Search results

This study aims to assist organizations to protect the privacy of their users and the security of the data that they store and process. Users may be the customers of the organization (people using the offered services) or the employees (users who operate the systems of the organization). To be more specific, this paper proposes a privacy impact assessment (PIA) method that explicitly takes into account the organizational characteristics and employs a list of well-defined metrics as input, demonstrating its applicability to two hospital information systems with different characteristics.

This paper presents a PIA method that employs metrics and takes into account the peculiarities and other characteristics of the organization. The applicability of the method has been demonstrated on two Hospital Information Systems with different characteristics. The aim is to assist the organizations to estimate the criticality of potential privacy breaches and, thus, to select the appropriate security measures for the protection of the data that they collect, process and store.

The results of the proposed PIA method highlight the criticality of each privacy principle for every data set maintained by the organization. The method employed for the calculation of the criticality level, takes into account the consequences that the organization may experience in case of a security or privacy violation incident on a specific data set, the weighting of each privacy principle and the unique characteristics of each organization. So, the results of the proposed PIA method offer a strong indication of the security measures and privacy enforcement mechanisms that the organization should adopt to effectively protect its data.

The novelty of the method is that it handles security and privacy requirements simultaneously, as it uses the results of risk analysis together with those of a PIA. A further novelty of the method is that it introduces metrics for the quantification of the requirements and also that it takes into account the specific characteristics of the organization.

The purpose of this paper is to advocate for and provide guidance for the development of a code of ethical conduct surrounding online privacy policies, including those concerning data mining. The hope is that this research generates thoughtful discussion on the issue of how to make data mining more effective for the business stakeholder while at the same time making it a process done in an ethical way that remains effective for the consumer. The recognition of the privacy rights of data mining subjects is paramount within this discussion.

The authors derive foundational principles for ethical data mining. First, philosophical literature on moral principles is used as the theoretical foundation. Then, using existing frameworks, including legislation and regulations from a range of jurisdictions, a compilation of foundational principles was derived. This compilation was then evaluated and honed through the integration of stakeholder perspective and the assimilation of moral and philosophical precepts. Evaluating a sample of privacy policies hints that current practice does not meet the proposed principles, indicating a need for changes in the way data mining is performed.

A comprehensive framework for the development a contemporary code of conduct and proposed ethical practices for online data mining was constructed.

This paper provides a configuration upon which a code of ethical conduct for performing data mining, tailored to meet the particular needs of any organization, can be designed.

The implications of data mining, and a code of ethical conduct regulating it, are far-reaching. Implementation of such principles serve to improve consumer and stakeholder confidence, ensure the enduring compliance of data providers and the integrity of its collectors, and foster confidence in the security of data mining.

Existing legal mandates alone are insufficient to properly regulate data mining, therefore supplemental reference to ethical considerations and stakeholder interest is required. The adoption of a functional code of general application is essential to address the increasing proliferation of apprehension regarding online privacy.

Concerns over data-processing activities that may lead to privacy violations or harms have motivated the development of legal frameworks and standards. Further, software engineers are increasingly expected to develop and maintain privacy-aware systems that both comply with such frameworks and standards and meet reasonable expectations of privacy. This paper aims to facilitate reasoning about privacy compliance, from legal frameworks and standards, with a view to providing necessary technical assurances.

The authors show how the standard extension mechanisms of the UML meta-model might be used to specify and represent data-processing activities in a way that is amenable to privacy compliance checking and assurance.

The authors demonstrate the usefulness and applicability of the extension mechanisms in specifying key aspects of privacy principles as assumptions and requirements, as well as in providing criteria for the evaluation of these aspects to assess whether the model meets these requirements.

First, the authors show how key aspects of abstract privacy principles can be modelled using stereotypes and tagged values as privacy assumptions and requirements. Second, the authors show how compliance with these principles can be assured via constraints that establish rules for the evaluation of these requirements.

The purpose of this general review is to address the evolution and development of the Fair Information Practice Principles (FIPPs).

This study presents FIPPs from several establishments, compare them and map them to the General Data Protection Regulation (GDPR). Additionally, this study presents and discuss similarities and differences among FIPP sets.

Although the subject matter of the FIPP sets is very similar, there are differences: their scope differs significantly. The comparison among FIPP sets is presented, and it provides relevant information related to the connectedness between privacy principles.

This study considers the GDPR to be the pinnacle of the efforts to improve personal data protection; it became a role model for other countries to implement similar regulations.

The purpose of this paper is to examine the extent to which New Zealand business web sites conform to the provisions of the New Zealand Privacy Act, 1993 as an articulation of the national values on the rights of individuals to information privacy. The secondary aim is to assess whether adherence to these values might be used as criteria that can reflect on the business integrity of the web site sponsor.

The privacy notices and information‐handling practices of New Zealand business web sites were analysed using a content analysis methodology. The analysis was carried out on a sample of 200 companies, selected at random from a published list of the top 800 companies in New Zealand in 2005. Government web sites were excluded.

The first research hypothesis – that New Zealand business web sites demonstrate awareness of the privacy concerns of customers by posting a privacy notice – was not supported. Similarly, the privacy notices on New Zealand business web sites did not reflect the principles of the New Zealand Privacy Act, 1993 as a basis for establishing “value congruence” with customers. Consequently the use of the principles of the Privacy Act to assess business integrity was not demonstrated sufficiently by the investigation.

The lack of a usable convention for evaluating privacy notices on New Zealand business web sites may lead to a loss of value congruence between businesses and their customers, leading to less‐than‐optimal commercial transactions. The principles of the New Zealand Privacy Act 1993 define the national values and privacy rights of online customers. The use of the Privacy Act to assess the information handling practices of New Zealand businesses online could ensure more ethical business practice, demonstrate business integrity and promote customer confidence.

The use of legislated privacy principles as a reflection of established national values on the rights of citizens could provide a useful measure of value congruence and possibly business integrity. The variety of privacy legislation worldwide reflects a global lack of agreement on acceptable principles. Nevertheless, businesses wishing to establish their integrity and value congruence would be advised to ensure that their web sites provide for the growing sensitivity to privacy issues and the way that personal information is gathered and used online.

This paper aims to contribute to the ongoing discourse about the nature of privacy and its role in ubiquitous environments and provide insights for future research.

The paper analyses the privacy implications of particular characteristics of ubiquitous applications and discusses the fundamental principles and information practices used in digital environments for protecting individuals' private data.

A significant trend towards shifting privacy protection responsibility from government to the individuals is identified. Also, specific directions for future research are provided with a focus on interdisciplinary research.

This paper identifies key research issues and provides directions for future research.

This study contributes by identifying major challenges that should be addressed, so that a set of “fair information principles” can be applied in the context of ubiquitous environments. It also discusses the limitations of these principles and provides recommendations for future research.

The purpose of this study is to investigate the various enablers of and constraints on employees' information sharing on an enterprise social media platform. It draws on two theoretical perspectives, communication privacy management theory and the technology affordance framework, as well as on empirical data in an attempt to paint a comprehensive picture of the factors shaping employees' decisions to share or not share information on enterprise social media.

This qualitative field study is based on semi-structured interviews and enterprise social media review data from a large Nordic media organization.

On an enterprise social media platform, privacy management principles shape employees' information-sharing decisions in relation to personal privacy boundaries, professional boundaries and assumed risks, online safety concerns and perceived audience. Additionally, the technological affordances of visibility, awareness, persistence and searchability shape employees' information sharing in varying and sometimes even contradictory ways. Finally, organizational factors, such as norms, tasks and media repertoires, are associated with employees' information-sharing decisions. Together, these three dimensions, personal, technological and organizational, form a model of the enablers of and constraints on employees' decisions to share information on enterprise social media.

This study extends the understanding of different factors shaping employees' decisions to share or not share information on enterprise social media. It extends the two applied theories by uniquely combining interpersonal privacy management principles with a technological affordance framework that focuses on the relationship between the user and the technology. This research also furthers the authors' knowledge of what privacy management principles mean in the organizational context. This study shows connections between the two theories and extends the understanding of technology affordances as not only action possibilities but also constraining factors. Additionally, by revealing what kinds of factors encourage and inhibit information sharing on enterprise social media, the results of this study support organizations in their efforts to manage information sharing on enterprise social media systems.

Cyber-enabled crimes are on the increase, and law enforcement has had to expand many of their detecting activities into the digital domain. As such, the field of digital forensics has become far more sophisticated over the years and is now able to uncover even more evidence that can be used to support prosecution of cyber criminals in a court of law. Governments, too, have embraced the ability to track suspicious individuals in the online world. Forensics investigators are driven to gather data exhaustively, being under pressure to provide law enforcement with sufficient evidence to secure a conviction.

Yet, there are concerns about the ethics and justice of untrammeled investigations on a number of levels. On an organizational level, unconstrained investigations could interfere with, and damage, the organization's right to control the disclosure of their intellectual capital. On an individual level, those being investigated could easily have their legal privacy rights violated by forensics investigations. On a societal level, there might be a sense of injustice at the perceived inequality of current practice in this domain.

This paper argues the need for a practical, ethically grounded approach to digital forensic investigations, one that acknowledges and respects the privacy rights of individuals and the intellectual capital disclosure rights of organizations, as well as acknowledging the needs of law enforcement. The paper derives a set of ethical guidelines, and then maps these onto a forensics investigation framework. The framework to expert review in two stages is subjected, refining the framework after each stage. The paper concludes by proposing the refined ethically grounded digital forensics investigation framework. The treatise is primarily UK based, but the concepts presented here have international relevance and applicability.

In this paper, the lens of justice theory is used to explore the tension that exists between the needs of digital forensic investigations into cybercrimes on the one hand, and, on the other, individuals' rights to privacy and organizations' rights to control intellectual capital disclosure.

The investigation revealed a potential inequality between the practices of digital forensics investigators and the rights of other stakeholders. That being so, the need for a more ethically informed approach to digital forensics investigations, as a remedy, is highlighted and a framework proposed to provide this.

The proposed ethically informed framework for guiding digital forensics investigations suggests a way of re-establishing the equality of the stakeholders in this arena, and ensuring that the potential for a sense of injustice is reduced.

Justice theory is used to highlight the difficulties in squaring the circle between the rights and expectations of all stakeholders in the digital forensics arena. The outcome is the forensics investigation guideline, PRECEpt: Privacy-Respecting EthiCal framEwork, which provides the basis for a re-aligning of the balance between the requirements and expectations of digital forensic investigators on the one hand, and individual and organizational expectations and rights, on the other.

This paper aims to uncover the practices of different privacy auditors to reveal the extent of any similarities in such practices. The purpose is to investigate the drivers of practices used by privacy auditors and to identify potential for improvements in the practice of privacy auditing so that privacy audits may better serve stakeholders.

Six semi-structured interviews with seven privacy auditors and regulators and an analyst across Australia, Canada, New Zealand and the USA are used as the basis for our analysis.

The study shows that some privacy auditors view privacy as an organizational issue, which means that all staff within an organization should understand the privacy issues that are relevant to the organization and to its customers. Because this practice goes beyond a mere compliance approach to privacy auditing, it indicates that there is a way to avoid the approach of merely applying standards from national data privacy laws which is an approach that has been subject to criticism because it is not applicable to the current situation of global applications and cross-border data. The interview themes demonstrate that privacy audits face significant challenges, such as the lack of a privacy auditing profession and the difficulty of raising the awareness of organizations and individuals regarding information privacy rights and duties.

Privacy auditing is mostly unexplored by academic research and little is known about the drivers behind the practice of privacy auditing. This study is the first to document the views of privacy auditors regarding the practices that they use. It also presents novel results regarding the drivers of the practice of privacy auditing and the interests of the beneficiaries of privacy audits. It builds on research that argues for the existence of best practices for privacy (Toy, 2013; Toy and Hay, 2015) and it extends this argument by providing reasons why privacy auditors may benefit from the use of best practices for privacy.

The medical advances and historical fluctuations in the demographics are contributing to the rise of the average age. These changes are increasing the pressure to organize adequate care to a growing number of individuals. As a way to provide efficient and cost-effective care, eHealth systems are gaining importance. However, this trend is creating new ethical concerns. Major issues are privacy and patients’ control over their data. To deploy these systems on a large scale, they need to offer strict privacy protection. Even though many research proposals focus on eHealth systems and related ethical requirements, there is an evident lack of practical solutions for protecting users’ personal information. The purpose of this study is to explore the ethical considerations related to these systems and extract the privacy requirements. This paper also aims to put forth a system design which ensures appropriate privacy protection.

This paper investigates the existing work in the area of eHealth systems and the related ethical considerations, which establish privacy as one of the main requirements. It lists the ethical requirements and data protection standards that a system needs to fulfil and uses them as a guideline for creating the proposed design.

Even though privacy is considered to be a paramount aspect of the eHealth systems, the existing proposals do not tackle this issue from the outset of the design. Consequently, introducing privacy at the final stages of the system deployment imposes significant limitations and the provided data protection is not always to the standards expected by the users.

This paper motivates the need for addressing ethical concerns in the eHealth domain with special focus on establishing strict privacy protection. It lists the privacy requirements and offers practical solutions for developing a privacy-friendly system and takes the approach of privacy-by-design. Additionally, the proposed design is evaluated against ethical principles as proposed in the existing literature. The aim is to show that technological advances can be used to improve quality and efficiency of care, while the usually raised concerns can be avoided.