Search results
1 – 10 of 123
Langdon Holmes, Scott Crossley, Harshvardhan Sikka and Wesley Morris
Abstract
Purpose
This study aims to report on an automatic deidentification system for labeling and obfuscating personally identifiable information (PII) in student-generated text.
Design/methodology/approach
The authors evaluate the performance of their deidentification system on two data sets of student-generated text. Each data set was human-annotated for PII. The authors evaluate using two approaches: per-token PII classification accuracy and a simulated reidentification attack design. In the reidentification attack, two reviewers attempted to recover student identities from the data after PII was obfuscated by the authors’ system. In both cases, results are reported in terms of recall and precision.
Findings
The authors’ deidentification system recalled 84% of student name tokens in their first data set (96% of full names). On the second data set, it achieved a recall of 74% for student name tokens (91% of full names) and 75% for all direct identifiers. After the second data set was obfuscated by the authors’ system, two reviewers attempted to recover the identities of students from the obfuscated data. They performed below chance, indicating that the obfuscated data presents a low identity disclosure risk.
Research limitations/implications
The two data sets used in this study are not representative of all forms of student-generated text, so further work is needed to evaluate performance on more data.
Practical implications
This paper presents an open-source and automatic deidentification system appropriate for student-generated text with technical explanations and evaluations of performance.
Originality/value
Previous study on text deidentification has shown success in the medical domain. This paper develops on these approaches and applies them to text in the educational domain.
Supreet Kaur and Satinder Kumar
Abstract
Purpose
The present study investigates the antecedents of sharenting, underlying strategies to mitigate the privacy risks of sharing children's personally identifiable information (PII) and majorly explores the relationship between sharenting activities of the parents and their buying behaviour. The study corroborates the previous studies in an advanced manner and adds a new construct “sherub marketing” as an effective marketing tool to impact the buying decisions of the parents.
Design/methodology/approach
Following interpretative phenomenological analysis, semi-structured personal interviews were conducted with parents actively engaged on social media. For inferential analysis, responses of 23 parents were analysed with the help of theoretical thematic analysis.
Findings
The findings uncover the multifaceted reasons persisting behind sharenting activities of the parents and observe a strong relationship between sharenting and buying behaviour of parents. The study results in the exploration of sherub marketing as an effective marketing tool to influence the actions of the sharenters.
Practical implications
The study will be of use to both the practitioners and the society as a whole as it indicates the ramification of parental sharing and the role of marketers in influencing the purchasing decisions of the sharenters.
Originality/value
The present study is a novice and untapped area in the literature of interactive marketing and sheds light on sherub marketing as an effective marketing strategy.
Jan-Willem Bullee, Lorena Montoya, Marianne Junger and Pieter Hartel
Abstract
Purpose
The purpose of this study is to explore how the opening phrase of a phishing email influences the action taken by the recipient.
Design/methodology/approach
Two types of phishing emails were sent to 593 employees, who were asked to provide personally identifiable information (PII). A personalised spear phishing email opening was randomly used in half of the emails.
Findings
Nineteen per cent of the employees provided their PII in a general phishing email, compared to 29 per cent in the spear phishing condition. Employees having a high power distance cultural background were more likely to provide their PII, compared to those with a low one. There was no effect of age on providing the PII requested when the recipient’s years of service within the organisation is taken into account.
Practical implications
This research shows that success is higher when the opening sentence of a phishing email is personalised. The resulting model explains victimisation by phishing emails well, and it would allow practitioners to focus awareness campaigns to maximise their effect.
Originality/value
The innovative aspect relates to explaining spear phishing using four socio-demographic variables.
Alexander M. Soley, Joshua E. Siegel, Dajiang Suo and Sanjay E. Sarma
Abstract
Purpose
The purpose of this paper is to develop a model to estimate the value of information generated by and stored within vehicles to help people, businesses and researchers.
Design/methodology/approach
The authors provide a taxonomy for data within connected vehicles, as well as for actors that value such data. The authors create a monetary value model for different data generation scenarios from the perspective of multiple actors.
Findings
Actors value data differently depending on whether the information is kept within the vehicle or on peripheral devices. The model shows the US connected vehicle data market is worth between US$11.6bn and US$92.6bn.
Research limitations/implications
This model estimates the value of vehicle data, but a lack of academic references for individual inputs makes finding reliable inputs difficult. The model performance is limited by the accuracy of the authors’ assumptions.
Practical implications
The proposed model demonstrates that connected vehicle data has higher value than people and companies are aware of, and therefore we must secure these data and establish comprehensive rules pertaining to data ownership and stewardship.
Social implications
Estimating the value of vehicle data will help companies understand the importance of responsible data stewardship, as well as drive individuals to become more responsible digital citizens.
Originality/value
This is the first paper to propose a model for computing the monetary value of connected vehicle data, as well as the first paper to provide an estimate of this value.
Chitra Sharma and Anjali Kaushik
Abstract
Purpose
Offshoring is a common practice to operationalize global business strategies. Data protection and privacy assurance are major concerns in such international arrangements. This paper aims to examine the strategy adopted to ensure privacy assurance in offshoring arrangements.
Design/methodology/approach
This is a literature review to understand privacy assurance strategies adopted in offshoring arrangements and an exploratory case study of a captive offshoring arrangement with an onshore location in Canada and offshoring locations in India and the Philippines. A comparative analysis of the privacy laws and privacy principles of Canada, the Philippines and India has been done.
Findings
It was found that at the time of migration of process or work to the offshore location, organizations follow a conformist privacy strategy; however, once in business-as-usual mode, they follow an entrepreneur privacy strategy. Privacy impact assessment (PIA) was found to be an important element in resolving the “administrative problem” of an offshoring organization’s privacy assurance strategy.
Research limitations/implications
The core privacy principles are outlined in the PIA templates; however, the current templates are designed to meet the conformist strategy and may need to be revised to include the cultural aspects, training, audit and information security requirements to plan and deliver on the entrepreneur strategy.
Practical implications
Offshoring organizations can benefit by planning for entrepreneur privacy assurance strategy at the inception stage. Enhancements to PIA templates to facilitate the same have been suggested.
Originality/value
Privacy assurance strategy followed by organizations while offshoring has been examined. This paper suggests extending the PIA process so that it covers privacy assurance requirements in offshoring arrangements. The learnings can be used in managing privacy assurance requirements in similar multi-country offshore arrangements.
Darra Hofman, Victoria Louise Lemieux, Alysha Joo and Danielle Alves Batista
Abstract
Purpose
This paper aims to explore a paradoxical situation, asking whether it is possible to reconcile the immutable ledger known as blockchain with the requirements of the General Data Protection Regulations (GDPR), and more broadly privacy and data protection.
Design/methodology/approach
This paper combines doctrinal legal research examining the GDPR’s application and scope with case studies examining blockchain solutions from an archival theoretic perspective to answer several questions, including: What risks are blockchain solutions said to impose (or mitigate) for organizations dealing with data that is subject to the GDPR? What are the relationships between the GDPR principles and the principles of archival theory? How can these two sets of principles be aligned within a particular blockchain solution? How can archival principles be applied to blockchain solutions so that they support GDPR compliance?
Findings
This work will offer an initial exploration of the strengths and weaknesses of blockchain solutions for GDPR compliant information governance. It will present the disjunctures between GDPR requirements and some current blockchain solution designs and implementations, as well as discussing how solutions may be designed and implemented to support compliance. Immutability of information recorded on a blockchain is a differentiating positive feature of blockchain technology from the perspective of trusted exchanges of value (e.g. cryptocurrencies) but potentially places organizations at risk of non-compliance with GDPR if personally identifiable information cannot be removed. This work will aid understanding of how blockchain solutions should be designed to ensure compliance with GDPR, which could have significant practical implications for organizations looking to leverage the strengths of blockchain technology to meet their needs and strategic goals.
Research limitations/implications
Some aspects of the social layer of blockchain solutions, such as law and business procedures, are also well understood. Much less well understood is the data layer, and how it serves as an interface between the social and the technical in a sociotechnical system like blockchain. In addition to a need for more research about the data/records layer of blockchains and compliance, there is a need for more information governance professionals who can provide input on this layer, both to their organizations and other stakeholders.
Practical implications
Managing personal data will continue to be one of the most challenging, fraught issues for information governance moving forward; given the fairly broad scope of the GDPR, many organizations, including those outside of the EU, will have to manage personal data in compliance with the GDPR. Blockchain technology could play an important role in ensuring organizations have easily auditable, tamper-resistant, tamper-evident records to meet broader organizational needs and to comply with the GDPR.
Social implications
Because the GDPR professes to be technology-neutral, understanding its application to novel technologies such as blockchain provides an important window into the broader context of compliance in evolving information governance spaces.
Originality/value
The specific question of how GDPR will apply to blockchain information governance solutions is almost entirely novel. It has significance to the design and implementation of blockchain solutions for recordkeeping. It also provides insight into how well “technology-neutral” laws and regulations actually work when confronted with novel technologies and applications. This research will build upon significant bodies of work in both law and archival science to further understand information governance and compliance as we are shifting into the new GDPR world.
Emily Zoe Mann, Stephanie A. Jacobs, Kirsten M. Kinsley and Laura I. Spears
Abstract
Purpose
Building on past studies of library privacy policies, this review looks at how privacy information is shared at universities and colleges in the state of Florida. Beyond the question of whether a library-specific privacy policy exists, this review evaluates what is covered in the policies – whether topics such as how student data is stored, retained, de-identified and disposed of are broached in the statements, and whether specific data sets covering instruction, reference and surveillance are mentioned. The purpose of this study is to open the door to directed exploration into student awareness of privacy policies and spark conversation about positionality of libraries regarding privacy.
Design/methodology/approach
This review was done using a cross-sectional study design through observation of public-facing library privacy policies of higher education institutions in Florida.
Findings
Findings include that the majority of Florida academic libraries do not have a public-facing privacy policy. Only 15 out of the 70 schools reviewed had one. A large portion of those came from doctoral universities with associate’s colleges having none, and baccalaureate/associate’s colleges having only two. The policies that were in place tended to be institution-centered rather than patron-centered. Most categories of listed data collected were in the area of collections, website or computer usage.
Originality/value
The value of this review is that it adds to the literature studying privacy policies in academic libraries. Going forward, this research could address statewide practice in privacy policies as well as helping to lay pathways for working with students and other library patrons to gauge their interests and concerns about privacy.
Aroon P. Manoharan and Tony Carrizales
Abstract
With the increasing use of the Internet and social media, governments worldwide are adopting digital technologies and innovative strategies to communicate and engage with their citizens. Public sector agencies, especially at the local level, have been adopting emerging technologies such as the Internet of Things, artificial intelligence and blockchain, and they are increasingly leveraging big data analytics to improve their decision-making and organizational performance. These rapid innovations pose important questions about, and concerns for, the privacy and security of the citizens accessing government information and services online. This chapter explores these issues, discusses the role of privacy policies in addressing such concerns, and highlights the need for ethical privacy policies to restore the trust and confidence of citizen users of government websites.
Victoria L. Lemieux, Chris Rowell, Marc-David L. Seidel and Carson C. Woo
Abstract
Purpose
Distributed trust technologies, such as blockchain, propose to permit peer-to-peer transactions without trusted third parties. Yet not all implementations of such technologies fully decentralize. Information professionals make strategic choices about the level of decentralization when implementing such solutions, and many organizations are taking a hybrid (i.e. partially decentralized) approach to the implementation of distributed trust technologies. This paper conjectures that while hybrid approaches may resolve some challenges of decentralizing information governance, they also introduce others. To better understand these challenges, this paper aims first to elaborate a framework that conceptualizes a centralized–decentralized information governance continuum along three distinct dimensions: custody, ownership and right to access data. This paper then applies this framework to two illustrative blockchain case studies – a pilot Brazilian land transfer recording solution and a Canadian health data consent sharing project – to exemplify how the current transition state of blockchain pilots straddles both the old (centralized) and new (decentralized) worlds. Finally, this paper outlines the novel challenges that hybrid approaches introduce for information governance and what information professionals should do to navigate this thorny transition period. Counterintuitively, it may be much better for information professionals to embrace decentralization when implementing distributed trust technologies, as hybrid models could offer the worst of both the centralized and future decentralized worlds when consideration is given to the balance between information governance risks and new strategic business opportunities.
Design/methodology/approach
This paper illustrates how blockchain is transforming organizations and societies by highlighting new strategic information governance challenges using our original analytic framework in two detailed blockchain case studies – a pilot solution in Brazil to record land transfers (Flores et al., 2018) and another in Canada to handle health data sharing consent (Hofman et al., 2018). The two case studies represent research output of the first phase of an ongoing multidisciplinary research project focused on gaining an understanding of how blockchain technology generates organizational, societal and data transformations and challenges. The analytic framework was developed inductively from a thematic synthesis of the findings of the case studies conducted under the auspices of this research project. Each case discussed in detail in this paper was chosen from among the project's case studies, as it represents a desire to move away from the old centralized world of information governance to a new decentralized one. However, each case study also represents and embodies a transition state between the old and new worlds and highlights many of the associated strategic information governance challenges.
Findings
Decentralization continues to disrupt organizations and societies. New emerging distributed trust technologies such as blockchain break the old rules with respect to the trust and authority structures of organizations and how records and data are created, managed and used. While governments and businesses around the world clearly see value in this technology to drive business efficiency, open up new market opportunities and create new forms of value, these advantages will not come without challenges. For information executives then, the question is not if they will be disrupted, but how. Understanding the how, as will be discussed in this paper, provides the business know-how to leverage the incredible innovation and transformation that decentralized trust technology enables before being leapfrogged by another organization. It requires a change of mindset to consider an organization as one part of a broader ecosystem, and for those who successfully do so, this paper views this as a strategic opportunity for those responsible for strategic information governance to design the future instead of being disrupted by it.
Research limitations/implications
This paper presents a novel analytic framework for strategic information governance challenges as we transition from a traditional world of centralized records and information management to a new decentralized world. This paper analyzes these transitions and their implications for strategic information governance along three trajectories: custody, ownership and right to access records and data, illustrating with reference to our case studies.
Practical implications
This paper predicts a large number of organizations will miss the opportunities of the new decentralized trust world, resulting in a rather major churning of organizations, as those who successfully participate in building the new model will outcompete those stuck in the old world or the extremely problematic hybrid transition state. Counterintuitively, this paper argues that it may be much less complex for information executives to embrace decentralization as fast as they can, as in some ways the hybrid model seems to offer the worst of both the centralized and future decentralized worlds with respect to information governance risks.
Social implications
This paper anticipates broader societal consequences of the predicted organization churn, in particular with respect to uncertainty about the evidence that records provide for public accountability and contractual rights and entitlements.
Originality/value
Decentralized trust technologies, such as blockchain, permit peer-to-peer transactions without trusted third parties. Of course, such radical shifts do not happen overnight. The current transition state of blockchain pilots straddles both the old and new worlds. This paper presents a theoretical framework categorizing strategic information governance challenges on a spectrum of centralized to decentralized in three primary areas: custody, ownership and right to access records and data. To illustrate how decentralized trust is transforming organizations and societies, this paper presents these strategic information governance challenges in two blockchain case studies – a pilot Brazilian land transfer recording solution and a Canadian health data consent sharing project. Drawing on the theoretical framework and case studies, this paper outlines what information executives should do to navigate this thorny transition period.
María Belén Ortiz and Stanislav Karapetrovic
Abstract
Purpose
Augmentation of an ISO 10001 code system for healthcare worker (HW) satisfaction with ISO/IEC 27701 and ISO/IEC 29184 privacy-related subsystems is shown. Four specific codes regarding the privacy of HWs using electronic devices for hand hygiene (HH) monitoring and the related activities are presented.
Design/methodology/approach
HWs’ concerns involving automated hand hygiene monitoring technologies were identified through a literature review and classified. Privacy codes (PCs) that deal with such concerns were developed. ISO/IEC 27701 requirements for privacy information were mapped to the elements of these codes, labelled as “Healthcare Workers’ Hand Hygiene Privacy Codes (HW-HH-PCs)”. Both ISO/IEC 27701 and ISO/IEC 29184 guidelines for Privacy Notices and consent were linked with the activities for preparing the code resources.
Findings
Components of an ISO/IEC 27701 system, the guidance of ISO/IEC 29184 and the definitions provided in ISO/IEC 29100 can assist the preparation of HW-HH-PCs and the required resources. An ISO/IEC 29184 Privacy Notice can be used as input for developing an Informed Consent Form, which can be implemented to suit two of the four developed HW-HH-PCs.
Practical implications
HW-HH-PCs and the supporting resources, which healthcare organizations could implement to potentially increase quality assurance of an automated HH monitoring service, are illustrated.
Originality/value
Integrative augmentation of ISO 10001:2018, ISO/IEC 27701:2019 and ISO/IEC 29184:2020 within an underlying framework from ISO/IEC 20000-1:2018 for information technology service, together with the related examples of privacy-related customer satisfaction codes and the corresponding resources, is introduced.