Search results

1 – 10 of over 14000
Article
Publication date: 4 September 2019

Konstantina Vemou and Maria Karyda

Abstract

Purpose

This paper aims to practically guide privacy impact assessment (PIA) implementation by proposing a PIA process incorporating best practices from existing PIA guidelines and privacy research.

Design/methodology/approach

This paper critically reviews and assesses generic PIA methods proposed by related research, data protection authorities and standards organizations, to identify best practices and practically support PIA practitioners. To address identified gaps, best practices from privacy literature are proposed.

Findings

This paper proposes a PIA process based on best practices, as well as an evaluation framework for existing PIA guidelines, focusing on practical support to PIA practitioners.

Practical implications

The proposed PIA process facilitates PIA practitioners in organizing and implementing PIA projects. This paper also provides an evaluation framework, comprising a comprehensive set of 17 criteria, for PIA practitioners to assess whether PIA methods/guidelines can adequately support requirements of their PIA projects (e.g. special legal framework and needs for PIA project organization guidance).

Originality/value

This research extends PIA guidelines (e.g. ISO 29134) by providing comprehensive and practical guidance to PIA practitioners. The proposed PIA process is based on best practices identified from evaluation of nine commonly used PIA methods, enriched with guidelines from privacy literature, to accommodate gaps and support tasks that were found to be inadequately described or lacking practical guidance.

Details

Information & Computer Security, vol. 28 no. 1
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 18 May 2020

Eleni-Laskarina Makri, Zafeiroula Georgiopoulou and Costas Lambrinoudakis

Abstract

Purpose

This study aims to assist organizations to protect the privacy of their users and the security of the data that they store and process. Users may be the customers of the organization (people using the offered services) or the employees (users who operate the systems of the organization). To be more specific, this paper proposes a privacy impact assessment (PIA) method that explicitly takes into account the organizational characteristics and employs a list of well-defined metrics as input, demonstrating its applicability to two hospital information systems with different characteristics.

Design/methodology/approach

This paper presents a PIA method that employs metrics and takes into account the peculiarities and other characteristics of the organization. The applicability of the method has been demonstrated on two Hospital Information Systems with different characteristics. The aim is to assist the organizations to estimate the criticality of potential privacy breaches and, thus, to select the appropriate security measures for the protection of the data that they collect, process and store.

Findings

The results of the proposed PIA method highlight the criticality of each privacy principle for every data set maintained by the organization. The method employed for the calculation of the criticality level takes into account the consequences that the organization may experience in case of a security or privacy violation incident on a specific data set, the weighting of each privacy principle and the unique characteristics of each organization. So, the results of the proposed PIA method offer a strong indication of the security measures and privacy enforcement mechanisms that the organization should adopt to effectively protect its data.

Originality/value

The novelty of the method is that it handles security and privacy requirements simultaneously, as it uses the results of risk analysis together with those of a PIA. A further novelty of the method is that it introduces metrics for the quantification of the requirements and also that it takes into account the specific characteristics of the organization.

Details

Information & Computer Security, vol. 28 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 19 June 2017

Chitra Sharma and Anjali Kaushik

Abstract

Purpose

Offshoring is a common practice to operationalize global business strategies. Data protection and privacy assurance are major concerns in such international arrangements. This paper aims to examine the strategy adopted to ensure privacy assurance in offshoring arrangements.

Design/methodology/approach

This is a literature review to understand privacy assurance strategies adopted in offshoring arrangements and an exploratory case study of a captive offshoring arrangement with an onshore location in Canada and offshoring locations in India and the Philippines. A comparative analysis of the privacy laws and privacy principles of Canada, the Philippines and India has been done.

Findings

It was found that at the time of migration of process or work to the offshore location, organizations follow a conformist privacy strategy; however, once in business-as-usual mode, they follow an entrepreneur privacy strategy. Privacy impact assessment (PIA) was found to be an important element in resolving the “administrative problem” of an offshoring organization’s privacy assurance strategy.

Research limitations/implications

The core privacy principles are outlined in the PIA templates; however, the current templates are designed to meet the conformist strategy and may need to be revised to include the cultural aspects, training, audit and information security requirements to plan and deliver on the entrepreneur strategy.

Practical implications

Offshoring organizations can benefit by planning for entrepreneur privacy assurance strategy at the inception stage. Enhancements to PIA templates to facilitate the same have been suggested.

Originality/value

Privacy assurance strategy followed by organizations while offshoring has been examined. This paper suggests extending the PIA process so that it covers privacy assurance requirements in offshoring arrangements. The learnings can be used in managing privacy assurance requirements in similar multi-country offshore arrangements.

Details

Journal of Global Operations and Strategic Sourcing, vol. 10 no. 2
Type: Research Article
ISSN: 2398-5364

Article
Publication date: 4 May 2012

Kush Wadhwa

Abstract

Purpose

Privacy impact assessments (PIAs) are an important tool for managing risk in both public and private sector projects. The best evidence of how PIAs are being conducted is the PIA reports published at the conclusion of the process. This paper aims to consider PIA reports from five countries and assesses their strengths, weaknesses and impacts.

Design/methodology/approach

The paper also identifies key trends and makes recommendations for improving the PIA process and enabling access to lessons learned by PIA practitioners.

Findings

The paper calls for further study of PIA case studies to determine how closely practitioners and assessors follow the PIA methodologies promulgated in their countries, to seek good practice in the preparation of PIAs and for the creation of a central repository for PIAs.

Originality/value

The author believes this is the first such paper to review actual PIA reports.

Details

info, vol. 14 no. 3
Type: Research Article
ISSN: 1463-6697

Article
Publication date: 4 November 2019

Peter Bates and Brendan McLoughlin

Abstract

Purpose

In care homes, concerns about abuse have established a culture where all information pertaining to a person must be shared, and little attention is paid to privacy in its broader sense. The purpose of this paper is to take a human rights perspective and consider how information governance may impact on the health, well-being and quality of life of residents. It proposes a proactive approach and presents a template for a privacy impact assessment which services could use to improve their approach to privacy, protecting the human rights of those in their care, contributing to their independence and improving outcomes.

Design/methodology/approach

A review of historical and current thinking about the value of privacy in human services and wider society leads to a series of challenges to the way in which privacy is upheld in residential care services.

Findings

Recent preoccupations with data privacy have led to a myopic neglect of broader considerations of privacy. Whilst it continues to be important to protect the confidentiality of personal data and to ensure that residents are protected from abuse, human services that provide 24-hour care in congregated settings must not neglect broader components of privacy.

Research limitations/implications

Privacy impact assessments have been widely used to check whether data privacy is being upheld. The broader concept that might be termed “Big Privacy” is introduced within which data privacy is but one section. It is suggested that big privacy is severely compromised in residential care settings, thus denying residents their human right to privacy. The extent of such violation of rights should be investigated.

Practical implications

Having set out the potential reach of the human right to privacy, important work needs to be done to find out how privacy might be upheld in the real world of congregate residential care. Some service providers may have solutions to the organisational challenges, have addressed staff training needs and revised risk assessment strategies so that privacy is upheld alongside other rights.

Social implications

Nearly half a million people live in congregate residential care settings in England, and deprivation of privacy is argued to be a significant deprivation of human rights. Occasional tragedies and scandals in congregate settings create pressure for increasing the level of surveillance, and the right to privacy is sacrificed. This paper offers a challenge to this process, arguing that competing rights need to be balanced and privacy is an essential component of a decent quality of life.

Originality/value

Personal growth and development depends to some extent on choice and control over access to privacy. Recent changes in the law regarding data protection have narrowed our thinking about privacy until it is a small concept, largely concerned with data handling. This paper invites consideration of big privacy, and invites congregate residential care settings to consider how a deep and broad definition of privacy could transform these services.

Details

The Journal of Adult Protection, vol. 21 no. 6
Type: Research Article
ISSN: 1466-8203

Article
Publication date: 24 April 2019

Alan Toy, David Lau, David Hay and Gehan Gunasekara

Abstract

Purpose

This paper aims to uncover the practices of different privacy auditors to reveal the extent of any similarities in such practices. The purpose is to investigate the drivers of practices used by privacy auditors and to identify potential for improvements in the practice of privacy auditing so that privacy audits may better serve stakeholders.

Design/methodology/approach

Six semi-structured interviews with seven privacy auditors and regulators and an analyst across Australia, Canada, New Zealand and the USA are used as the basis for our analysis.

Findings

The study shows that some privacy auditors view privacy as an organizational issue, which means that all staff within an organization should understand the privacy issues that are relevant to the organization and to its customers. Because this practice goes beyond a mere compliance approach to privacy auditing, it indicates that there is a way to avoid the approach of merely applying standards from national data privacy laws which is an approach that has been subject to criticism because it is not applicable to the current situation of global applications and cross-border data. The interview themes demonstrate that privacy audits face significant challenges, such as the lack of a privacy auditing profession and the difficulty of raising the awareness of organizations and individuals regarding information privacy rights and duties.

Originality/value

Privacy auditing is mostly unexplored by academic research and little is known about the drivers behind the practice of privacy auditing. This study is the first to document the views of privacy auditors regarding the practices that they use. It also presents novel results regarding the drivers of the practice of privacy auditing and the interests of the beneficiaries of privacy audits. It builds on research that argues for the existence of best practices for privacy (Toy, 2013; Toy and Hay, 2015) and it extends this argument by providing reasons why privacy auditors may benefit from the use of best practices for privacy.

Details

Meditari Accountancy Research, vol. 27 no. 3
Type: Research Article
ISSN: 2049-372X

Article
Publication date: 27 September 2011

Marc van Lieshout, Linda Kool, Bas van Schoonhoven and Marjan de Jonge

Abstract

Purpose

The purpose of this paper is to develop/elaborate the concept Privacy by Design (PbD) and to explore the validity of the PbD framework.

Design/methodology/approach

Attention for alternative concepts, such as PbD, which might offer surplus value in safeguarding privacy, is growing. Using PbD to design for privacy in ICT systems is still rather underexplored and requires substantial conceptual and empirical work to be done. The methodology includes conceptual analysis, empirical validation (focus groups and interviews) and technological testing (a technical demonstrator was built).

Findings

A holistic PbD approach can offer surplus value in better safeguarding of privacy without losing functional requirements. However, the implementation is not easily realised and is confronted with several difficulties such as: potential lack of economic incentives, legacy systems, lack of adoption of trust of end‐users and consumers in PbD.

Originality/value

The article brings together/incorporates several contemporary insights on privacy protection and privacy by design and develops/presents a holistic Privacy by Design framework consisting of five building blocks.

Article
Publication date: 18 May 2021

Paulus Swartz, Adele Da Veiga and Nico Martins

Abstract

Purpose

This study aims to conduct a survey in a bank to measure the perception of employees towards the effective governance of information privacy and at the same time validating the information privacy governance questionnaire (IPGQ) used in this study.

Design/methodology/approach

A quantitative research approach was followed using an online survey questionnaire to collect data in a bank in South Africa.

Findings

The survey results showed that employees perceived the governance of privacy in the organisation in a positive way. Three significant differences were identified, namely, Generation-Y being significantly more positive than Generation-X regarding privacy control assessment. Also, that the contractor/vendor group was significantly more positive than permanent employees regarding organisational commitment and privacy control assessment. Exploratory factor analysis was used to validate the IPGQ and four factors were identified: privacy control assessment, personal information awareness assessment, privacy governance reporting and organisational commitment towards privacy. Cronbach’s alpha was used to establish the internal reliability of the factors and indicated good internal consistency.

Research limitations/implications

One of the potential empirical research limitations for this study is that the study was conducted in a single organisation; therefore, when generalising the results, caution must be taken.

Practical implications

Organisations, academics and the industry may find the questionnaire useful to determine employee perception towards privacy governance and to identify recommendations that could be used to improve their privacy policies, privacy programme controls and organisational commitment towards privacy. In this study, it was identified that for Generation-X employees to be more accepting towards the privacy controls, the organisation needs to implement focussed awareness training for them. To ensure permanent employees’ commitment and accountability, internal audits, monitoring and risk assessment measures need to be implemented. These can be directed through the outcomes of the survey.

Originality/value

The IPGQ can aid organisations in determining if they are governing privacy effectively, and thus assist them in meeting the accountability condition of data protection regulation.

Article
Publication date: 18 May 2020

Aggeliki Tsohou, Emmanouil Magkos, Haralambos Mouratidis, George Chrysoloras, Luca Piras, Michalis Pavlidis, Julien Debussche, Marco Rotoloni and Beatriz Gallego-Nicasio Crespo

Abstract

Purpose

The General Data Protection Regulation (GDPR) entered into force in May 2018 for enhancing personal data protection. Even though GDPR leads toward many advantages for the data subjects, it turned out to be a significant challenge. Organizations need to implement long and complex changes to become GDPR compliant. Data subjects are empowered with new rights, which, however, they need to become aware of. GDPR compliance is a challenging matter for the relevant stakeholders, which calls for a software platform that can support their needs. The aim of the Data Governance for Supporting GDPR (DEFeND) EU project is to deliver such a platform. The purpose of this paper is to describe the process, within the DEFeND EU project, for eliciting and analyzing requirements for such a complex platform.

Design/methodology/approach

The platform needs to satisfy legal and privacy requirements and provide functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, for assuring that its users will embrace and use the platform. In this paper, the authors describe the methodology for eliciting and analyzing requirements for such a complex platform, by analyzing data attained by stakeholders from different sectors.

Findings

The findings provide the process for the DEFeND platform requirements’ elicitation and an indicative sample of those. The authors also describe the implementation of a secondary process for consolidating the elicited requirements into a consistent set of platform requirements.

Practical implications

The proposed software engineering methodology and data collection tools (i.e. questionnaires) are expected to have a significant impact for software engineers in academia and industry.

Social implications

It is reported repeatedly that data controllers face difficulties in complying with the GDPR. The study aims to offer mechanisms and tools that can assist organizations to comply with the GDPR, thus, offering a significant boost toward the European personal data protection objectives.

Originality/value

This is the first paper, according to the best of the authors’ knowledge, to provide software requirements for a GDPR compliance platform, including multiple perspectives.

Details

Information & Computer Security, vol. 28 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 6 May 2014

Rachel L. Finn and Kush Wadhwa

Abstract

Purpose

This paper aims to study the ethics of “smart” advertising and regulatory initiatives in the consumer intelligence industry. Increasingly, online behavioural advertising strategies, especially in the mobile media environment, are being integrated with other existing and emerging technologies to create new techniques based on “smart” surveillance practices. These “smart” surveillance practices have ethical impacts including identifiability, inequality, a chilling effect, the objectification, exploitation and manipulation of consumers as well as information asymmetries. This article examines three regulatory initiatives – privacy-by-design considerations, the proposed General Data Protection Regulation of the EU and the US Do-Not-Track Online Act of 2013 – that have sought to address the privacy and data protection issues associated with these practices.

Design/methodology/approach

The authors performed a critical literature review of academic, grey and journalistic publications surrounding behavioural advertising to identify the capabilities of existing and emerging advertising practices and their potential ethical impacts. This information was used to explore how well proposed regulatory mechanisms might address current and emerging ethical and privacy issues in the emerging mobile media environment.

Findings

The article concludes that all three regulatory initiatives fall short of providing adequate consumer and citizen protection in relation to online behavioural advertising as well as “smart” advertising.

Originality/value

The article demonstrates that existing and proposed regulatory initiatives need to be amended to provide adequate citizen protection and describes how a focus on privacy and data protection does not address all of the ethical issues raised.

Details

info, vol. 16 no. 3
Type: Research Article
ISSN: 1463-6697
