Search results
1 – 10 of over 14000
Konstantina Vemou and Maria Karyda
Abstract
Purpose
This paper aims to practically guide privacy impact assessment (PIA) implementation by proposing a PIA process incorporating best practices from existing PIA guidelines and privacy research.
Design/methodology/approach
This paper critically reviews and assesses generic PIA methods proposed by related research, data protection authorities and standards organizations, to identify best practices and practically support PIA practitioners. To address identified gaps, best practices from privacy literature are proposed.
Findings
This paper proposes a PIA process based on best practices, as well as an evaluation framework for existing PIA guidelines, focusing on practical support to PIA practitioners.
Practical implications
The proposed PIA process facilitates PIA practitioners in organizing and implementing PIA projects. This paper also provides an evaluation framework, comprising a comprehensive set of 17 criteria, for PIA practitioners to assess whether PIA methods/guidelines can adequately support requirements of their PIA projects (e.g. special legal framework and needs for PIA project organization guidance).
Originality/value
This research extends PIA guidelines (e.g. ISO 29134) by providing comprehensive and practical guidance to PIA practitioners. The proposed PIA process is based on best practices identified from evaluation of nine commonly used PIA methods, enriched with guidelines from privacy literature, to accommodate gaps and support tasks that were found to be inadequately described or lacking practical guidance.
Eleni-Laskarina Makri, Zafeiroula Georgiopoulou and Costas Lambrinoudakis
Abstract
Purpose
This study aims to assist organizations to protect the privacy of their users and the security of the data that they store and process. Users may be the customers of the organization (people using the offered services) or the employees (users who operate the systems of the organization). To be more specific, this paper proposes a privacy impact assessment (PIA) method that explicitly takes into account the organizational characteristics and employs a list of well-defined metrics as input, demonstrating its applicability to two hospital information systems with different characteristics.
Design/methodology/approach
This paper presents a PIA method that employs metrics and takes into account the peculiarities and other characteristics of the organization. The applicability of the method has been demonstrated on two Hospital Information Systems with different characteristics. The aim is to assist the organizations to estimate the criticality of potential privacy breaches and, thus, to select the appropriate security measures for the protection of the data that they collect, process and store.
Findings
The results of the proposed PIA method highlight the criticality of each privacy principle for every data set maintained by the organization. The method employed for the calculation of the criticality level takes into account the consequences that the organization may experience in case of a security or privacy violation incident on a specific data set, the weighting of each privacy principle and the unique characteristics of each organization. So, the results of the proposed PIA method offer a strong indication of the security measures and privacy enforcement mechanisms that the organization should adopt to effectively protect its data.
Originality/value
The novelty of the method is that it handles security and privacy requirements simultaneously, as it uses the results of risk analysis together with those of a PIA. A further novelty of the method is that it introduces metrics for the quantification of the requirements and also that it takes into account the specific characteristics of the organization.
Chitra Sharma and Anjali Kaushik
Abstract
Purpose
Offshoring is a common practice to operationalize global business strategies. Data protection and privacy assurance are major concerns in such international arrangements. This paper aims to examine the strategy adopted to ensure privacy assurance in offshoring arrangements.
Design/methodology/approach
This is a literature review to understand privacy assurance strategies adopted in offshoring arrangements and an exploratory case study of a captive offshoring arrangement with an onshore location in Canada and offshoring locations in India and the Philippines. A comparative analysis of the privacy laws and privacy principles of Canada, the Philippines and India has been done.
Findings
It was found that at the time of migration of process or work to the offshore location, organizations follow a conformist privacy strategy; however, once in business as usual mode, they follow entrepreneur privacy strategy. Privacy impact assessment (PIA) was found to be an important element in resolving the “administrative problem” of an offshoring organization’s privacy assurance strategy.
Research limitations/implications
The core privacy principles are outlined in the PIA templates; however, the current templates are designed to meet the conformist strategy and may need to be revised to include the cultural aspects, training, audit and information security requirements to plan and deliver on the entrepreneur strategy.
Practical implications
Offshoring organizations can benefit by planning for entrepreneur privacy assurance strategy at the inception stage. Enhancements to PIA templates to facilitate the same have been suggested.
Originality/value
Privacy assurance strategy followed by organizations while offshoring has been examined. This paper suggests extending the PIA process so that it covers privacy assurance requirements in offshoring arrangements. The learnings can be used in managing privacy assurance requirements in similar multi-country offshore arrangements.
Abstract
Purpose
Privacy impact assessments (PIAs) are an important tool for managing risk in both public and private sector projects. The best evidence of how PIAs are being conducted is the PIA reports published at the conclusion of the process. This paper aims to consider PIA reports from five countries and assesses their strengths, weaknesses and impacts.
Design/methodology/approach
The paper also identifies key trends and makes recommendations for improving the PIA process and enabling access to lessons learned by PIA practitioners.
Findings
The paper calls for further study of PIA case studies to determine how closely practitioners and assessors follow the PIA methodologies promulgated in their countries, to seek good practice in the preparation of PIAs and for the creation of a central repository for PIAs.
Originality/value
The author believes this is the first such paper to review actual PIA reports.
Peter Bates and Brendan McLoughlin
Abstract
Purpose
In care homes concerns about abuse have established a culture where all information pertaining to a person must be shared, and little attention is paid to privacy in its broader sense. The purpose of this paper is to take a human rights perspective and consider how information governance may impact on the health, well-being and quality of life of residents. It proposes a proactive approach and presents a template for a privacy impact assessment which services could use to improve their approach to privacy, protecting the human rights of those in their care, contributing to their independence and improving outcomes.
Design/methodology/approach
A review of historical and current thinking about the value of privacy in human services and wider society leads to a series of challenges to the way in which privacy is upheld in residential care services.
Findings
Recent preoccupations with data privacy have led to a myopic neglect of broader considerations of privacy. Whilst it continues to be important to protect the confidentiality of personal data and to ensure that residents are protected from abuse, human services that provide 24 hour care in congregated settings must not neglect broader components of privacy.
Research limitations/implications
Privacy impact assessments have been widely used to check whether data privacy is being upheld. The broader concept that might be termed “Big Privacy” is introduced within which data privacy is but one section. It is suggested that big privacy is severely compromised in residential care settings, thus denying residents their human right to privacy. The extent of such violation of rights should be investigated.
Practical implications
Having set out the potential reach of the human right to privacy, important work needs to be done to find out how privacy might be upheld in the real world of congregate residential care. Some service providers may have solutions to the organisational challenges, have addressed staff training needs and revised risk assessment strategies so that privacy is upheld alongside other rights.
Social implications
Nearly half a million people live in congregate residential care settings in England, and deprivation of privacy is argued to be a significant deprivation of human rights. Occasional tragedies and scandals in congregate settings create pressure for increasing the level of surveillance, and the right to privacy is sacrificed. This paper offers a challenge to this process, arguing that competing rights need to be balanced and privacy is an essential component of a decent quality of life.
Originality/value
Personal growth and development depends to some extent on choice and control over access to privacy. Recent changes in the law regarding data protection have narrowed our thinking about privacy until it is a small concept, largely concerned with data handling. This paper invites consideration of big privacy, and invites congregate residential care settings to consider how a deep and broad definition of privacy could transform these services.
Alan Toy, David Lau, David Hay and Gehan Gunasekara
Abstract
Purpose
This paper aims to uncover the practices of different privacy auditors to reveal the extent of any similarities in such practices. The purpose is to investigate the drivers of practices used by privacy auditors and to identify potential for improvements in the practice of privacy auditing so that privacy audits may better serve stakeholders.
Design/methodology/approach
Six semi-structured interviews with seven privacy auditors and regulators and an analyst across Australia, Canada, New Zealand and the USA are used as the basis for our analysis.
Findings
The study shows that some privacy auditors view privacy as an organizational issue, which means that all staff within an organization should understand the privacy issues that are relevant to the organization and to its customers. Because this practice goes beyond a mere compliance approach to privacy auditing, it indicates that there is a way to avoid the approach of merely applying standards from national data privacy laws which is an approach that has been subject to criticism because it is not applicable to the current situation of global applications and cross-border data. The interview themes demonstrate that privacy audits face significant challenges, such as the lack of a privacy auditing profession and the difficulty of raising the awareness of organizations and individuals regarding information privacy rights and duties.
Originality/value
Privacy auditing is mostly unexplored by academic research and little is known about the drivers behind the practice of privacy auditing. This study is the first to document the views of privacy auditors regarding the practices that they use. It also presents novel results regarding the drivers of the practice of privacy auditing and the interests of the beneficiaries of privacy audits. It builds on research that argues for the existence of best practices for privacy (Toy, 2013; Toy and Hay, 2015) and it extends this argument by providing reasons why privacy auditors may benefit from the use of best practices for privacy.
Marc van Lieshout, Linda Kool, Bas van Schoonhoven and Marjan de Jonge
Abstract
Purpose
The purpose of this paper is to develop/elaborate the concept Privacy by Design (PbD) and to explore the validity of the PbD framework.
Design/methodology/approach
Attention to alternative concepts, such as PbD, which might offer surplus value in safeguarding privacy, is growing. Using PbD to design for privacy in ICT systems is still rather underexplored and requires substantial conceptual and empirical work to be done. The methodology includes conceptual analysis, empirical validation (focus groups and interviews) and technological testing (a technical demonstrator was built).
Findings
A holistic PbD approach can offer surplus value in better safeguarding of privacy without losing functional requirements. However, the implementation is not easily realised and is confronted with several difficulties, such as potential lack of economic incentives, legacy systems, lack of adoption of trust of end-users and consumers in PbD.
Originality/value
The article brings together/incorporates several contemporary insights on privacy protection and privacy by design and develops/presents a holistic Privacy by Design framework consisting of five building blocks.
Paulus Swartz, Adele Da Veiga and Nico Martins
Abstract
Purpose
This study aims to conduct a survey in a bank to measure the perception of employees towards the effective governance of information privacy and at the same time validating the information privacy governance questionnaire (IPGQ) used in this study.
Design/methodology/approach
A quantitative research approach was followed using an online survey questionnaire to collect data in a bank in South Africa.
Findings
The survey results showed that employees perceived the governance of privacy in the organisation in a positive way. Three significant differences were identified, namely, Generation-Y being significantly more positive than Generation-X regarding privacy control assessment. Also, that the contractor/vendor group was significantly more positive than permanent employees regarding organisational commitment and privacy control assessment. Exploratory factor analysis was used to validate the IPGQ and four factors were identified: privacy control assessment, personal information awareness assessment, privacy governance reporting and organisational commitment towards privacy. Cronbach’s alpha was used to establish the internal reliability of the factors and indicated good internal consistency.
Research limitations/implications
One of the potential empirical research limitations for this study is that the study was conducted in a single organisation; therefore, when generalising the results, caution must be taken.
Practical implications
Organisations, academics and the industry may find the questionnaire useful to determine employee perception towards privacy governance and to identify recommendations that could be used to improve their privacy policies, privacy programme controls and organisational commitment towards privacy. In this study, it was identified that for Generation-X employees to be more accepting towards the privacy controls, the organisation needs to implement focussed awareness training for them. To ensure permanent employees’ commitment and accountability, internal audits, monitoring and risk assessment measures need to be implemented. These can be directed through the outcomes of the survey.
Originality/value
The IPGQ can aid organisations in determining if they are governing privacy effectively, and thus assist them in meeting the accountability condition of data protection regulation.
Aggeliki Tsohou, Emmanouil Magkos, Haralambos Mouratidis, George Chrysoloras, Luca Piras, Michalis Pavlidis, Julien Debussche, Marco Rotoloni and Beatriz Gallego-Nicasio Crespo
Abstract
Purpose
The General Data Protection Regulation (GDPR) entered into force in May 2018 for enhancing personal data protection. Even though GDPR leads toward many advantages for the data subjects, it turned out to be a significant challenge. Organizations need to implement long and complex changes to become GDPR compliant. Data subjects are empowered with new rights, which, however, they need to become aware of. GDPR compliance is a challenging matter for the relevant stakeholders and calls for a software platform that can support their needs. The aim of the Data Governance for Supporting GDPR (DEFeND) EU project is to deliver such a platform. The purpose of this paper is to describe the process, within the DEFeND EU project, for eliciting and analyzing requirements for such a complex platform.
Design/methodology/approach
The platform needs to satisfy legal and privacy requirements and provide functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, for assuring that its users will embrace and use the platform. In this paper, the authors describe the methodology for eliciting and analyzing requirements for such a complex platform, by analyzing data attained by stakeholders from different sectors.
Findings
The findings provide the process for the DEFeND platform requirements’ elicitation and an indicative sample of those. The authors also describe the implementation of a secondary process for consolidating the elicited requirements into a consistent set of platform requirements.
Practical implications
The proposed software engineering methodology and data collection tools (i.e. questionnaires) are expected to have a significant impact for software engineers in academia and industry.
Social implications
It is reported repeatedly that data controllers face difficulties in complying with the GDPR. The study aims to offer mechanisms and tools that can assist organizations to comply with the GDPR, thus, offering a significant boost toward the European personal data protection objectives.
Originality/value
This is the first paper, according to the best of the authors’ knowledge, to provide software requirements for a GDPR compliance platform, including multiple perspectives.
Rachel L. Finn and Kush Wadhwa
Abstract
Purpose
This paper aims to study the ethics of “smart” advertising and regulatory initiatives in the consumer intelligence industry. Increasingly, online behavioural advertising strategies, especially in the mobile media environment, are being integrated with other existing and emerging technologies to create new techniques based on “smart” surveillance practices. These “smart” surveillance practices have ethical impacts including identifiability, inequality, a chilling effect, the objectification, exploitation and manipulation of consumers as well as information asymmetries. This article examines three regulatory initiatives – privacy-by-design considerations, the proposed General Data Protection Regulation of the EU and the US Do-Not-Track Online Act of 2013 – that have sought to address the privacy and data protection issues associated with these practices.
Design/methodology/approach
The authors performed a critical literature review of academic, grey and journalistic publications surrounding behavioural advertising to identify the capabilities of existing and emerging advertising practices and their potential ethical impacts. This information was used to explore how well proposed regulatory mechanisms might address current and emerging ethical and privacy issues in the emerging mobile media environment.
Findings
The article concludes that all three regulatory initiatives fall short of providing adequate consumer and citizen protection in relation to online behavioural advertising as well as “smart” advertising.
Originality/value
The article demonstrates that existing and proposed regulatory initiatives need to be amended to provide adequate citizen protection and describes how a focus on privacy and data protection does not address all of the ethical issues raised.