ...
Chapter
To increase user engagement is an important goal and major business model for many web applications and online publishers. An established tool for this purpose is online polling, where user opinions, preferences, attitudes and possibly personal information are collected to help publishers to a better understanding of their target audiences. These polls are often provided as supplements to online newspaper articles, the topics of which are typically also reflected in the content of the polls. We analyzed and categorized this content, and related it with the user engagement rate given as the proportion of people who voluntarily disclose personal information. Recently, public privacy awareness has increased, especially since the introduction of the European Union’s General Data Protection Regulation (GDPR). Extensive media coverage has led to public discussions about data protection and privacy. This study additionally investigated the effect of increased public privacy awareness on individual privacy awareness and subsequently user engagement. The results are based on live data of more than 60,000 polls and more than 22 million user votes, mainly collected in German-speaking countries, and give insights into user behavior when confronted with requests for personal information in various settings and over time.
... According to the GDPR, the frontend service provider may in the future be held responsible for the backend services it implements. As digital services comprise modules of different backend services, issues regarding users' privacy as well as the frontend service provider's responsibility arise (Kurtz et al. 2018). We have developed a framework to specify the problems of multi-actor information processing that are related to service ecosystems. ...
Conference Paper
Full-text available
Information privacy has gained visibility and rising awareness in society, as well as media coverage, due to the case of Cambridge Analytica and Facebook. This case demonstrates the extent of complex service ecosystems with a multitude of actors involved in actions that impact information privacy. As such ecosystems are nowadays ubiquitous, the implementation of the General Data Protection Regulation (GDPR) seeks to establish responsibility regarding actions taken by data processors. With this paper, we propose an analytical framework that builds on an analysis of privacy-invasive critical cases in complex service ecosystems. We applied a cross-impact matrix to systematically identify critical issues. Additionally, by visualizing data flows between actors, privacy-critical issues in service ecosystems become apparent. Building on these insights, privacy-related problem propositions are derived that lead to future design-oriented research directions. Thus, we propose a framework that helps scholars and practitioners identify blind spots and privacy-critical issues in service ecosystems.
Chapter
This chapter examines the implications of blockchain technology on the processing of personal data and its compliance with the general data protection regulation (GDPR) within the European Union. While the internet has revolutionized communication and database systems, it has also posed challenges to legally process personal data. However, the introduction of blockchain technology, with its cryptographic features and decentralized peer-to-peer ledger system, raises questions about the applicability of the GDPR. This chapter analyzes personal data processed in public blockchains, including the right to erasure. Additionally, the chapter explores the complexities of establishing accountability within distributed ledger technology, considering the innovative nature of blockchain and the traditional database framework upon which the GDPR was constructed. By examining the relationship between blockchain participants and fundamental data protection rights, this research aims to shed light on the intersection of blockchain technology and personal data protection.
Chapter
The introduction of the European General Data Protection Regulation (GDPR) has brought significant benefits to citizens, but it has also created challenges for organisations, which are facing difficulties interpreting it and applying it properly. An important challenge is compliance with the Privacy by Design and by Default (PbD) principles, which require that data protection is integrated into processing activities and business practices from the design stage. Recently, the European Data Protection Board (EDPB) released an official document with PbD guidelines, and there are various efforts to provide approaches to support these. However, organizations are still facing difficulties in identifying a flow for executing these activities in a coherent, linear and effective way, and a complete toolkit for supporting this. In this paper, we: (i) identify the most important PbD activities and strategies, (ii) design a coherent, linear and effective flow for them, and (iii) describe our comprehensive supporting toolkit, as part of the DEFeND EU Project platform. Specifically, within DEFeND, we identified candidate tools fulfilling specific GDPR aspects and integrated them in a comprehensive toolkit: the DEFeND Data Scope Management service (DSM). The aim of DSM is to support organizations in continuous GDPR compliance through Model-Based Privacy by Design analysis. Here, we present the important PbD activities and strategies identified, then describe DSM, its design and flow, and a preliminary case study and evaluation performed with pilots from the healthcare, banking, public administration and energy sectors.
Article
Full-text available
Check: I accept the terms and conditions and privacy policy statements associated with this technological artefact! The informed consent process is becoming more of a challenge with the emergence of Internet of Things (IoT) as data may be collected without the digital health citizen being aware. It is argued in this paper that the first phase for universal usability of IoT within the smart health domain is to ensure that digital health citizens (i.e. user of technology) are fully aware of what they are consenting to when they register an account with such technological artefacts. This point is further reinforced by the proposed ‘Privacy by Design’ requirements associated with the forthcoming General Data Protection Regulation (GDPR). This paper proposes some practical approaches which should be considered when designing and developing IoT for data collection and data sharing within the health domain.
Article
Full-text available
Nowadays, problems of congestion in urban areas due to the massive usage of cars, last-minute travel needs and progress in information and communication technologies have fostered the rise of new transportation modes such as ridesharing. In a ridesharing service, a car owner shares the empty seats of their car with other travelers. Recent ridesharing approaches help to identify interesting meeting points to improve the efficiency of the ridesharing service (i.e., the best pick-up and drop-off points so that the travel cost is competitive for both driver and rider). In particular, ridesharing services such as Blablacar or Carma have become a good mobility alternative for users in their daily life. However, this success has come at the cost of user privacy. Indeed, in current ridesharing services, users are not in control of their own data and have to trust the ridesharing operators with the management of their data.
Article
Full-text available
Science is a cumulative endeavour as new knowledge is often created in the process of interpreting and combining existing knowledge. This is why literature reviews have long played a decisive role in scholarship. The quality of literature reviews is particularly determined by the literature search process. As Sir Isaac Newton eminently put it: “If I can see further, it is because I am standing on the shoulders of giants.” Drawing on this metaphor, the goal of writing a literature review is to reconstruct the giant of accumulated knowledge in a specific domain. And in doing so, a literature search represents the fundamental first step that makes up the giant’s skeleton and largely determines its reconstruction in the subsequent literature analysis. In this paper, we argue that the process of searching the literature must be comprehensibly described. Only then can readers assess the exhaustiveness of the review and other scholars in the field can more confidently (re)use the results in their own research. We set out to explore the methodological rigour of literature review articles published in ten major information systems (IS) journals and show that many of these reviews do not thoroughly document the process of literature search. The results drawn from our analysis lead us to call for more rigour in documenting the literature search process and to present guidelines for crafting a literature review and search in the IS domain.
Conference Paper
Full-text available
Internet of Things (IoT) systems are designed and developed either as standalone applications from the ground up or with the help of IoT middleware platforms. They are designed to support different kinds of scenarios, such as smart homes and smart cities. Thus far, privacy concerns have not been explicitly considered by IoT applications and middleware platforms. This is partly due to the lack of systematic methods for designing privacy that can guide the software development process in IoT. In this paper, we propose a set of guidelines, a privacy-by-design framework, that can be used to assess the privacy capabilities and gaps of existing IoT applications as well as middleware platforms. We have evaluated two open source IoT middleware platforms, namely OpenIoT and Eclipse SmartHome, to demonstrate how our framework can be used in this way.
Article
Full-text available
The ever more pervasive 'informationalization' of crisis management and response brings both unprecedented opportunities and challenges. Recent years have seen the emergence of attention to ethical, legal and social issues (ELSI) in the field of Information and Communication Technology. However, disclosing (and addressing) ELSI issues in design is still a challenge because they are inherently relational, arising from interactions between people, the material and design of the artifact, and the context. In this article, we discuss approaches for addressing such 'deeper' and 'wider' political implications, values and ethical, legal and social implications that arise between practices, people and technology. Based on a case study from the BRIDGE project, which has provided the opportunity for deep engagement with these issues through the concrete exploration of and experimentation with technologically augmented practices of emergency response, we present insights from our interdisciplinary work aiming to make design and innovation projects ELSI-aware. Crucially, we have seen in our study a need for a shift from privacy by design towards designing for privacy, collaboration, trust, accessibility, ownership, transparency etc., acknowledging that these are emergent practices that we cannot control by design, but rather that we can help to design for. This calls for approaches that allow ELSI issues to be made explicit and addressable at design time.
Book
Full-text available
In 2004, Robert F. Lusch and Stephen L. Vargo published their groundbreaking article on the evolution of marketing theory and practice toward "service-dominant (S-D) logic", describing the shift from a product-centred view of markets to a service-led model. Now, in this keenly anticipated book, the authors present a thorough primer on the principles and applications of S-D logic. They describe a clear alternative to the dominant worldview of the heavily planned, production-oriented, profit-maximizing firm, presenting a coherent, organizing framework based on ten foundational premises. The foundational premises of S-D logic have much wider implications beyond marketing for the future of the firm, transcending different industries and contexts, and will provide readers with a deeper sense of why the exchange of service is the fundamental basis of all social and economic exchange. This accessible book will appeal to students, as well as to researchers and practitioners.
Article
Full-text available
The paper motivates, presents, demonstrates in use, and evaluates a methodology for conducting design science (DS) research in information systems (IS). DS is of importance in a discipline oriented to the creation of successful artifacts. Several researchers have pioneered DS research in IS, yet over the past 15 years, little DS research has been done within the discipline. The lack of a methodology to serve as a commonly accepted framework for DS research and of a template for its presentation may have contributed to its slow adoption. The design science research methodology (DSRM) presented here incorporates principles, practices, and procedures required to carry out such research and meets three objectives: it is consistent with prior literature, it provides a nominal process model for doing DS research, and it provides a mental model for presenting and evaluating DS research in IS. The DS process includes six steps: problem identification and motivation, definition of the objectives for a solution, design and development, demonstration, evaluation, and communication. We demonstrate and evaluate the methodology by presenting four case studies in terms of the DSRM, including cases that present the design of a database to support health assessment methods, a software reuse measure, an Internet video telephony application, and an IS planning method. The designed methodology effectively satisfies the three objectives and has the potential to help aid the acceptance of DS research in the IS discipline.
Article
Full-text available
Service systems engineering (SSE) focuses on the systematic design and development of service systems. Guided by a value proposition, service systems enable value co-creation through a configuration of actors and resources (often including a service architecture, technology, information, and physical artifacts), therefore constituting complex socio-technical systems. IS research can play a leading role in understanding and developing service systems. SSE calls for research leading to actionable design theories, methods and approaches for systematically designing, developing and piloting service systems, based upon understanding the underlying principles of service systems. Three major challenges have been identified: engineering service architectures, engineering service systems interactions, and engineering resource mobilization, i.e. extending the access to and use of resources by means of IT. Researching SSE is challenging. Assessing the models, methods, or artifacts of SSE often requires embedded research within existing or even novel service systems. Consequently, approaches such as piloting IT-based innovations, design research or action research are the most promising for SSE research. As an integrative discipline, IS is in a unique position to spearhead the efforts in advancing the architecture, interaction, and resource base of service systems with evidence-based design.
Book
Full-text available
Privacy and data protection constitute core values of individuals and of democratic societies. There have been decades of debate on how those values, and legal obligations, can be embedded into systems, preferably from the very beginning of the design process. Important elements in this endeavour are technical mechanisms known as privacy-enhancing technologies (PETs). Their effectiveness has been demonstrated by researchers and in pilot implementations. However, apart from a few exceptions (e.g., encryption, which became widely used), PETs have not become a standard and widely used component in system design. Furthermore, to unfold their full benefit for privacy and data protection, PETs need to be rooted in a data governance strategy to be applied in practice. This report contributes to bridging the gap between the legal framework and the available technological implementation measures by providing an inventory of existing approaches, privacy design strategies, and technical building blocks of various degrees of maturity from research and development. Starting from the privacy principles of the legislation, important elements are presented as a first step towards a design process for privacy-friendly systems and services. The report sketches a method to map legal obligations to design strategies, which allows the system designer to select appropriate techniques for implementing the identified privacy requirements. Furthermore, the report reflects on limitations of the approach. It concludes with recommendations on how to overcome and mitigate these limits.
Article
Full-text available
The proposed framework sheds light on the fundamental role that value propositions play in service systems. Building on service-dominant logic from marketing and structuration theory from sociology, the authors theoretically link three service constructs: value propositions as invitations from actors to one another to engage in service, engagement as alignment of connections and dispositions, and service experience as many-to-many engagement. The proposed framework generates future research directions and theory development regarding the crucial role of value propositions in service systems; ultimately, it contributes to a deeper understanding of markets that is different than that which is guided by the standard neoclassical economics view of markets.
Conference Paper
Full-text available
Wearable devices such as Google Glass are receiving increasing attention and look set to become part of our technical landscape over the next few years. At the same time, lifelogging is a topic that is growing in popularity with a host of new devices on the market that visually capture life experience in an automated manner. In this paper, we describe a visual lifelogging solution for Google Glass that is designed to capture life experience in rich visual detail, yet maintain the privacy of unknown bystanders. We present the approach called negative face blurring and evaluate it on a collection of lifelogging data of around nine thousand pictures from Google Glass.
Conference Paper
Full-text available
Privacy research has not helped practitioners -- who struggle to reconcile users' demands for information privacy with information security, legislation, information management and use -- to improve privacy practice. Beginning with the principle that information security is necessary but not sufficient for privacy, we present an innovative layered framework - the Privacy Security Trust (PST) Framework - which integrates, in one model, the different activities practitioners must undertake for effective privacy practice. The PST Framework considers information security, information management and data protection legislation as privacy hygiene factors, representing the minimum processes for effective privacy practice. The framework also includes privacy influencers - developed from previous research in information security culture, information ethics and information culture - and privacy by design principles. The framework helps to deliver good privacy practice by providing: 1) a clear hierarchy of the activities needed for effective privacy practice; 2) delineation of information security and privacy; and 3) justification for placing data protection at the heart of those activities involved in maintaining information privacy. We present a proof-of-concept application of the PST Framework to an example technology -- electricity smart meters.
Article
Full-text available
‘Privacy by design’ is an increasingly popular paradigm. It is the principle or concept that privacy should be promoted as a default setting of every new ICT system and should be built into systems from the design stage. The draft General Data Protection Regulation embraces ‘privacy by design’ without detailing how it can or should be applied. This paper discusses what the proposed legal obligation for ‘privacy by design’ implies in practice for online businesses. In particular, does it entail hard-coding privacy requirements in system design? First, the ‘privacy by design’ provision in the proposed Regulation is analysed and interpreted. Next, we discuss an extreme interpretation – embedding data protection requirements in system software – and identify five complicating issues. On the basis of these complications, we conclude that ‘privacy by design’ should not be interpreted as trying to achieve rule compliance by techno-regulation. Instead, fostering the right mindset of those responsible for developing and running data processing systems may prove to be more productive. Therefore, in terms of the regulatory tool-box, privacy by design should be approached less from a ‘code’ perspective, but rather from the perspective of ‘communication’ strategies.
Article
Full-text available
We use the legal framework of captive audience to examine the Federal Trade Commission’s 2012 privacy guidelines as applied to mobile marketing. We define captive audiences as audiences without functional opt-out mechanisms to avoid situations of coercive communication. By analyzing the current mobile marketing ecosystem, we show that the Federal Trade Commission’s privacy guidelines inspired by the Canadian “privacy by design” paradigm fall short of protecting consumers against invasive mobile marketing in at least three respects: (a) the guidelines overlook how, in the context of data monopolies, the combination of location and personal history data threatens autonomy of choice; (b) the guidelines focus exclusively on user control over data sharing, while ignoring control over communicative interaction; (c) the reliance on market mechanisms to produce improved privacy policies may actually increase opt-out costs for consumers. We conclude by discussing two concrete proposals for improvement: a “home mode” for mobile privacy and target-specific privacy contract negotiation.
Conference Paper
Full-text available
With the increasing spread of accurate and robust video surveillance, applications such as crowd monitoring, people counting and abnormal behavior recognition become ubiquitous. This leads to a need for interactive systems that take into account a high degree of interoperability as well as privacy protection concerns. In this paper we propose a framework based on the ONVIF specification to support the work of video operators while implementing a privacy-by-design concept. We use an OpenGL-based 3D model of the CCTV site in which we display the results of the video analytics in an avatar-based manner, and give an example application on mugging detection. To place the automatically detected scene information, such as people detections and events, an automatic camera calibration is used, which effectively reduces the deployment effort.
Conference Paper
There has recently been an upsurge of legislative, technical and organizational frameworks in the field of privacy which recommend, and even mandate, the need to consider privacy issues in the design of information systems. Privacy design patterns have been acknowledged as a useful tool to support engineers in this complex task, as they leverage best practices which are already available in the engineering community. There are currently different privacy pattern catalogs coexisting; however, an ongoing effort is being made to unify these scattered contributions into one comprehensive system of patterns. To this end, the relationships between the privacy patterns must be expressed consistently. However, the available catalogs describe pattern relationships at different, incompatible levels of detail, or do not describe them at all. To solve this problem, this paper presents a taxonomy of types of relationships that can be used to describe the relationships between privacy patterns. This taxonomy has been validated against each individual catalog to ensure its applicability in the unified privacy pattern system.
Article
HydroMorph is an interactive display based on shapes formed by a stream of water. Inspired by the membrane formed when a water stream hits a smooth surface (e.g. a spoon), we developed a system that dynamically controls the shape of a water membrane. This paper describes the design and implementation of our system, explores a design space of interactions around water shapes, and proposes a set of user scenarios in applications across scales, from the faucet to the fountain. Through this work, we look to enrich our interaction with water, an everyday material, with the added dimension of transformation.
Article
This article examines the extent to which Privacy by Design can safeguard privacy and personal data within a rapidly evolving society. This paper will first briefly explain the theoretical concept and the general principles of Privacy by Design, as laid down in the General Data Protection Regulation. Then, by indicating specific examples of the implementation of the Privacy by Design approach, it will be demonstrated why the implementation of Privacy by Design is a necessity in a number of sectors where specific data protection concerns arise (biometrics, e-health and video-surveillance) and how it can be implemented.
Article
Building on the growing literature in algorithmic accountability, this paper investigates the use of a process visualisation technique known as the Petri net to achieve the aims of Privacy by Design. The strength of the approach is that it can help to bridge the knowledge gap that often exists between those in the legal and technical domains. Intuitive visual representations of the status of a system and the flow of information within and between legal and system models mean developers can embody the aims of the legislation from the very beginning of the software design process, while lawyers can gain an understanding of the inner workings of the software without needing to understand code. The approach can also facilitate automated formal verification of the models’ interactions, paving the way for machine-assisted privacy by design and, potentially, more general ‘compliance by design’. Opening up the ‘black box’ in this way could be a step towards achieving better algorithmic accountability.
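The abstract above argues that a process model can be checked mechanically so that a legal requirement (here: a third-party processor must not keep holding personal data once the data subject's consent is gone) is verified rather than merely documented. The following is an added example, not code from the paper or its authors: a minimal 1-safe Petri net of a controller that shares data with a third-party processor, and a breadth-first reachability check that either returns a firing sequence leading to a violating marking or proves none exists. The place and transition names (`consent`, `at_controller`, `at_processor`, `processor_clean`, `withdraw_consent_cascade`, etc.) are assumptions chosen for the illustration, and the net is a toy, not the paper's model.

```python
from collections import deque
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# A marking of a 1-safe net is the set of places holding a token.
Marking = FrozenSet[str]
# A transition is (name, input places, output places).
Transition = Tuple[str, FrozenSet[str], FrozenSet[str]]
P = frozenset  # shorthand for a set of places


def fire(marking: Marking, pre: FrozenSet[str], post: FrozenSet[str]) -> Optional[Marking]:
    """Fire a transition in a 1-safe net; return None if it is not enabled.

    Enabled means every input place holds a token and no place that keeps its
    token would receive a second one (contact-freeness keeps the net 1-safe,
    so the state space stays finite and the search below terminates)."""
    if not pre <= marking:
        return None
    remaining = marking - pre
    if remaining & post:
        return None
    return remaining | post


def find_violation(initial: Marking, transitions: List[Transition],
                   bad: Callable[[Marking], bool]) -> Optional[List[str]]:
    """Breadth-first reachability: return the shortest firing sequence that
    reaches a marking satisfying `bad`, or None if no such marking exists."""
    parent: Dict[Marking, Optional[Tuple[Marking, str]]] = {initial: None}
    queue = deque([initial])
    while queue:
        m = queue.popleft()
        if bad(m):
            path = []
            while parent[m] is not None:
                m, via = parent[m]
                path.append(via)
            return path[::-1]
        for name, pre, post in transitions:
            nxt = fire(m, pre, post)
            if nxt is not None and nxt not in parent:
                parent[nxt] = (m, name)
                queue.append(nxt)
    return None


# Assumed toy model (names are illustrative, not from the paper).
# processor_clean is the complement of at_processor: exactly one of the two
# holds a token, which lets a transition test "the processor holds no copy".
COMMON: List[Transition] = [
    ("give_consent", P(), P({"consent"})),
    ("collect", P({"consent"}), P({"consent", "at_controller"})),
    ("share_with_processor", P({"consent", "at_controller", "processor_clean"}),
     P({"consent", "at_controller", "at_processor"})),
    ("processor_erases", P({"at_processor"}), P({"processor_clean"})),
    ("controller_erases", P({"at_controller"}), P()),
]

# Flawed model: withdrawing consent says nothing about copies already shared.
FLAWED: List[Transition] = COMMON + [("withdraw_consent", P({"consent"}), P())]

# Corrected model: withdrawal is only modelled together with the erasure the
# controller must trigger at the processor (one variant per processor state).
CORRECTED: List[Transition] = COMMON + [
    ("withdraw_consent_no_copy", P({"consent", "processor_clean"}), P({"processor_clean"})),
    ("withdraw_consent_cascade", P({"consent", "at_processor"}), P({"processor_clean"})),
]

INITIAL: Marking = P({"processor_clean"})


def processor_holds_data_without_consent(m: Marking) -> bool:
    """The legal requirement, stated as a forbidden marking (a safety property)."""
    return "at_processor" in m and "consent" not in m


def check(model: List[Transition]) -> Optional[List[str]]:
    """Counterexample firing sequence for the model, or None if it is safe."""
    return find_violation(INITIAL, model, processor_holds_data_without_consent)


if __name__ == "__main__":
    print("flawed model:   ", check(FLAWED))
    print("corrected model:", check(CORRECTED))
```

The flawed model yields the four-step counterexample give consent, collect, share, withdraw; the corrected model returns None, meaning the forbidden marking is unreachable from the initial state. Note that this is a safety check only: it proves the processor never holds data without consent in the model, but says nothing about whether erasure eventually happens (a liveness property), and a real model would need the same complement-place treatment for the controller's copy as well.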
Conference Paper
This paper describes two privacy patterns for creating privacy transparency: the Personal Data Table pattern and the Privacy Policy Icons pattern, as well as a full overview of privacy transparency patterns. It is a first step in creating a full set of privacy design patterns, which will aid software developers with the realization of privacy by design. Privacy design patterns are design solutions to recurring privacy problems; as such they can facilitate the development of privacy-by-design solutions. Privacy design patterns as such exist, but a complete, uniform and readily applicable overview does not exist. This paper presents such an overview for privacy transparency patterns: they focus on solutions on how to create privacy transparency. Two privacy transparency patterns are fully described: the Personal Data Table pattern and the Privacy Policy Icons pattern.
Conference Paper
Lately, the European data protection directive has increased the attention paid to privacy by design (PbD). The idea behind this system and software design approach is not to consider privacy as an add-on or legal requirement, but to foster the development of privacy-friendly technology right from the beginning. Current PbD approaches, however, mainly focus on technological aspects of privacy. They rarely consider the context in which software systems are built and used. The context, however, plays a vital role, especially with respect to the future usage of a system in an organizational environment. We propose to use established socio-technical design approaches, in which multiple stakeholders collaborate on process models, as a basis for privacy by design. We adapt them to incorporate aspects relevant to privacy-aware design and introduce a tool that can support question-based evaluation and collaborative work on processes that make use of personally identifiable information.
Conference Paper
Online participation has increased in recent years and various tools have emerged to support participatory processes. However, they often support only one level of participation, such as information, consultation or co-operation, and security and privacy considerations do not seem to be a priority. What is missing so far is a secure and flexible tool that can be used for multiple purposes and integrates security and privacy considerations from the beginning. In this paper, we propose a tool for online participation that supports multiple levels of participation, provides authentication with different electronic identities (eIDs), incorporates security and privacy by design and ensures interoperability with existing identity solutions. For example, with the use of different eIDs (if adequate to the level of participation), we expect to enable a low threshold for participation. Based on the aforementioned requirements, we expect to increase the trust between operators and participants in online participation in the long run.
Article
This paper examines emerging digital frontiers for service innovation that a panel discussed at a workshop on this topic held at the 48th Annual Hawaii International Conference on System Sciences (HICSS). The speakers and participants agreed that service systems are fundamental for service innovation and value creation. In this context, service systems are related to cognitive systems, smart service systems, and cyber-physical systems and depend on the interconnectedness among system components. The speakers and participants regarded humans as the central entity in all service systems. In addition, they saw data, and personal data in particular, as key to service systems. They also identified several challenges in the areas of cognitive systems, smart service systems, cyber-physical systems, and human-centered service systems. We hope this workshop report helps in some small way to cultivate the emerging service science discipline and to nurture fruitful discussions on service innovation.
Article
Autonomous vehicles are on the cusp of disrupting the entire transportation industry, and current privacy legislation is not yet equipped to deal with the changes being spurred by this innovation. This paper enumerates and elucidates the various privacy concerns that are specific to autonomous vehicles. It also proposes that the principles of “Privacy-by-Design”, an industry trend pertaining to other arenas of privacy, be adapted and used for regulating privacy around autonomous vehicles. It calls for the NHTSA (National Highway Transportation Safety Administration), with guidance from the FCC and the FTC, to use their expertise in creating administrative rules that will protect the privacy of the public. Having learned valuable lessons from recent privacy concerns in the mobile device industry, the Privacy-by-Design approach would help ease the transition into this useful, but potentially intrusive, technology. Currently, privacy is receiving significant attention in publications, but with autonomous vehicles being a nascent industry, there is very little being said about the privacy concerns specifically pertaining to these vehicles. Recent strides in the technology and the legislative acceptance of these vehicles have made them a widely discussed topic, and thus make a thorough discussion of privacy related specifically to this technology both timely and relevant. This paper provides an early assessment of an area of concern that is growing as rapidly as autonomous vehicles themselves. The technology is being proven effective and safe, so the real focus will shift to use concerns, like privacy. The autonomous vehicle industry is still early in its development, and there is an imminent opportunity to anchor privacy into the fundamentals of autonomous vehicles, preempting numerous potential infringements.
Purpose – Medical advances and historical fluctuations in demographics are contributing to the rise of the average age. These changes are increasing the pressure to organize adequate care for a growing number of individuals. As a way to provide efficient and cost-effective care, eHealth systems are gaining importance. However, this trend is creating new ethical concerns. Major issues are privacy and patients’ control over their data. To deploy these systems on a large scale, they need to offer strict privacy protection. Even though many research proposals focus on eHealth systems and related ethical requirements, there is an evident lack of practical solutions for protecting users’ personal information. The purpose of this study is to explore the ethical considerations related to these systems and extract the privacy requirements. This paper also aims to put forth a system design which ensures appropriate privacy protection. Design/methodology/approach – This paper investigates the existing work in the area of eHealth systems and the related ethical considerations, which establish privacy as one of the main requirements. It lists the ethical requirements and data protection standards that a system needs to fulfil and uses them as a guideline for creating the proposed design. Findings – Even though privacy is considered to be a paramount aspect of eHealth systems, the existing proposals do not tackle this issue from the outset of the design. Consequently, introducing privacy at the final stages of system deployment imposes significant limitations, and the provided data protection is not always up to the standards expected by the users. Originality/value – This paper motivates the need for addressing ethical concerns in the eHealth domain with a special focus on establishing strict privacy protection. It lists the privacy requirements and offers practical solutions for developing a privacy-friendly system, taking the approach of privacy by design. Additionally, the proposed design is evaluated against ethical principles as proposed in the existing literature. The aim is to show that technological advances can be used to improve the quality and efficiency of care, while the usually raised concerns can be avoided.
Conference Paper
There are a number of designs for an online advertising system that allow for behavioral targeting without revealing user online behavior or user interest profiles to the ad network. However, none of the proposed designs have been deployed in real-life settings. We present an effort to fill this gap by building and evaluating a fully functional prototype of a practical privacy-preserving ad system at a reasonably large scale. With more than 13K opted-in users, our system was in operation for over two months serving an average of 4800 active users daily. During the last month alone, we registered 790K ad views, 417 clicks, and even a small number of product purchases. In addition, our prototype is equipped with a differentially private data collection mechanism, which we used as the primary means for gathering experimental data. The data we collected show, for example, that our system obtained click-through rates comparable with those for Google display ads. In this paper, we describe our first-hand experience and lessons learned in running the first fully operational “private-by-design” behavioral advertising and analytics system.
Article
Design-based solutions to confront technological privacy threats are becoming popular with regulators. However, these promising solutions have left the full potential of design untapped. With respect to online communication technologies, design-based solutions for privacy remain incomplete because they have yet to successfully address the trickiest aspect of the Internet: social interaction. This Article posits that privacy-protection strategies such as "Privacy by Design" face unique challenges with regard to social software and social technology due to their interactional nature. This Article proposes that design-based solutions for social technologies benefit from increased attention to user interaction, with a focus on the principles of "obscurity" rather than the expansive and vague concept of "privacy." The main thesis of this Article is that obscurity is the optimal protection for most online social interactions and, as such, is a natural locus for design-based privacy solutions for social technologies. To that end, this Article develops a model of "obscurity by design" as a means to address the privacy problems inherent in social technologies and the Internet.
Article
This paper elaborates on the need to take into account the different views of the stakeholders involved in the development of surveillance systems and civil society, during the design process. It first provides an overview on privacy-by-design approaches. It then identifies three principles essential to integrate privacy concerns into the design of surveillance systems. It consequently proposes a design process based on social-contextual, ethical, legal and technical frameworks (SALT) and the challenges for its creation and use. It finally provides a specification of a resulting SALT framework management tool based on modelling techniques.
Article
This paper presents a sample surveillance use-case based on a video archive search scenario. Privacy and accountability concerns related to video surveillance systems are identified and described here, thus assessing the impact on privacy of this type of system. Then, after a description of the scenario, we produce the design for this particular context using the SALT methodology developed by the Paris project. This methodology follows the privacy-by-design approach and ensures that privacy and accountability concerns are properly taken into account for the system under development. This kind of development entails a series of advantages, not only from the point of view of the subject under surveillance, but also for the other system stakeholders.
Article
The context in which service is delivered and experienced has, in many respects, fundamentally changed. For instance, advances in technology, especially information technology, are leading to a proliferation of revolutionary services and changing how customers serve themselves before, during, and after purchase. To understand this changing landscape, the authors engaged in an international and interdisciplinary research effort to identify research priorities that have the potential to advance the service field and benefit customers, organizations, and society. The priority-setting process was informed by roundtable discussions with researchers affiliated with service research centers and networks located around the world and resulted in the following 12 service research priorities:
Article
Recent controversies surrounding privacy have sparked a move by regulators toward the idea of privacy by design (PbD), a concept pioneered by Ontario Information and Privacy Commissioner Ann Cavoukian. Industry has also started to recognize the importance of taking privacy seriously, with various PbD corporate initiatives currently underway. However, some commentators have criticized PbD for being too vague. Using three case studies and a range of best practice examples of PbD, privacy impact assessments (PIAs), and privacy-enhancing technologies (PETs), this article addresses the gap between the abstract principles of PbD and their operationalization into more concrete implementation guidelines for software engineers.
Conference Paper
The Privacy by Design approach to systems engineering introduces privacy requirements in the early stages of development, instead of patching up a built system afterwards. However, 'vague', 'disconnected from technology', or 'aspirational' are some terms employed nowadays to refer to the privacy principles which must lead the development process. Although privacy has become a first-class citizen in the realm of non-functional requirements and some methodological frameworks help developers by providing design guidance, software engineers often miss a solid reference detailing which specific, technical requirements they must abide by, and a systematic methodology to follow. In this position paper, we look into a domain that has already successfully tackled these problems (web accessibility), and propose translating their findings into the realm of privacy requirements engineering, analyzing as well the gaps not yet covered by current privacy initiatives.
Article
This research presents a model of personal information privacy (PIP) that includes not only transactional data gathering, but also interorganisational data sharing. Emerging technologies are used as a lens through which the discussion of PIP management is extended. Research directions are developed for aspects of privacy, privacy‐preserving technologies, interorganisational data sharing and policy development.
Conference Paper
The privacy by design approach has already been applied in different areas. We believe that the next challenge in this area today is to go beyond individual cases and to provide methodologies to explore the design space in a systematic way. As a first step in this direction, we focus in this paper on the data minimization principle and consider different options using decentralized architectures in which actors do not necessarily trust each other. We propose a framework to express the parameters to be taken into account (the service to be performed, the actors involved, their respective requirements, etc.) and an inference system to derive properties such as the possibility for an actor to detect potential errors (or frauds) in the computation of a variable. This inference system can be used in the design phase to check if an architecture meets the requirements of the parties or to point out conflicting requirements.
Conference Paper
This paper describes proposed privacy extensions to UML to help software engineers to quickly visualize privacy requirements, and design privacy into big data applications. To adhere to legal requirements and/or best practices, big data applications will need to apply Privacy by Design principles and use privacy services, such as, and not limited to, anonymization, pseudonymization, security, notice on usage, and consent for usage. We extend UML with ribbon icons representing needed big data privacy services. We further illustrate how privacy services can be usefully embedded in use case diagrams using containers. These extensions to UML help software engineers to visually and quickly model privacy requirements in the analysis phase, which is the longest phase in any software development effort. As proof of concept, a prototype based on our privacy extensions to Microsoft Visio's UML is created and the utility of our UML privacy extensions to the Use Case Diagram artifact is illustrated employing an IBM Watson-like commercial use case on big data in a health sector application.
Conference Paper
The issue of incorporating privacy into complex information systems has grown substantially over the past few years. At the same time, the design of converging IT-systems still lacks a structural approach respecting privacy. Similar to software and security engineering, a useful toolkit for system developers would be a set of privacy design patterns. This work evaluates established privacy approaches in video surveillance and smart energy. Common patterns in these two real world scenarios are identified. Based on that, a general structure for a privacy pattern language is proposed.
Conference Paper
The principles of Privacy by Design are gaining increasing support by policymakers and regulators and have been put forth as guidelines for smart meter deployments both in Europe and North America. For concrete implementations, however, it can be daunting as to what an electricity network operator should do to design privacy principles into their system. In the following paper, we outline the case of smart meter implementations, and propose aggregation protocols and cryptographic technologies that can be used to concretely implement Privacy by Design at the level of meter data, leading to not only privacy protection but at the same time, achieving a positive business impact.
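The abstract above says only that aggregation protocols and cryptographic techniques can implement Privacy by Design at the level of meter data. The following is an added illustration, written for this page and not taken from that paper, of one such technique: pairwise additive masking, where each meter adds random masks that cancel out across the whole population, so the operator recovers the exact total for billing or grid balancing but every individual report it receives is a uniformly random value. The pre-shared pairwise keys, the meter identifiers, the prime modulus and the sample readings are all assumptions made for the example. The example also shows the failure mode a practitioner must plan for: if one meter's report is missing from a round, the masks no longer cancel and the aggregate is garbage.

```python
import hashlib
import hmac
import secrets
from itertools import combinations

# Prime modulus for all mask arithmetic (assumption for this example). Any true
# total of readings must stay below P for the modular sum to equal the plain sum.
P = 2**61 - 1


def pairwise_keys(meter_ids):
    """Provision one shared symmetric key per pair of meters.

    Assumption: in a real deployment this key exchange happens at install time
    (or via a key-agreement protocol); here we simply generate random keys.
    """
    return {frozenset(pair): secrets.token_bytes(32) for pair in combinations(meter_ids, 2)}


def mask_for(meter, keys, meter_ids, round_id):
    """Derive this meter's mask for one reporting round.

    For each peer, a pseudorandom value r is derived from the pair's shared key
    and the round number (HMAC-SHA256 as the PRF). The lexicographically smaller
    meter of the pair adds r, the larger subtracts it, so summed over all
    meters the masks cancel to exactly 0 mod P.
    """
    total = 0
    for peer in meter_ids:
        if peer == meter:
            continue
        key = keys[frozenset((meter, peer))]
        digest = hmac.new(key, round_id.to_bytes(8, "big"), hashlib.sha256).digest()
        r = int.from_bytes(digest, "big") % P
        total = (total + (r if meter < peer else -r)) % P
    return total


def meter_report(meter, reading, keys, meter_ids, round_id):
    """What a meter sends to the operator: reading plus its mask, mod P.

    Because the mask is uniform in [0, P), the report alone reveals nothing
    about the reading; the operator learns only the sum over a full round.
    """
    return (reading + mask_for(meter, keys, meter_ids, round_id)) % P


def aggregate(reports):
    """Operator side: the sum of masked reports equals the sum of readings."""
    return sum(reports) % P


def run_round(readings, keys, round_id):
    """Collect every meter's masked report and the operator's aggregate."""
    meter_ids = sorted(readings)
    reports = {m: meter_report(m, readings[m], keys, meter_ids, round_id) for m in meter_ids}
    return reports, aggregate(reports.values())


def demo():
    # Constructed sample readings in watt-hours for a 15-minute interval.
    readings = {"meter-A": 1200, "meter-B": 340, "meter-C": 2875, "meter-D": 0}
    keys = pairwise_keys(sorted(readings))
    reports, total = run_round(readings, keys, round_id=17)

    # The failure mode: drop one meter's report and the masks no longer cancel.
    partial_total = aggregate(v for m, v in reports.items() if m != "meter-D")
    return readings, reports, total, partial_total


if __name__ == "__main__":
    readings, reports, total, partial_total = demo()
    for m in sorted(readings):
        print(f"{m}: reading={readings[m]:>5}  operator sees={reports[m]}")
    print("aggregate over full round:", total, "(true sum", sum(readings.values()), ")")
    print("aggregate with one report missing:", partial_total)
```

Two design points follow from the code. First, the operator has no key material at all, so compromising the operator's database exposes only masked values and totals; the privacy of individual households rests on the meters' pairwise keys. Second, the scheme is brittle against dropouts: a missing or corrupted report spoils the whole round, which is why deployed protocols add either a trusted key dealer, per-round recovery of the missing mask, or threshold secret sharing on top of this basic idea.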
Conference Paper
As new information and communications systems are being equipped with more aggressive capabilities to enable smart surveillance, individuals' private and ethical data is more exposed to potential threats. Consequently, the attention of researchers and policy makers has become increasingly focused on controlling the emerging threats to privacy. In order to ensure that a surveillance system framework complies with the legal, ethical and privacy requirements of the law, in this paper we present a Surveillance Ontology extending the SKOS foundational ontology. The fundamental principles of privacy-by-design (PbD) demand that the surveillance framework consider data minimization, user control, accountability and data separation. Hence, the objective of this ontology is to translate the high-level linguistic rules into the information that can be processed and used to assess the compliance of the video analysis module with the rules defined.
Conference Paper
This paper introduces a new information technology: ma3tch (autonomous anonymous analysis). Ma3tch enables virtual information integration to build a 'dynamic networked collective intelligence' without infringing upon security, confidentiality, privacy and/or data protection regulations. It provides organizations with information and knowledge advantages. The ma3tch technology is empowered by a decentralized information oriented architecture: a 'privacy by design' framework that uses distributed agents to facilitate decentralized but integrated information access, processing and analysis. It shapes a 'virtual information cloud' between autonomous organizations that enables secure, integral and intelligent real time information analysis. Relevant information and knowledge distributed between autonomous organizations is automatically detected and applied throughout the network as soon as it emerges. The dynamic design principles allow practically any type of (cross domain) information to be virtually integrated: government, commercial, intelligence, law enforcement, financial, telecom, biomedical, compliance, etc., without infringing privacy, confidentiality, security or data protection rules and regulations. It advances both privacy AND knowledge beyond conventional limitations.
Article
As demonstrated by other papers on this issue, open-source intelligence (OSINT) by state authorities poses challenges for privacy protection and intellectual-property enforcement. A possible strategy to address these challenges is to adapt the design of OSINT tools to embed normative requirements, in particular legal requirements. The experience of the VIRTUOSO platform will be used to illustrate this strategy. Ideally, the technical development process of OSINT tools is combined with legal and ethical safeguards in such a way that the resulting products have a legally compliant design, are acceptable within society (social embedding), and at the same time meet in a sufficiently flexible way the varying requirements of different end-user groups. This paper uses the analytic framework of privacy design strategies (minimise, separate, aggregate, hide, inform, control, enforce, and demonstrate), arguing that two approaches for embedding legal compliance seem promising to explore in particular. One approach is the concept of revocable privacy with spread responsibility. The other approach uses a policy mark-up language to define Enterprise Privacy Policies, which determine appropriate data handling.
Article
With the ubiquitous nature of mobile sensing technologies, privacy issues are becoming increasingly important, and need to be carefully addressed. Data needs for transportation modeling and privacy protection should be deliberately balanced for different applications. This paper focuses on developing privacy mechanisms that would simultaneously satisfy privacy protection and data needs for fine-grained urban traffic modeling applications using mobile sensors. To accomplish this, a virtual trip lines (VTLs) zone-based system and related filtering approaches are developed. Traffic-knowledge-based adversary models are proposed and tested to evaluate the effectiveness of such a privacy protection system by making privacy attacks. The results show that in addition to ensuring an acceptable level of privacy, the released datasets from the privacy-enhancing system can also be applied to urban traffic modeling with satisfactory results. Albeit application-specific, such a “Privacy-by-Design” approach would hopefully shed some light on other transportation applications using mobile sensors.
Article
The concept of privacy by design is becoming increasingly popular among regulators of information and communications technologies. This paper aims at analysing and discussing the ethical implications of this concept for personal health monitoring. I assume a privacy theory of restricted access and limited control. On the basis of this theory, I suggest a version of the concept of privacy by design that constitutes a middle road between what I call broad privacy by design and narrow privacy by design. The key feature of this approach is that it attempts to balance automated privacy protection and autonomously chosen privacy protection in a way that is context-sensitive. In personal health monitoring, this approach implies that in some contexts like medication assistance and monitoring of specific health parameters one single automatic option is legitimate, while in some other contexts, for example monitoring in which relatives are receivers of health-relevant information rather than health care professionals, a multi-choice approach stressing autonomy is warranted.