Universiteit Leiden ICT in Business

Privacy Maturity Model: Towards Privacy-by-Design Best Practices

Name: Xin Qi
Student-no: s1534408
Date: 18/07/2016
1st supervisor: Dr. Amr Ali-Eldin
2nd supervisor: Dr. Steve F. Foster
1st external supervisor: Dr. Haiyun Xu
2nd external supervisor: Dr. Bárbara Vieira

MASTER'S THESIS
Leiden Institute of Advanced Computer Science (LIACS)
Leiden University
Niels Bohrweg 1
2333 CA Leiden
The Netherlands

ABSTRACT

The rapid development of technologies has brought risks to data protection as a byproduct. Information privacy therefore becomes increasingly crucial in the ICT environment. In this study, a Privacy Maturity Model is proposed to analyze real-world Privacy-by-Design best practices. Based on the ISO/IEC 29100 (2011) privacy principles, a checklist of Privacy-by-Design activities is generated. Furthermore, each activity is assigned a privacy maturity level. The model is analyzed by case studies, via a privacy questionnaire that measures the privacy aspects of ICT systems. We believe that the Privacy Maturity Model indicates a systematic way of advising modern organizations on how to get privacy right.

Keywords: Information Privacy; Data Protection; Privacy-by-Design; Privacy Maturity Model.

ACKNOWLEDGEMENTS

It is of great experience to live and study in a different continent. During the past two years that I have spent with the Master Program ICT in Business in Leiden University, many professors, lecturers and staff have been supportive to me. I appreciate them for the academic knowledge I obtained, the amazing business events I attended, and the kind help I received as an international student.

Living in a remote country yet with little homesickness, I would owe it to my family and friends. My family supported me both emotionally and financially, which made things so easy and comfortable. My friends, especially the ones I met in Holland, have added enjoyable flavors into my life. Besides, credits go to my ICTiB classmates from Leiden University as well as colleagues from Software Improvement Group B.V. (SIG); thanks to them, the previous two years were full of fun and inspiration.

At last, I would like to give my special thanks to my thesis advisors: Dr. Amr Ali-Eldin, my first university supervisor; Dr. Steve Foster, my second reader; Dr. Haiyun Xu, my first external supervisor at SIG; and Dr. Bárbara Vieira, my second external supervisor at SIG. They have sacrificed a great amount of time, from coaching me in the research design to reading my thesis and guiding me in writing. Their suggestions are always in time, and are more than valuable for me to conduct this six-month research.
TABLE OF CONTENTS

1. Introduction ..... 9
1.1. Privacy: State of the Art ..... 9
1.2. Research Questions ..... 10
1.3. Research Objectives and Contributions ..... 11
1.4. Research Methods ..... 11
1.4.1. Exploratory Study ..... 11
1.4.2. Literature Review ..... 12
1.4.3. Model Construction and Questionnaire Improvement (iterative) ..... 12
1.4.4. Data Collection and Interviews ..... 12
1.4.5. Data Analysis and Result Validation ..... 13
1.5. Organization of the Thesis ..... 13
2. Literature Review ..... 14
2.1. Privacy and its Principles ..... 14
2.2. Privacy-by-Design ..... 17
2.3. Privacy Impact Assessment ..... 18
2.4. Related studies on Privacy Maturity ..... 19
2.5. Maturity Model as an Analogue ..... 20
3. Development of Privacy Maturity Model ..... 21
3.1. The Merge of ISO 29100 Privacy Principles ..... 22
3.2. The Checklist of Privacy-by-Design Activities ..... 23
3.3. Privacy Maturity Levels ..... 28
3.4. The Privacy Questionnaire ..... 30
3.5. The Evaluation Framework ..... 33
3.5.1. Compliance with Privacy Maturity Levels ..... 33
3.5.2. The Action Plan ..... 38
4. Case Studies ..... 40
4.1. Outcomes of Case Study ..... 40
4.1.1. Case Study 1 ..... 41
4.1.2. Case Study 2 ..... 41
4.2. Feedbacks on the Privacy Maturity Model ..... 42
4.3. Findings from Case Studies ..... 43
4.3.1. Non-Compliance with Basic Activities ..... 43
4.3.2. The Non-Applicable Activities ..... 43
4.3.3. Overall Comparison on the Case Studies ..... 44
5. Discussions ..... 45
5.1. Refinement on the Privacy Maturity Model ..... 45
5.2. Improvement on the Evaluation Framework ..... 45
5.2.1. A Limited Number of Data Points ..... 46
5.2.2. The Partially Implemented PbD Activities ..... 46
5.2.3. Possibility of A Privacy Maturity Rating System ..... 47
6. Conclusions ..... 50
6.1. Privacy Requires a Proactive Thinking ..... 50
6.2. Improvement of the Privacy Maturity Model ..... 51
6.3. Limitations and Further Research ..... 52
References ..... 53
Appendices ..... 56
Appendix A: The Privacy Questionnaire ..... 56
Appendix B: The Invitation Letter ..... 57
Appendix C: The Mapping between PbD Activities and Questions ..... 58
LIST OF ABBREVIATIONS

AICPA/CICA: The American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants
BSIMM: Building Security-In Maturity Model
CMMI: Capability Maturity Model Integration
ENISA: European Network and Information Security Agency
GDPR: General Data Protection Regulation
ICT: Information and Communications Technology
ISO: International Organization for Standardization
IEC: International Electrotechnical Commission
OECD: Organization for Economic Co-operation and Development
OWASP: Open Web Application Security Project
(OWASP) ASVS: (OWASP) Application Security Verification Standard
PbD: Privacy-by-Design
PIA: Privacy Impact Assessment
PII: Personally Identifiable Information
PMM: Privacy Maturity Model
PRIPARE: PReparing Industry to Privacy-by-design by supporting its Application in REsearch
SDLC: Software Development Life Cycle
SNS: Social Networking Service

LIST OF FIGURES

Figure [3.1]. The Composition of the Privacy Maturity Model ..... 21
Figure [3.2]. Outline of the Privacy Questionnaire ..... 31
Figure [3.3]. The Composition of the Privacy Maturity Model ..... 34
Figure [4.1]. Process of Adopting the Privacy Maturity Model ..... 40

LIST OF TABLES

Table [2.1]. Matching of different versions of Privacy Principles ..... 17
Table [3.1]. Summarizing ISO 29100 Privacy Principles ..... 22
Table [3.2]. Privacy-by-Design Activities: Lawfulness & Consent (LC) ..... 25
Table [3.3]. Privacy-by-Design Activities: Data Minimization (DM) ..... 25
Table [3.4]. Privacy-by-Design Activities: Individual rights & Data Quality (IRDQ) ..... 26
Table [3.5]. Privacy-by-Design Activities: Purpose binding & limitation (PBL) ..... 26
Table [3.6]. Privacy-by-Design Activities: Transparency & Openness (TO) ..... 27
Table [3.7]. Privacy-by-Design Activities: Information Security (IS) ..... 27
Table [3.8]. Privacy-by-Design Activities: Accountability & Compliance (AC) ..... 28
Table [3.9]. A Comparison of Privacy Requirements ..... 29
Table [3.10]. Privacy Maturity Levels of PbD Activities ..... 30
Table [3.18]. Question Example 1: One Activity – Multiple Questions ..... 32
Table [3.19]. Question Example 2: Multiple Activities – One Question ..... 32
Table [3.20]. Question Example 3: System-specific Question ..... 33
Table [3.11]. Evaluation of Compliance: Lawfulness & Consent (LC) ..... 35
Table [3.12]. Evaluation of Compliance: Data Minimization (DM) ..... 35
Table [3.13]. Evaluation of Compliance: Individual rights & Data Quality (IRDQ) ..... 36
Table [3.14]. Evaluation of Compliance: Purpose binding & limitation (PBL) ..... 36
Table [3.15]. Evaluation of Compliance: Transparency & Openness (TO) ..... 37
Table [3.16]. Evaluation of Compliance: Information Security (IS) ..... 37
Table [3.17]. Evaluation of Compliance: Accountability & Compliance (AC) ..... 38
Table [4.4]. Privacy Maturity Levels: Organization X ..... 41
Table [4.5]. Privacy Maturity Levels: Company Y ..... 41
Table [5.1]. Evaluation of Compliance (Updated): Data Minimization (DM) ..... 45
Table [5.2]. The Transition Table for Privacy Star Rating ..... 48
Table [5.3]. Thresholds of Privacy Star Rating: Basic-focused ..... 48
Table [5.4]. Thresholds of Privacy Star Rating: Optimistic ..... 49
Table [5.5]. Thresholds of Privacy Star Rating: Stringent ..... 49
1. Introduction

1.1. Privacy: State of the Art

The rapid evolution of technologies, along with the explosive growth of the amount of data, has been impacting the way we live. While enjoying the efficiency of newly available technologies, one thing that must not be neglected is the byproduct: risks to privacy.

Privacy breaches have been happening more often and bringing more severe results than we thought.¹ In December 2015, 191 million U.S. voters' information was uncovered by an independent computer security researcher – due to an incorrect configuration, the database was exposed on the open Internet, which included names, phone numbers, emails, addresses, birthdates, and party affiliations [Finkle & Volz, 2015]. In March 2016, Verizon Enterprise Solutions, which conducts business in providing solutions in terms of privacy breaches, claimed that they suffered from their own breach of the contact information of 1.5 million business customers [McGee, 2016]. In the first example, the individual victims got panicked: if we look at the types of the leaked personal data, the chance of individuals being identified and tracked became extremely high. In the second example, Verizon's clients had to deal with potential risks such as fraud and phishing attacks. Facing privacy breaches, not only do the victims become vulnerable; the organization which holds the data also has to pay a huge amount of compensation, not to mention the ruined reputation.

¹ There are currently multiple online resources recording the data breaches that happened in recent years. One of the visualizations is available at: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

The mechanisms behind the Internet encourage people to post more and share more, not only about themselves, but sometimes about other people as well. However, neither are a sufficient number of people aware of privacy issues – especially given the fact that Social Networking Services (SNS) tend to be much more popular among younger generations [Pew Research Center, 2013] – nor are a sufficient number of SNS systems and applications designed with appropriate privacy protection methods. Let us take the example of Google. When using Google Maps to browse a location, the option to add a picture of that location can be easily found. A claim appears before uploading, saying the picture will be shared with the public. However, what happens if someone mistakenly uploads a selfie? An experiment has been conducted.² Google does not even remind the user whether the picture can still be removed (the answer is yes), not to say respecting the consent choice of the user. Google could have done more, for instance, implementing facial-recognition techniques to ask the user "We have detected human face(s) in your picture. Do you still want to share this picture with the public?" Unfortunately, this is not the case; and this is just one of the countless examples where both service users and service providers happen to "forget" about privacy.

² A random location on Google Maps was picked. When a picture which contains recognizable human faces is selected, it will be automatically uploaded to the system, and the picture is almost immediately available for everyone who has access to Google.

An inspiring piece of news in April 2016 is that the General Data Protection Regulation (GDPR) has been adopted by the European Council and the European Parliament [European Commission, 2016]. This marks a replacement of the Data Protection Directive (Directive 95/46/EC), which already has a history of more than 20 years. Soon after the adoption of the GDPR, Facebook launched a special version of its facial-recognition app in Europe and Canada. The special version was designed in alignment with privacy laws and regulations. However, part of the functionality had to be disabled from the original version due to the legal requirements [Kelion, 2016]. In fact, how to balance people's demand for using the service against pursuing a more mature level of privacy still remains a challenging topic.

1.2. Research Questions

Privacy is increasingly important to individuals as well as organizations. Information and Communications Technology (ICT) systems and applications should play a better role in protecting privacy-sensitive data. While existing privacy assessment methods address privacy protection at a broad organizational level (which will be elaborated in Chapter 2), the need has been arising for practical approaches that do justice to this emerging role of ICT applications. Hence, the overall research question has been defined as:

How to design a Privacy Maturity Model that is applicable to assess Privacy-by-Design best practices?

To answer the main Research Question step by step, three sub-questions have been further developed:

• What Privacy-by-Design activities shall be included in the model?
• To reach a certain privacy maturity level, what are the requirements, i.e. which Privacy-by-Design activities shall be implemented?
• Is the Privacy Maturity Model created in this research applicable, i.e. is the gap between the activities that companies/organizations are expected to do and what they actually do insignificant?
1.3. Research Objectives and Contributions

The research objectives are stated as the following aspects, each aligning with one sub-research question:

• Generate a concrete list of Privacy-by-Design activities.
• Derive the Privacy Maturity Model. That is, for each maturity level, define which Privacy-by-Design activities shall belong to that level.
• Assess the validity of the Privacy Maturity Model by case studies.

With the accomplishment of the research objectives, Privacy-by-Design activities of an ICT system or application can be practically analyzed. The list of Privacy-by-Design activities will lead to suggestions on how to further improve the system to move towards a higher privacy maturity level.

The Privacy Maturity Model is crucial for raising privacy alarms throughout the entire Software Development Life Cycle (SDLC) – and especially in the early stages. For companies and organizations, the model encourages them to proactively implement Privacy-by-Design. By having more safeguarded and trustworthy systems in the first place, the risk of paying unwanted costs (such as large amounts of compensation caused by privacy breaches) can be minimized.

1.4. Research Methods

1.4.1. Exploratory Study

This study aims to first gather a list of practical Privacy-by-Design activities, and later create the Privacy Maturity Model by mapping each activity into a proper maturity level. The actual performance of the model shall be assessed by feedback from real-world cases, and adjustments shall be made to the model whenever needed.

In order to inductively come up with an applicable Privacy Maturity Model, the research is designed as an analogue to both the Building Security-In Maturity Model version 6 [BSIMM6, 2015] and the OWASP Application Security Verification Standard version 3.0 [OWASP ASVS 3.0, 2015].

More detailed research steps are explained separately in the following sections.
1.4.2. Literature Review

The Privacy-by-Design activities shall be listed in a clear and structured way. Ahead of creating the model, several concepts need to be elaborated to avoid ambiguity in later stages: 1) relevant information privacy terminologies, 2) various versions of widely accepted privacy principles, and 3) previous studies, i.e., Privacy Impact Assessment (PIA) frameworks/models. The results of the literature review will be presented in Chapter 2.

1.4.3. Model Construction and Questionnaire Improvement (iterative)

The Privacy Maturity Model consisting of Privacy-by-Design activities will be generated according to privacy principles. As the foundation of the model, the privacy principles used in this research will be based on an overall understanding of multiple existing privacy principles. Meanwhile, the construction of the model will be supervised by Software Improvement Group B.V. (SIG) experts.

The Privacy Maturity Model will contain a list of maturity levels, which act as measuring sticks for Privacy-by-Design activities. After that, an evaluation framework will be developed to analyze the actual performance of Privacy-by-Design activities. This means that when a real-world case is collected by the privacy questionnaire, we will be able to apply the evaluation framework to determine the privacy maturity levels for that specific case.

Finally, the Privacy Maturity Model will be validated via case studies. In this research, a privacy questionnaire is used to collect information about the reality (i.e. what Privacy-by-Design activities companies/organizations actually conduct, how these activities perform, etc.). Initially, SIG provides this research with a draft version of the questionnaire. Before sending out the copies to participants (i.e. SIG clients as well as external companies/organizations), the questionnaire needs to be revised to satisfy our research objectives. A thorough description of the design of the privacy questionnaire can be found in Chapter 4.1.

1.4.4. Data Collection and Interviews

The privacy maturity questionnaire needs to be filled in on a "one specific system per questionnaire" basis. When our participants feel it necessary, a semi-structured interview session will be arranged to discuss the content of the questionnaire. Participants shall be well informed that interviews will be recorded. The estimated number of participants for the purpose of model validation is 5–10 in total. That is, 2–3 participants per company/organization: at least one being the system designer/architect, and the other being the person in charge of the organization's privacy policy. In return, participants will receive a Privacy Maturity Report along with an interactive session.

1.4.5. Data Analysis and Result Validation

Based on the data collected from questionnaires as well as feedback from participants, the Privacy Maturity Model will be evaluated. The mapping between Privacy-by-Design activities and maturity levels might face slight adjustments, due to the feedback from respondents. SIG experts shall be invited to supervise any modifications to the Privacy Maturity Model.

1.5. Organization of the Thesis

The rest of the thesis is structured in the following way: Chapter 2 presents an overview of existing literature and studies in the field of privacy, which serves as the scientific foundation of our research. Chapter 3 explains the process of constructing the Privacy Maturity Model and the model itself. Chapter 4 describes the model validation by the analysis of real-world cases. Following is Chapter 5, where findings from case studies and possible improvements to the model are discussed. At last, the conclusion and the limitations of this study, as well as further research paths, can be found in Chapter 6.
2. Literature Review

This literature review builds a general research foundation by looking into a list of privacy-related issues and understanding them, such as privacy principles, the concept of Privacy-by-Design, and Privacy Impact Assessment. On the other hand, when reading about studies conducted on Privacy Maturity, insights as well as questions popped up. Furthermore, to grasp the idea of how a maturity model works, other studies such as a process improvement program and security maturity models are reviewed as an analogue. Note that, although Banisar & Davies [Banisar & Davies, 1999] and later researchers claimed that privacy could be specified in different categories, the term is used to refer to information privacy (or, data protection) in our study.

2.1. Privacy and its Principles

Among the earliest privacy quotes, the most famous one describes privacy as the "right to be let alone" [Warren and Brandeis, 1890]. Privacy is such a common word in our society that giving an accurate definition to it becomes hard. Nevertheless, ISO/IEC 29100 – also known as "the Privacy Framework" [ISO/IEC 29100:2011] – has suggested a possible definition:

"Privacy is the concern of natural persons and organizations specifying, procuring, architecting, designing, developing, testing, maintaining, administering, and operating information and communication technology (ICT) systems or services where privacy controls are required for the processing of Personally Identifiable Information (PII)."

That is, privacy requires the right people to conduct proper tasks towards specific pieces of personal information. Yet in another study [Schwaig, Kane & Storey, 2006], researchers argue that privacy in most contexts is no longer viewed as an absolute right, but must be balanced against the needs of society.

Privacy protection relies very much on obeying the instructions of privacy principles. In 1980, the Organization for Economic Co-operation and Development (OECD) [OECD, 1980] summarized 8 widely used privacy principles, and thus earned its global fame. The OECD privacy principles can be summarized as:

1. Collection Limitation: any collected data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
2. Data Quality: personal data should be accurate, complete and kept up-to-date, and relevant to the purposes for which they are to be used and to the extent necessary for those purposes.
3. Purpose Specification: the purposes for personal data collection should be specified not later than at the time of data collection.
4. Use Limitation: personal data should not be disclosed, made available or otherwise used for purposes other than those specified (unless with the consent of the data subject, or by the authority of law).
5. Security Safeguards: data should be protected by reasonable security safeguards against risks such as loss, unauthorised access, destruction, use, modification or disclosure of data.
6. Openness: a general personal data policy should be introduced with openness on developments, practices and policies, for establishing the existence and nature of personal data, and the main purposes of their use, as well as the identification and usual residence of the data controller.
7. Individual Participation: the individual should have the right to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; to have communicated to him, data relating to him within a reasonable time, at a charge, if any, that is not excessive, in a reasonable manner, and in a form that is readily intelligible to him; to be given reasons if a request is denied, and to be able to challenge such denial; and to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.
8. Accountability: the data controller should be accountable for complying with measures which give effect to the principles stated above.

Three decades later, facing rapid changes of both society and technologies, the OECD decided to publish an amended version in 2013, adding details to the principles. But this new version has not gained the same authority as the original one.

Apart from the OECD, ISO/IEC 29100 defines 11 privacy principles for the privacy framework, which can be summarized as [ISO/IEC 29100:2011]:

1. Consent and choice: the PII principal's choice must be given freely, specific and on a knowledgeable basis;
2. Purpose legitimacy and specification: the purpose of data processing complies with applicable legislation and is communicated to the PII principal before collection;
3. Collection limitation: limit data collection to the strictly necessary for the specific purpose (only collect the data indispensable for provisioning a particular service);
4. Data minimization: minimize the PII that is processed and avoid observability and linkability of PII collected; delete and dispose of PII whenever the purpose for PII processing has expired;
5. Use, retention and disclosure limitation: limit the use, retention and disclosure of PII to specific purposes, unless a different purpose is required by law;
6. Accuracy and quality: PII processed must be accurate, complete and up-to-date;
7. Openness, transparency and notice: provide clear and easy to access information about policies, procedures and practices of PII processing;
8. Individual participation and access: provide PII principals the ability to access and review their own data; enforce access control;
9. Accountability: assign the task of implementing the privacy-related policies, procedures and practices to a particular individual within the organization; provide suitable training to the organization members handling PII;
10. Information security: enforce confidentiality, integrity and availability of PII; prevent unauthorised access, destruction, modification, disclosure and use of PII;
11. Privacy compliance: verify and demonstrate that PII processing meets data protection and privacy safeguarding requirements.

In addition, the European Network and Information Security Agency (ENISA) [Danezis et al., 2014] provides a list of 9 privacy principles, which is on the basis of an understanding of the legal framework:

1. Lawfulness: data must be collected or processed either based on the data subject's explicit consent or because there is a legal obligation;
2. Consent: the data subject should give unambiguous and explicit consent on data collection and processing;
3. Purpose binding: a purpose must be well-defined for both data collection and processing;
4. Necessity & Data minimisation: only necessary data must be collected;
5. Transparency & Openness: privacy policies must be well defined and publicly known;
6. Rights of the individual: data subjects should have the right to access, change and delete (their own) collected data;
7. Information security: confidentiality, integrity and availability must be enforced;
8. Accountability: responsibilities for enforcing privacy policies should be clearly assigned to specific person(s) from the organisation;
9. Data protection by design and by default: data protection should be taken into account from the initial design phase of the system.

From the descriptions of the 3 groups of privacy principles, it is obvious that, in different versions, different names have been given to the same content – and this is a common situation. On the one hand, with a comparison of the descriptions, the ISO 29100 principles can be regarded as an extension of the OECD's 8 principles. On the other hand, being an international standard, ISO 29100 describes privacy principles in a more structured and thorough way than the OECD and ENISA. Therefore, to minimize ambiguity, this research will regard the ISO 29100 version descriptions as the foundation of creating the Privacy Maturity Model. The following table depicts a matching between ISO 29100 privacy principles and OECD as well as ENISA privacy principles. Although the names in one specific row are different, they actually refer to the same content.
Table [2.1]. Matching of different versions of Privacy Principles

| #  | ISO/IEC 29100 (2011)                      | Matching Privacy Principles in OECD (1980) | Matching Privacy Principles in ENISA (2014)         |
|----|-------------------------------------------|--------------------------------------------|-----------------------------------------------------|
| 1  | Consent and choice                        | Collection Limitation, Use Limitation      | Consent                                             |
| 2  | Purpose legitimacy and specification      | Purpose Specification                      | Lawfulness                                          |
| 3  | Collection limitation                     | Collection Limitation                      | Purpose Binding                                     |
| 4  | Data minimization                         | Collection Limitation                      | Purpose Binding, Necessity and Data Minimization    |
| 5  | Use, retention and disclosure limitation  | Use Limitation                             | Necessity and Data Minimization                     |
| 6  | Accuracy and quality                      | Data Quality                               | -                                                   |
| 7  | Openness, transparency and notice         | Openness                                   | Transparency and Openness                           |
| 8  | Individual participation and access       | Individual Participation                   | Right of the Individual                             |
| 9  | Accountability                            | Accountability                             | Accountability                                      |
| 10 | Information security                      | Security Safeguards                        | Information security                                |
| 11 | Privacy compliance                        | -                                          | -                                                   |
| -  | -                                         | -                                          | Data protection by design and by default            |
2.2. Privacy-by-Design

The concept of Privacy-by-Design (PbD) was first developed in the 1990s. Over the years, it has suggested that privacy can be better protected if it is embedded into the design specifications of technologies, business practices, and physical infrastructures³. Nowadays, because of the urgency in data protection, PbD has received even more proponents. ENISA is one of the organizations that advocate PbD. According to ENISA's definition, PbD is a process of implementing privacy and data protection principles, which involves not only technological but also organizational components [Danezis et al., 2014].

³ To view a detailed introduction to Privacy-by-Design, readers are suggested to visit: https://www.ipc.on.ca/english/privacy/introduction-to-pbd/

Privacy-Enhancing Technologies (PETs) are regarded as a toolkit to assist the implementation of PbD. PETs are defined as "coherent ICT measures that protect privacy by eliminating or reducing personal data, or by preventing unnecessary and/or undesired processing of personal data; all without losing the functionality of the data system" [Borking & Raab, 2001]. Standard technologies used for privacy protection are: pseudo-identity, encryption, digital signatures, privacy policy languages (P3P), etc. However, relying only on implementing PETs is far from sufficient to realize PbD [Heurix et al., 2015].
2.3. Privacy Impact Assessment

In the European Data Protection Directive [Directive 95/46/EC, 1995], Recital 71a claims: "Data protection impact assessments should consequently have regard to the entire lifecycle management of personal data".

One widely accepted deliverable of privacy safeguarding requirements is the Privacy Impact Assessment (PIA). Being a risk assessment tool for decision-makers, PIA is able to address legal as well as moral and ethical issues, and it helps to ring the privacy alarm for organizations at the planning stage [Flaherty, 2000]. A PIA checklist can be found at the Dutch Professional Association for IT-auditors (NOREA)⁴. This PIA checklist is based on the OECD privacy principles.

⁴ A presentation on NOREA PIA (cache): https://webcache.googleusercontent.com/search?q=cache:naeZQ1PHSr8J:https://www.pilab.nl/wp-content/uploads/2013/12/2013-12-05-PIL-Presentatie-PIA-namens-NOREA.pdf+&cd=6&hl=en&ct=clnk&gl=nl&client=safari

Up until today, more and more countries and alliances have set regulations to enforce PIA as a mandatory process.

In the report of Paul de Hert and his colleagues [De Hert, Kloza & Wright, 2012], the authors mentioned that PIA could run the risk of being too complicated and burdensome for organizations to conduct actual privacy acts. It is a fact that PIA will lead to increasing cost, which depends on the complexity and seriousness of the privacy risks. However, researchers hold an optimistic view on PIA, because PIA is valuable in reducing cost in terms of management time, legal expenses, and potential media or public concerns [Wright, 2013]. A 16-step optimized PIA methodology is also proposed in the same paper as an outline.
2.4. Related studies on Privacy Maturity
An ideal Privacy Maturity Model (PMM), in our opinion, should be more down-to-earth. It should be able to first suggest practical PbD activities, and then examine how privacy in an organization performs according to the maturity level of each activity as defined in the PMM. The PMM will then pragmatically guide organizations to implement privacy by design and by default, and thus benefit the control of PII.
Nowadays, due to the urgency of data protection, the number of studies that desire to analyze privacy activities and their maturity levels keeps increasing, and it becomes common to use the term "Privacy Maturity Model". However, these studies either focus on a relatively narrow domain, such as the study of A Privacy Maturity Model for Cloud Storage Service [Revoredo et al., 2014], or merely function as a legislation/management-oriented PIA. The PMM proposed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants [AICPA/CICA, 2011] is a good example of high-level guidelines, rather than a practical model that is easy to follow.
In addition to that, there also exist several published studies which have been using the terms PIA and PMM interchangeably. One example is the Privacy Maturity Assessment Framework of the New Zealand government [New Zealand government, 2014 (1) & (2)]. While the document claims itself to be "simple, pragmatic, and easy to use", the content does not reflect so, unless the user is enthusiastic about reading through pages of policies. Actually, this PMM contains more general risk-reducing strategies for decision makers, rather than an easy-to-follow action plan on PbD activities.
Moreover, Hinde proposed a PMM for assessing South African organizations' information privacy on the topic of Protection of Personal Information (PoPI) [Hinde, 2014]. But the emphasis of this dissertation was still privacy policies, and some discussions seemed to be too wide and off-topic.
To the best of our knowledge, a Privacy Maturity Model that assigns maturity levels to PbD activities according to their real performance still does not exist. Therefore, it is crucial to introduce such a model that can really assist organizations to recognize the maturity level of their privacy, to compare with same-industry organizations, or to implement sufficient PbD activities for a certain privacy maturity level.
2.5. Maturity Model as an Analogue
Developed by Carnegie Mellon University, the Capability Maturity Model Integration (CMMI) is used for process improvement by a wide range of domains and industries. CMMI v1.3 [CMMI v1.3, 2011] mentioned five maturity levels, namely Initial, Managed, Defined, Quantitatively Managed, and Optimizing. Maturity levels in different process areas may vary. For example, Risk Management has been integrated with maturity level three, while Organizational Performance Management has been integrated with maturity level five.
Apart from CMMI, two security maturity models have also been examined in order to develop the Privacy Maturity Model as an analogue. The first one is the Application Security Verification Standard 3.0, which provides a basis for testing web application technical security controls, as well as a list of secure development requirements for developers [OWASP ASVS 3.0, 2015]. OWASP ASVS v3.0 defined three levels for application security verification, and each level contains a list of security requirements. To reach a certain level, the software being analyzed should comply with all requirements under that level.
The second security maturity model is the Building Security In Maturity Model 6, which pays more attention to the management side of software security. By interviewing both security experts and 78 firms, BSIMM6 defined 4 domains for the Software Security Framework (SSF), namely: Governance, Intelligence, Secure Software Development Lifecycle (SSDL) Touchpoints, and Deployment. Each domain contains 3 practices and several software security activities. The SSF includes 112 activities in total, and each activity is assigned a certain maturity level according to its actual performance in the firms. Therefore, BSIMM can help organizations compare their software security maturity levels to those of others [BSIMM6, 2015].
3. Development of Privacy Maturity Model
The Privacy Maturity Model is valuable in examining to which level Privacy-by-Design is embedded into real-world ICT systems. Of course, in reality not all organizations are expected to achieve the same level of privacy maturity. For instance, while the privacy requirements for a library registration system may just be ranked as average among different industries, an insurance application system should reach a higher level of privacy maturity, since it collects, stores and processes much more sensitive PII (such as health conditions and bank details of individuals). But being a measuring instrument, the Privacy Maturity Model can benefit all organizations, i.e. they can receive not only a clear view of the status quo of their own system's privacy maturity, but also an instruction on how to better conduct activities to pursue a higher privacy maturity level.
As Figure 3.1 shows, the Privacy Maturity Model is formatted as a Privacy-by-Design checklist, in which different categories of PbD activities are arranged under the privacy principles they belong to. The ISO 29100 privacy principles are summarized and known as SIG privacy principles (which will be explained in Chapter 3.1). Furthermore, the model defines a list of maturity levels which increase in depth. Each PbD activity is assigned one of the maturity levels.
Figure [3.1]. The Composition of the Privacy Maturity Model
The following sections will explain the construction of the Privacy Maturity Model step by step.
3.1. The Merge of ISO 29100 Privacy Principles
An upfront and consistent understanding of privacy principles is valuable for a later attempt to generate PbD activities. Thus, the aim of this section is to provide the foundation for our study in terms of privacy principles.
It is obvious that ISO 29100's 11 privacy principles more or less overlap with each other in content. To enhance the consistency of our work, the 11 ISO 29100 principles have been grouped into 7 by an interpretation of the descriptions in the ISO 29100 Privacy Framework. Besides, the result of the grouping also aligns with ENISA's 9 privacy principles.
Table [3.1]. Summarizing ISO 29100 Privacy Principles

ISO 29100 Privacy Principle | Summarized Privacy Principle (SIG Principle) | collection | process | protection
Consent and choice; Purpose legitimacy and specification | Lawfulness & Consent | x | – | –
Data minimization | Data Minimization | x | – | –
Individual participation and access; Accuracy and quality | Individual Rights & Data Quality | x | – | –
Collection limitation; Use, retention and disclosure limitation | Purpose Binding & Limitation | – | x | –
Openness, transparency and notice | Transparency & Openness | – | x | –
Information security | Information Security | – | – | x
Privacy compliance; Accountability | Accountability & Compliance | – | – | x
The above table indicates a way of merging the ISO 29100 principles, with the aim of minimizing overlaps and redundancy.
• Consent and choice and Purpose legitimacy and specification are merged into Lawfulness & Consent, which means that PII should be collected with either the consent of the data subject or a legal requirement;
• Data minimization remains Data Minimization, which means only necessary PII should be collected;
• Individual participation and access and Accuracy and quality are merged into Individual Rights & Data Quality, which means PII should be kept up to date, and data subjects should be allowed to add, change or delete associated PII;
• Collection limitation and Use, retention and disclosure limitation are merged into Purpose Binding & Limitation, which means PII being collected should have a well-defined purpose as well as comply with legal requirements;
• Openness, transparency and notice becomes Transparency & Openness, which means the purposes of PII collection and processing should be publicly known;
• Information security remains Information Security, which means the confidentiality, integrity and availability of system information should be enforced;
• Finally, Privacy compliance and Accountability are merged into Accountability & Compliance, which means privacy-related responsibilities should be assigned and enforced.
The columns "collection", "process" and "protection" refer to the main stages where PII is involved. On a most-relevant basis, the merged principles are mapped onto these stages. In the PII collection stage, the principles that apply are: Lawfulness & Consent, Data Minimization, and Individual Rights & Data Quality. Later, when PII is being processed, the principles that apply are: Purpose Binding & Limitation and Transparency & Openness. Apart from PII collection and processing, PII protection must also not be neglected, and the principles that apply are: Information Security and Accountability & Compliance.
3.2. The Checklist of Privacy-by-Design Activities
In the ISO/IEC 29100 document, each privacy principle is followed by several suggestions, sometimes along with a few lines of description. For a specific privacy principle, the suggestions bring up guidelines for the adherent design and implementation of ICT systems; and the description instructs on how to conduct privacy-preserving activities, and sometimes contains additional information about legislation.
However, for a rather large number of organizations, the systematic implementation of PbD activities still remains pretty vague, because these organizations either do not have sufficient time/personnel to derive a to-do list by themselves, or conduct merely PIA and/or privacy auditing instead of Privacy-by-Design. Thus, a doable checklist of PbD activities becomes a premise for these organizations to get privacy right.
The checklist was generated iteratively. The following paragraphs explain the construction of the PbD checklist. The overall checklist is provided at the end of this section.
The original version of the PbD checklist was purely based on an interpretation of the ISO 29100 privacy principles, and contained 92 activities in total. Later, the size of the checklist expanded to 108: on the one hand, with a comparison between the ISO 29100-based activities and PRIPARE's suggestions on PbD activities [Le et al., 2015 (Annex B)], a few activities that were initially missing in our checklist but mentioned by PRIPARE were adopted. Some activities were also renamed according to the PRIPARE paper to enhance clarity. On the other hand, given the necessity of taking into account what is actually being conducted in reality, several activities were generated from a comprehension of the privacy policies of world-leading companies/organizations. 5 different industries were chosen: Communications, Accommodations, Banking, Transportation, and Consulting. All of the chosen companies/organizations have their operations bound by the European legal framework. In case of any future updates, the examined privacy policies have been archived.
A discussion with SIG's experts revealed that a number of PbD activities in checklist version 2 were overlapping with each other. The reason behind this problem was that, although these activities were lying under different ISO 29100 privacy principles, they actually described similar situations. Hence, the overlapping activities were either merged into one, or redefined to be distinctive from each other. In addition, SIG's experts considered that some activities generated from the policies were only applicable in one or two specific industries. Therefore, a few activities were removed due to their inapplicability in more than half of the industries that were looked into (that is, more than 3 out of 5).
The following tables present an overview of the finalized checklist.
Table [3.2]. Privacy-by-Design Activities: Lawfulness & Consent (LC)

Activity ID | Lawfulness & Consent (LC)
LC1 | Allow PII principal to freely opt-in and opt-out
LC2 | Define lawful purposes for collecting and processing PII before PII collection
LC3 | Notify PII principals about mandatory collection of PII (e.g. for legal purpose)
LC4 | Ensure PII principals understand the privacy policies before providing consent without special knowledge
LC5 | Provide easy to access and understandable information regarding PII collection
LC6 | Display notifications of privacy policies at the entrance of physical locations where PII is collected
LC7 | Collect PII in a privacy friendly way
LC8 | Specify the tracking technologies that have been used (cookies, web beacons, clicking behavior, etc.) for PII collection
LC9 | Notify PII principals that providing additional PII (e.g. for marketing purpose) is optional
LC10 | Obtain consent before using or disclosing PII
LC11 | Make provisions for PII principals to withdraw consent
LC12 | Inform PII principals about the consequences of approving or declining the consent
LC13 | Offer equitable conditions to PII principals who do not consent to provide PII
LC14 | Conduct activities on any PII only with user consent or on a legal basis
Table [3.3]. Privacy-by-Design Activities: Data Minimization (DM)

Activity ID | Data Minimization (DM)
DM1 | Minimize PII collected for each purpose
DM2 | Separate the storage of PII collected from different sources
DM3 | Set up aggregation mechanisms before PII processing and storage
DM4 | Set up anonymization mechanisms before PII collection, processing and storage
Table [3.4]. Privacy-by-Design Activities: Individual rights & Data Quality (IRDQ)

Activity ID | Individual rights & Data quality (IRDQ)
IRDQ1 | Collect PII directly from PII principals whenever possible
IRDQ2 | Only collect PII from sources whose reliability can be attested
IRDQ3 | Make sure that the automatically generated PII does not lead to false judgements
IRDQ4 | Allow PII principals to access their individualized PII stored in the system
IRDQ5 | Allow PII principals to amend, correct and remove their own PII
IRDQ6 | Allow PII principals to object to the collection, processing, and sharing of their PII at any time
IRDQ7 | Enable timely and free-of-charge individual participation
IRDQ8 | Check regularly the accuracy, completeness, up-to-dateness, adequacy and relevance of PII
IRDQ9 | Provide PII changes in time to any relevant privacy stakeholders
IRDQ10 | Record the unresolved PII challenges
IRDQ11 | Inform privacy stakeholders in time about the unresolved PII challenges
Table [3.5]. Privacy-by-Design Activities: Purpose binding & limitation (PBL)

Activity ID | Purpose binding & limitation (PBL)
PBL1 | Notify PII principals about the legal reason for mandatory processing of PII
PBL2 | Identify and document the purposes for conducting activities involving PII
PBL3 | Define and document the purposes and technologies used for PII processing
PBL4 | Inform PII principals/service users about the purposes/services for which PII is used
PBL5 | Periodically evaluate the alignment between PII and its purpose
PBL6 | Exclude unnecessary PII which needs to be retained from regular processing
PBL7 | Reveal PII principals' identity as little as possible (e.g. avoid creating de-anonymized profiles)
PBL8 | Delete and dispose of non-purpose-binding PII and back-ups as soon as the purpose expires
PBL9 | Retain PII for a limited time span only as needed or as required by law
PBL10 | Evaluate whether the privacy policy needs to be expanded for sharing new types of PII
Table [3.6]. Privacy-by-Design Activities: Transparency & Openness (TO)

Activity ID | Transparency & Openness (TO)
TO1 | Document the type of PII collected
TO2 | Define any cases that may disclose PII
TO3 | Make PII processing explicitly announced and described
TO4 | Specify policies and practices about publicly available PII
TO5 | Ensure the policy is available in any natural languages that PII principals might use
TO6 | Inform PII principals about their rights and choices
TO7 | Provide contact information for questions and complaints
TO8 | Inform PII principals about privacy stakeholders and the PII controller
TO9 | Archive and provide easy access to the historical versions of the policy
TO10 | Design and maintain a Privacy Dashboard
TO11 | Make sure the PII principal read the privacy notice (by implementing an affordance)
TO12 | Specify a PII decommission plan in the system design
Table [3.7]. Privacy-by-Design Activities: Information Security (IS)

Activity ID | Information Security (IS)
IS1 | Restrict the number of PII stakeholders and their access to the minimum need of PII
IS2 | Minimize risks such as unauthorized access, destruction, use, modification, disclosure or loss
IS3 | Conduct attack surface analysis and privacy threat modeling
IS4 | Identify and prioritize privacy threats
IS5 | Validate and verify the system's alignment with the privacy requirements
IS6 | Define privacy requirements explicitly
IS7 | Design and implement adequate Privacy-Enhancing Technologies (PETs)
IS8 | Prevent third parties from profiling PII
Table [3.8]. Privacy-by-Design Activities: Accountability & Compliance (AC)

Activity ID | Accountability & Compliance (AC)
AC1 | Notify PII principals about privacy breaches
AC2 | Notify the Supervisory Authority when there are privacy breaches
AC3 | Provide sanction and/or remedy procedures for privacy breaches
AC4 | Place internal controls that align with external supervision mechanisms
AC5 | Specify an entity responsible for privacy related issues
AC6 | Arrange regular personnel training
AC7 | Check regularly if security safeguards are up-to-date
AC8 | Set up policy for internal PII sharing
AC9 | Choose reliable PII processors that have an equivalent privacy maturity
AC10 | Specify the responsibilities of external entities
AC11 | Minimize PII shared with external entities
AC12 | Inform PII principals about sharing their PII
AC13 | Conduct privacy risk assessments (PIA) and implement periodic review and reassessment
AC14 | Implement PII protection mechanisms when conducting testing, research or training
AC15 | Conduct either internal or third-party privacy auditing
AC16 | Cooperate with supervisory and regulatory authorities
3.3. Privacy Maturity Levels
Maturity levels 1 to 3 are defined for the Privacy Maturity Model. The maturity levels increase in depth:
• Level 1 is the initial privacy maturity level. It requires the implementation of both the most fundamental PbD activities regardless of industry, and the law-binding PbD activities. Level 1 is regarded as the privacy level for all companies/organizations to achieve in order to "make privacy work".
• Level 2 is the standard privacy maturity level, which is for data-sensitive companies/organizations to reach. It requires the implementation of all PbD activities from Level 1, plus a list of PbD best practices regarding the privacy status quo;
• Level 3 is the cutting-edge privacy maturity level. To reach Level 3, a company/organization should not only implement all PbD activities from the previous two maturity levels, but also more advanced ones, which are supposed to be more proactive acts and to cost more resources (i.e. time, money and knowledge) in theory.
To reach any of the maturity levels, the requirements on the implementation of PbD activities differ. The requirement for each maturity level is defined accordingly, namely Basic, Intermediate, and Advanced.
• Basic (B) is the minimum privacy requirement. It refers to a PbD activity that is either mandatory for legal reasons, or is expected (by expert opinion) to be implemented by every organization regardless of which industry the organization belongs to. Besides, a Basic activity is always easy to implement, in terms of lower costs. Sometimes a Basic activity is the precondition for Intermediate and/or Advanced activities;
• Intermediate (I) is the average privacy requirement. It refers to a PbD activity that has not yet been set as mandatory by laws/regulations, but the prerequisite for implementing that activity does not significantly vary from industry to industry. An Intermediate PbD activity is expected to be implemented by around half of the overall population in the real world. In a few cases, an Intermediate activity is a precondition for Advanced activities;
• Advanced (A) is the most complex privacy requirement. It refers to a PbD activity that is neither mandated by law, nor considered to be popular with the majority yet, and the implementation rate can be strongly distinctive among different industries.
For the classification of PbD activities, 3 indicators are analyzed: Mandatory, Popularity, and Complexity. A comparison of the 3 privacy requirements can be found in the following table:
Table [3.9]. A Comparison of Privacy Requirements

Indicator | Basic | Intermediate | Advanced
Mandatory | In most cases* | Non-mandatory | Non-mandatory
Popularity | High | Medium | Low
Complexity | Low | Medium | High
*: Mandatory is a sufficient (but not necessary) condition for a Basic PbD activity.
Then, each PbD activity in the checklist is matched with one of the requirements. In order to examine the indicators Popularity and Complexity, previous real-world privacy policies were also taken into account. The result has been validated along with SIG expert opinions.
In the end, each of the 75 PbD activities received a matching: in total, 23 being Basic, 28 being Intermediate, and 24 being Advanced. This distribution aligns with the status quo of the implementation of PbD activities.
Table 3.10 presents the classification of PbD activities in terms of the different requirements. Under each privacy principle, the 3 columns stand for Basic, Intermediate, and Advanced from left to right, which are marked by the colors yellow, green, and blue, respectively.
Table [3.10]. Privacy Maturity Levels of PbD Activities

Privacy Principle | Basic | Intermediate | Advanced
Lawfulness & Consent (LC) | LC1, LC2, LC3, LC4, LC5, LC13, LC14 | LC6, LC7, LC8, LC9, LC10, LC11 | LC12
Data Minimization (DM) | – | DM1 | DM2, DM3, DM4
Individual rights & Data quality (IRDQ) | IRDQ1, IRDQ4, IRDQ5 | IRDQ2, IRDQ7, IRDQ9 | IRDQ3, IRDQ6, IRDQ8, IRDQ10, IRDQ11
Purpose binding & limitation (PBL) | PBL1, PBL2 | PBL3, PBL4, PBL5, PBL8, PBL9, PBL10 | PBL6, PBL7
Transparency & Openness (TO) | TO6, TO7, TO8 | TO3, TO4, TO5 | TO1, TO2, TO9, TO10, TO11, TO12
Information Security (IS) | IS1, IS2 | IS3, IS4, IS5 | IS6, IS7, IS8
Accountability & Compliance (AC) | AC1, AC2, AC3, AC4, AC5, AC12 | AC6, AC7, AC10, AC11, AC13, AC16 | AC8, AC9, AC14, AC15
3.4. The Privacy Questionnaire
As discussed in the Research Methods section (Chapter 1.4), the validation of the Privacy Maturity Model relies on a privacy questionnaire that collects information about real-world IT systems. Initially, SIG provided the study with a draft version of the privacy questionnaire (v1.1), which contained 35 questions in total. Later, based on the iterative matching with the PbD checklist, the questionnaire was enlarged to 50 questions.
The questionnaire contains a combination of closed-end and open-end questions. With closed-end questions, the participants are required to pick the choice(s) that could most closely describe the status quo of their system. With open-end questions, the participants are required to specify the unique aspect(s) of their system.
The sequence of questions follows the 3 stages of the PII workflow (which have been specified in Chapter 3.1). Questions under each PII workflow stage are further grouped to indicate different privacy principles. A separate section is added at the end of the questionnaire to collect information about the system design and implementation. Below is an outline of the questionnaire, with each section followed by the number of questions asked in that part.
Figure [3.2]. Outline of the Privacy Questionnaire

Privacy Questionnaire
  Questionnaire
    Data Collection
      1. Data Minimization (5)
      2. Lawfulness & Consent (7)
      3. Individual rights & Data Quality (7)
    Data Processing
      4. Purpose binding & limitation (4)
      5. Transparency & Openness (5)
    Data Protection
      6. Information Security (4)
      7. Accountability & Compliance (12)
    Design and Implementation (6)
  System information
  Appendix

The 50 questions ensure all the 75 PbD activities in our checklist are measurable; the mapping between the PbD activities and the questions is multiple-to-multiple. In some cases, one PbD activity refers to multiple questions; in others, several PbD activities are measured by one question. Besides, some questions are system-specific for gaining an impression of the context. Examples of the different question types are given in the following tables.
Table [3.18]. Question Example 1: One Activity – Multiple Questions

Question 6. Which of the following activities regarding data collection are performed by the organization? (Please check all that apply.)
Activity ID | Options
LC2 | The organization defines lawful purposes for collecting and processing PII before PII collection;
LC3 | The organization notifies PII principals about mandatory collection of PII (e.g. for legal purpose);
LC4 | The organization ensures that data subjects understand the privacy policies when giving consent upon PII collection;
LC5 | The organization provides understandable information regarding PII purpose and collection;
LC6 | Upon PII collection, the organization displays notifications of the associated privacy policies.
Table [3.19]. Question Example 2: Multiple Activities – One Question

Activity ID: AC11
Question 39.c. (If the organisation shares PII with external entities) with which type of organisation(s) is PII shared? (Please check all that apply)
Options:
  Outsourced IT partner
  Legal entity
  Government
  Other(s)
Question 39.d. If yes, how often is the PII shared with external parties?
Options:
  One time
  Periodically
  Continuously
Table [3.20]. Question Example 3: System-specific Question

Question 45. Does the organization host the application within its own premises?
Options:
  Yes, the organization locally hosts and manages the application and all elements that interact with it (e.g.: data stores, proxy, firewall, etc.);
  Yes, the organization hosts the application within its own premises, but an external party is responsible for managing the application and all its associated elements;
  No, the organization does not host the application and an external party is responsible for managing the application and all its associated elements;
  Others:
3.5. The Evaluation Framework
Based on the system facts collected by the privacy questionnaire, the PbD checklist can be reviewed and evaluated.
The evaluation of privacy maturity is two-fold: firstly, compliance with the privacy maturity levels will be checked; secondly, an action plan will be provided to the company/organization. The two parts function together to give insight on which PbD activities are currently being implemented, and therefore encourage the company/organization to move towards a higher privacy maturity level.
3.5.1. Compliance with Privacy Maturity Levels
Instead of merely providing an overall result of compliance based on the whole model, the evaluation aims to provide a series of results based on each of the 7 privacy principles.
Rules for full compliance with a specific privacy principle are defined as below:
• Full compliance with Privacy Maturity Level 1 is achieved by a 100% implementation of Basic PbD activities;
• Full compliance with Privacy Maturity Level 2 is achieved on top of full compliance with Level 1, but also requires a 100% implementation of Intermediate PbD activities;
• Full compliance with Privacy Maturity Level 3 is achieved on top of full compliance with Level 2, but also requires a 100% implementation of Advanced PbD activities.
The above rules indicate that only when a system/application reaches full compliance with the previous maturity level can compliance with the next level be achieved.
If a system does not fully implement the Basic PbD activities required by Level 1, then it is regarded as Level 1 non-compliance. Any unimplemented Intermediate or Advanced PbD activities under a specific privacy principle will stop it from being Level 2 or Level 3 full compliance, respectively; these cases are thus classified as non-compliance with that privacy maturity level, and therefore the result will degrade to the previous level.
The privacy maturity level determination process is depicted in the following flowchart:
Figure [3.3]. The Composition of the Privacy Maturity Model
The tables below represent the full compliance circumstances of each privacy principle. Note that the privacy maturity evaluation always starts from the minimum level. Only when all PbD activities under the minimal privacy requirement (Basic) are "checked", or in other words, full compliance with Level 1 is achieved, can the evaluation move forward to the next level. Since the privacy maturity levels are in line with the privacy requirements (see Chapter 3.3), the same color set {yellow, green, and blue} has been adopted in the following tables to represent the conditions for achieving the different maturity levels.
Table [3.11]. Evaluation of Compliance: Lawfulness & Consent (LC)

Activity ID | Lawfulness & Consent (LC) | L1 | L2 | L3
LC1 | Allow PII principal to freely opt-in and opt-out | ✓ | ✓ | ✓
LC2 | Define lawful purposes for collecting and processing PII before PII collection | ✓ | ✓ | ✓
LC3 | Notify PII principals about mandatory collection of PII (e.g. for legal purpose) | ✓ | ✓ | ✓
LC4 | Ensure PII principals understand the privacy policies before providing consent without special knowledge | ✓ | ✓ | ✓
LC5 | Provide easy to access and understandable information regarding PII collection | ✓ | ✓ | ✓
LC6 | Display notifications of privacy policies at the entrance of physical locations where PII is collected | ✓ | ✓ | ✓
LC7 | Collect PII in a privacy friendly way | – | ✓ | ✓
LC8 | Specify the tracking technologies that have been used (cookies, web beacons, clicking behavior, etc.) for PII collection | – | ✓ | ✓
LC9 | Notify PII principals that providing additional PII (e.g. for marketing purpose) is optional | – | ✓ | ✓
LC10 | Obtain consent before using or disclosing PII | – | ✓ | ✓
LC11 | Make provisions for PII principals to withdraw consent | – | ✓ | ✓
LC12 | Inform PII principals about the consequences of approving or declining the consent | – | ✓ | ✓
LC13 | Offer equitable conditions to PII principals who do not consent to provide PII | – | – | ✓
LC14 | Conduct activities on any PII only with user consent or on a legal basis | ✓ | ✓ | ✓
Table [3.12]. Evaluation of Compliance: Data Minimization (DM)

Activity ID | Data Minimization (DM) | L1 | L2 | L3
DM1 | Minimize PII collected for each purpose | – | ✓ | ✓
DM2 | Separate the storage of PII collected from different sources | – | – | ✓
DM3 | Set up aggregation mechanisms before PII processing and storage | – | – | ✓
DM4 | Set up anonymization mechanisms before PII collection, processing and storage | – | – | ✓
Table [3.13]. Evaluation of Compliance: Individual rights & Data Quality (IRDQ)

Activity ID | Individual rights & Data quality (IRDQ) | L1 | L2 | L3
IRDQ1 | Collect PII directly from PII principals whenever possible | ✓ | ✓ | ✓
IRDQ2 | Only collect PII from sources whose reliability can be attested | – | ✓ | ✓
IRDQ3 | Make sure that the automatically generated PII does not lead to false judgements | – | – | ✓
IRDQ4 | Allow PII principals to access their individualized PII stored in the system | ✓ | ✓ | ✓
IRDQ5 | Allow PII principals to amend, correct and remove their own PII | ✓ | ✓ | ✓
IRDQ6 | Allow PII principals to object to the collection, processing, and sharing of their PII at any time | – | – | ✓
IRDQ7 | Enable timely and free-of-charge individual participation | – | ✓ | ✓
IRDQ8 | Check regularly the accuracy, completeness, up-to-dateness, adequacy and relevance of PII | – | – | ✓
IRDQ9 | Provide PII changes in time to any relevant privacy stakeholders | – | ✓ | ✓
IRDQ10 | Record the unresolved PII challenges | – | – | ✓
IRDQ11 | Inform privacy stakeholders in time about the unresolved PII challenges | – | – | ✓
Table [3.14]. Evaluation of Compliance: Purpose binding & limitation (PBL)

Activity ID | Purpose binding & limitation (PBL) | L1 | L2 | L3
PBL1 | Notify PII principals about the legal reason for mandatory processing of PII | ✓ | ✓ | ✓
PBL2 | Identify and document the purposes for conducting activities involving PII | ✓ | ✓ | ✓
PBL3 | Define and document the purposes and technologies used for PII processing | – | ✓ | ✓
PBL4 | Inform PII principals/service users about the purposes/services for which PII is used | – | ✓ | ✓
PBL5 | Periodically evaluate the alignment between PII and its purpose | – | ✓ | ✓
PBL6 | Exclude unnecessary PII which needs to be retained from regular processing | – | – | ✓
PBL7 | Reveal PII principals' identity as little as possible (e.g. avoid creating de-anonymized profiles) | – | – | ✓
PBL8 | Delete and dispose of non-purpose-binding PII and back-ups as soon as the purpose expires | – | ✓ | ✓
PBL9 | Retain PII for a limited time span only as needed or as required by law | – | ✓ | ✓
PBL10 | Evaluate whether the privacy policy needs to be expanded for sharing new types of PII | – | ✓ | ✓
Table [3.15]. Evaluation of Compliance: Transparency & Openness (TO)

Activity ID | Transparency & Openness (TO) | L1 | L2 | L3
TO1 | Document the type of PII collected | – | – | ✓
TO2 | Define any cases that may disclose PII | – | – | ✓
TO3 | Make PII processing explicitly announced and described | – | ✓ | ✓
TO4 | Specify policies and practices about publicly available PII | – | ✓ | ✓
TO5 | Ensure the policy is available in any natural languages that PII principals might use | – | ✓ | ✓
TO6 | Inform PII principals about their rights and choices | ✓ | ✓ | ✓
TO7 | Provide contact information for questions and complaints | ✓ | ✓ | ✓
TO8 | Inform PII principals about privacy stakeholders and the PII controller | ✓ | ✓ | ✓
TO9 | Archive and provide easy access to the historical versions of the policy | – | – | ✓
TO10 | Design and maintain a Privacy Dashboard | – | – | ✓
TO11 | Make sure the PII principal read the privacy notice (by implementing an affordance) | – | – | ✓
TO12 | Specify a PII decommission plan in the system design | – | – | ✓
Table [3.16]. Evaluation of Compliance: Information Security (IS)

Activity ID | Information Security (IS) | L1 | L2 | L3
IS1 | Restrict the number of PII stakeholders and their access to the minimum need of PII | ✓ | ✓ | ✓
IS2 | Minimize risks such as unauthorized access, destruction, use, modification, disclosure or loss | ✓ | ✓ | ✓
IS3 | Conduct attack surface analysis and privacy threat modeling | – | ✓ | ✓
IS4 | Identify and prioritize privacy threats | – | ✓ | ✓
IS5 | Validate and verify the system's alignment with the privacy requirements | – | ✓ | ✓
IS6 | Define privacy requirements explicitly | – | – | ✓
IS7 | Design and implement adequate Privacy-Enhancing Technologies (PETs) | – | – | ✓
IS8 | Prevent third parties from profiling PII | – | – | ✓
Table [3.17]. Evaluation of Compliance: Accountability & Compliance (AC)

Activity ID | Accountability & Compliance (AC) | L1 | L2 | L3
AC1 | Notify PII principals about privacy breaches | ✓ | ✓ | ✓
AC2 | Notify the Supervisory Authority when there are privacy breaches | ✓ | ✓ | ✓
AC3 | Provide sanction and/or remedy procedures for privacy breaches | ✓ | ✓ | ✓
AC4 | Place internal controls that align with external supervision mechanisms | ✓ | ✓ | ✓
AC5 | Specify an entity responsible for privacy related issues | ✓ | ✓ | ✓
AC6 | Arrange regular personnel training | – | ✓ | ✓
AC7 | Check regularly if security safeguards are up-to-date | – | ✓ | ✓
AC8 | Set up policy for internal PII sharing | – | – | ✓
AC9 | Choose reliable PII processors that have an equivalent privacy maturity | – | – | ✓
AC10 | Specify the responsibilities of external entities | – | ✓ | ✓
AC11 | Minimize PII shared with external entities | – | ✓ | ✓
AC12 | Inform PII principals about sharing their PII | ✓ | ✓ | ✓
AC13 | Conduct privacy risk assessments (PIA) and implement periodic review and reassessment | – | ✓ | ✓
AC14 | Implement PII protection mechanisms when conducting testing, research or training | – | – | ✓
AC15 | Conduct either internal or third-party privacy auditing | – | – | ✓
AC16 | Cooperate with supervisory and regulatory authorities | – | ✓ | ✓
3.5.2. The Action Plan
Compliance with privacy maturity levels reflects how well an ICT system or application is doing in terms of privacy protection. Apart from that, having an action plan that provides feedback and tailored suggestions is crucial for companies and organizations; although the Privacy Maturity Model shows maturity levels under 7 privacy principles, it is believed that companies and organizations would like to know the meaning behind the results, as well as how to conduct PbD activities in a more consistent way.
The potential benefits of having an action plan along with the maturity results can be distinguished as follows: firstly, a list of unimplemented PbD activities can be identified from the specific answers to the questionnaire; secondly, a prioritization of these unimplemented PbD activities can be determined by conducting a risk analysis based on relevant factors (such as likelihood/impact/cost, etc.). However, since each company/organization has its own specifics in terms of business resources, how to calibrate the risk management process will not be further discussed in this Privacy Maturity Model research.
4. Case Studies
Figure 4.1 represents a flowchart about the adoption of the Privacy Maturity Model. It will be described in detail in the following sections.
Figure [4.1]. Process of Adopting the Privacy Maturity Model
4.1. Outcomes of Case Study
Overall, two case studies have been performed to analyze the Privacy Maturity Model. Out of consideration for protecting the participants from being disclosed, the two participants will be anonymized and referred to as Organization X and Company Y throughout the text. Organization X resides in the Dutch Government sector (51–200 employees, retrieved from the organization's LinkedIn page); Company Y is a leading Dutch company in the Utilities industry (1,001–5,000 employees, retrieved from the company's LinkedIn page).
Both participants answered the privacy questionnaire in the first place, each with their own system serving their core business operations. Later, an interview with Company Y was also conducted (Chapter 4.2 will focus on this interview). The two sets of responses to the questionnaire are processed in the same way: first of all, the answers are mapped into the PbD checklist. Then, the implementation of PbD activities is checked by the evaluation framework mentioned in Chapter 3.5.
One thing that needs to be clarified before showing the maturity level results is that, in both case studies, there are a few questions that haven't been answered. This is due to the iterative improvement of the privacy questionnaire, i.e., new questions have been added. Comparatively, Company Y participated in a later stage of this research, so they have fewer unanswered questions than Organization X. These unanswered questions lead to an unknown implementation status of PbD activities. The way of dealing with this situation is to check the unanswered questions additionally. Take the privacy requirement Basic as an example: this means that if the question(s) mapping into a Basic PbD activity are unanswered, which indicates that the implementation of that Basic activity is unknown, then the privacy maturity will be considered as Level 1: partial compliance rather than Level 1: full compliance, even though it might be the case that the rest of the Basic activities are fully implemented.
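The level-by-level rules of Chapter 3.5.1 together with the treatment of unanswered questions described above, carried through in Python as an added example (not code from the thesis or from SIG). The question ids other than Question 6, the encoding of answers as sets of evidenced activities, the rule that an activity evidenced by several questions must be confirmed by all of them, and the vacuous treatment of an empty level are assumptions made for this example.

```python
"""Maturity level determination for one set of questionnaire answers.

Added illustration of the evaluation rules in Chapter 3.5.1 and of the
treatment of unanswered questions in Chapter 4.1. Example code, not the
thesis's or SIG's own tooling. Assumptions not stated by the thesis: the
data structures and function names, that an activity evidenced by several
questions counts as implemented only when every one of them confirms it,
that a level with no activities is vacuously satisfied, and all question
ids except Question 6 (which follows Table 3.18).
"""
from enum import Enum


class Status(Enum):
    IMPLEMENTED = "implemented"
    UNIMPLEMENTED = "unimplemented"
    UNKNOWN = "unknown"  # at least one mapped question was left unanswered


# Requirement per activity, read off Tables 3.11 (LC) and 3.16 (IS):
# three ticks = Basic, two ticks = Intermediate, one tick = Advanced.
CHECKLIST = {
    "LC": {"LC1": "B", "LC2": "B", "LC3": "B", "LC4": "B", "LC5": "B", "LC6": "B",
           "LC7": "I", "LC8": "I", "LC9": "I", "LC10": "I", "LC11": "I", "LC12": "I",
           "LC13": "A", "LC14": "B"},
    "IS": {"IS1": "B", "IS2": "B", "IS3": "I", "IS4": "I", "IS5": "I",
           "IS6": "A", "IS7": "A", "IS8": "A"},
}
# Basic -> Level 1, Intermediate -> Level 2, Advanced -> Level 3 (Chapter 3.3).
LEVEL_OF = {"B": 1, "I": 2, "A": 3}

# Multiple-to-multiple mapping (Chapter 3.4): each question lists the activities
# its options can evidence. Question 6 follows Table 3.18; Q7-Q11 and Q30-Q32
# are constructed for this example. LC10 is deliberately evidenced by two
# questions (the "one activity - multiple questions" case).
QUESTION_EVIDENCES = {
    "Q6": ["LC2", "LC3", "LC4", "LC5", "LC6"],
    "Q7": ["LC1", "LC14"],
    "Q8": ["LC7", "LC8", "LC9"],
    "Q9": ["LC10", "LC11", "LC12"],
    "Q10": ["LC13"],
    "Q11": ["LC10"],
    "Q30": ["IS1", "IS2"],
    "Q31": ["IS3", "IS4", "IS5"],
    "Q32": ["IS6", "IS7", "IS8"],
}


def activity_status(activity, answers):
    """Map the answers onto one checklist activity.

    `answers` maps a question id to the set of activities evidenced by the
    options the participant checked, or to None for an unanswered question.
    """
    questions = [q for q, acts in QUESTION_EVIDENCES.items() if activity in acts]
    if any(answers.get(q) is None for q in questions):
        return Status.UNKNOWN
    if all(activity in answers[q] for q in questions):
        return Status.IMPLEMENTED
    return Status.UNIMPLEMENTED


def maturity_level(principle, statuses):
    """Apply the Chapter 3.5.1 rules for one principle, from Level 1 upwards.

    Full compliance with a level needs every activity of that level (and of
    the lower levels) implemented. An unimplemented activity stops the walk:
    at Level 1 that is non-compliance, higher up the result degrades to full
    compliance with the previous level. If nothing is unimplemented but some
    activity is unknown, the level counts as partial compliance (Chapter 4.1).
    """
    for level in (1, 2, 3):
        tier = [statuses[a] for a, req in CHECKLIST[principle].items()
                if LEVEL_OF[req] == level]
        if Status.UNIMPLEMENTED in tier:
            return ("Level 1: non-compliance" if level == 1
                    else f"Level {level - 1}: full compliance")
        if Status.UNKNOWN in tier:
            return f"Level {level}: partial compliance"
    return "Level 3: full compliance"


def evaluate(answers):
    """Return the maturity result for every principle in CHECKLIST."""
    return {
        principle: maturity_level(principle, {a: activity_status(a, answers) for a in acts})
        for principle, acts in CHECKLIST.items()
    }


# Constructed answers of a fictitious system: LC11 (withdraw consent) is not
# checked in Q9, and Q32 was left unanswered, so IS6-IS8 are unknown.
SAMPLE_ANSWERS = {
    "Q6": {"LC2", "LC3", "LC4", "LC5", "LC6"},
    "Q7": {"LC1", "LC14"},
    "Q8": {"LC7", "LC8", "LC9"},
    "Q9": {"LC10", "LC12"},
    "Q10": {"LC13"},
    "Q11": {"LC10"},
    "Q30": {"IS1", "IS2"},
    "Q31": {"IS3", "IS4", "IS5"},
    "Q32": None,
}

if __name__ == "__main__":
    for principle, result in evaluate(SAMPLE_ANSWERS).items():
        print(f"{principle}: {result}")  # LC: Level 1: full compliance, IS: Level 3: partial compliance
```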
41
4.1.1. Case Study 1
The following table indicates the privacy maturity levels received by Organization X:
Table [4.4]. Privacy Maturity Levels: Organization X
Privacy Principles                          Maturity Level
Lawfulness & Consent (LC)                   Level 1: partial compliance
Data Minimization (DM)                      Level 1: non-compliance
Individual rights & Data quality (IRDQ)     Level 2: partial compliance
Purpose binding & limitation (PBL)          Level 1: partial compliance
Transparency & Openness (TO)                Level 1: non-compliance
Information Security (IS)                   Level 1: partial compliance
Accountability & Compliance (AC)            Level 1: non-compliance
4.1.2. Case Study 2
The following table indicates the privacy maturity levels received by Company Y:
Table [4.5]. Privacy Maturity Levels: Company Y
Privacy Principles                          Maturity Level
Lawfulness & Consent (LC)                   Level 2: full compliance
Data Minimization (DM)                      Level 2: full compliance
Individual rights & Data quality (IRDQ)     Level 3: partial compliance
Purpose binding & limitation (PBL)          Level 2: partial compliance
Transparency & Openness (TO)                Level 2: full compliance
Information Security (IS)                   Level 3: partial compliance
Accountability & Compliance (AC)            Level 3: full compliance
4.2. Feedback on the Privacy Maturity Model
After filling out the questionnaire, Company Y showed willingness to participate in a further discussion on the privacy topic. This was mainly because, while filling out the questionnaire, Company Y encountered several situations where the system facts were ambiguous rather than black-and-white. Therefore, a face-to-face discussion was planned between SIG privacy researchers and the Chief Privacy Officer of Company Y, along with his colleague, the Security Officer.
During the meeting, fundamental information was briefly shared with Company Y, such as the initial motivation for this research on privacy, the overall research process, the summary of privacy principles, and the distribution of PbD activities under each privacy principle. Then, the answers provided by Company Y were reviewed together. On the one hand, SIG experts pointed out several cases where Company Y might have misunderstood the questions, and these cases were clarified during the discussion; on the other hand, Company Y substantiated their answers by explaining more about the system facts.
Most crucially, the meeting with Company Y revealed that having the Privacy Maturity Model in place will be valuable in guiding the implementation of PbD activities. The opinions held by Company Y are three-fold, each followed by a brief explanation:
• Overall, having a roadmap for solving privacy issues is of increasingly high importance to modern organizations. Although many privacy acts have been made mandatory, it is still rare that an organization readily owns a privacy checklist containing best practices to follow. To create a to-do list for privacy, the organization has to either develop it in-house or hire someone from outside. Both are expensive and time-consuming, and might run the risk of getting involved with red tape or lawyers;
• Implementing only Privacy-Enhancing Technologies will not always be sufficient for the protection of personal data, especially sensitive data. Apart from purely implementing PETs, emerging issues such as governance and compliance are crucial for the organization to solve. Besides, customers are becoming more and more eager to protect their PII, which requires the organization to be more transparent in sharing information on how PII is used;
• Organizations need to be aware of, and think more about, how to provide services as much as possible with less PII. The organization should always ask itself the question “Is the PII we collect really necessary for providing the service?”. Previously, the trend was “collect as much data as possible at first, and think about how to use the data later”; but nowadays, the organization is warned by the fact that the more PII it holds, the larger the amount of compensation it has to pay once a data breach happens.
Regarding the above opinions provided by Company Y, it is convincing that the Privacy Maturity Model will be able not only to act as guidance for conducting PbD activities, but also to better prevent cases such as relying on PETs as a panacea, or “act before think”, from happening.
4.3. Findings from Case Studies
The focus of this section is on presenting the findings in terms of privacy issues when applying the Privacy Maturity Model. Apart from describing the problems that occurred in the two case studies, this section also explains the reasons behind those problems and proposes possible solutions.
4.3.1. Non-Compliance with Basic Activities
When looking at the maturity levels of Organization X, it appears that compliance with Privacy Maturity Level 1 has not been fulfilled by the system under 3 privacy principles: Lawfulness & Consent, Transparency & Openness, and Accountability & Compliance. This means that the system is missing the implementation of some Basic PbD activities, which should be the most common privacy practices, or might even be mandated by law.
The reason behind non-compliance with Level 1 is that Organization X is undergoing a system redesign. The previous version of their system was launched far ahead of the recent release of the GDPR (April 2016), so there exist quite a few issues that do not comply with the new privacy regulation. According to the communication between SIG and Organization X, non-compliance issues lie not only in the system design, but also in X's organizational procedures. The positive side of this case study is that Organization X will take the evaluation results into serious consideration and regard them as input for the system redesign.
4.3.2. The Non-Applicable Activities
There exist a few situations in which a PbD activity is not applicable to the specific system. For example, under the privacy principle Accountability & Compliance, one Basic PbD activity is “Make sure the automatically generated PII does not lead to false judgements”. But in reality, since the analyzed systems of our participants do not generate PII automatically, this activity is regarded as not applicable in both case studies.
When going through the process of matching answers to the PbD checklist, both participants had around 3 non-applicable PbD activities. These non-applicable activities have not been taken into consideration for the evaluation. Therefore, they do not hamper the determination of privacy maturity levels.
4.3.3. Overall Comparison of the Case Studies
Before sending out the privacy questionnaire, it was known that Company Y places more emphasis on privacy than Organization X. Therefore, the results of their privacy maturity levels are in line with the expectation.
The results also show that both participants have reached a higher maturity level in Individual Rights & Data Quality as well as Information Security. The interpretation of this result is that these two privacy principles cover more PbD activities that can be labeled as “do's” rather than “notices”. Since Organization X and Company Y are both willing to get privacy right, the implementation rate of “do's” is high. However, it might sometimes be the case that organizations only focus on implementing, but forget to put those “do's” into documentation. Although privacy principles such as Transparency & Openness suggest PbD activities that are more about publishing policies, they are regarded as of equal importance in the Privacy Maturity Model. To enhance the maturity level of these previously neglected privacy principles, both participants should focus more on the “notices” in the future.
5. Discussions
This chapter first aims to provide refinements to the Privacy Maturity Model based on the company interview. Later, this chapter presents discussions on alternative approaches to conducting the evaluation framework of the Privacy Maturity Model.
5.1. Refinement of the Privacy Maturity Model
During the interview with Company Y, the participants were encouraged to share their opinions on the Privacy Maturity Model. The Chief Privacy Officer voiced a concern with part of the model: according to the distribution of PbD activities under the Data Minimization principle, it might be confusing to have zero Basic activities for Maturity Level 1. Once a company implements nothing under Data Minimization, it can be judged as both non-compliant with Level 1 and non-compliant with Level 2.
Thus, a discussion on this activity distribution issue took place with SIG experts. Because there are only 4 PbD activities under the Data Minimization principle, a comparison of the maturity of each activity was made. As a result, activity DM1 was re-assigned as a Basic activity, and DM2 was re-assigned as an Intermediate activity. This has also resulted in a change to this part of the model evaluation:
Table [5.1]. Evaluation of Compliance (Updated): Data Minimization (DM) Activity
ID    Data Minimization (DM)                                                          L1   L2   L3
DM1   Minimize PII collected for each purpose                                         ✓    ✓    ✓
DM2   Separate the storage of PII collected from different sources                         ✓    ✓
DM3   Set up aggregation mechanisms before PII processing and storage                           ✓
DM4   Set up anonymization mechanisms before PII collection, processing and storage             ✓
The updated Data Minimization evaluation eliminates the ambiguity brought up by Company Y. Instead of confusingly being judged as non-compliant with either maturity level 1 or 2, a company/organization that does not implement DM1 will now be judged as Level 1: non-compliance for certain.
5.2. Improvement of the Evaluation Framework
Due to the fewer-than-expected data points collected by the privacy questionnaire, the current approach to evaluating the Privacy Maturity Model still has its constraints. For example, the current evaluation does not provide a benchmark. However, if more data points could be gathered via the questionnaire in the future, the chance is high that the evaluation framework will differ from how it looks now. In the following sections, the reason for the low response rate as well as a potential redesign of the evaluation framework (i.e., a star-rating system) are discussed.
5.2.1. A Limited Number of Data Points
During the whole research process, the most challenging issue was the unexpectedly small number of responses to our questionnaire. Originally, an Invitation to Participate letter was sent out to more than 20 companies/organizations in total. However, among these potential participants, only half responded to the invitation, and eventually only 2 participated in answering the questionnaire (and Company Y participated in an interview). Later, the Invitation to Participate was iteratively (i.e., monthly, from April to June) spread via social networks, such as the official SIG LinkedIn page, the personal LinkedIn pages of SIG experts, as well as the official SIG Twitter account. Yet, no further response was received until the end of the model validation.
To summarize, the major reason behind the low motivation to participate can be identified from the communications with the invited companies/organizations: it is hard to avoid bureaucracy in large organizations, which really slowed things down. In particular, the research faced more resistance when the internal communication procedures required everything to be tracked by various departments. In the worst case, the research was even rejected simply because of disregard by less relevant personnel.
5.2.2. The Partially Implemented PbD Activities
An issue with the implementation of PbD activities is that, for several activities, it is not enough to measure things as “either black or white”. A few questions were designed to ask about the frequency of conducting a PbD activity. For instance, one question asks how often the organization plans personnel privacy training. The answers could be “frequently”, “once” and “never”. The idea is, of course, not merely to look at whether training has ever been given to the personnel, but to see whether the training has been done regularly.
In that sense, the specific PbD activity can be measured as “partially done” if the participant answered “once”. To better understand the type of “partially done” situation, the respondents are also asked to specify the frequency by entering free text in the questionnaire.
The good news is that the answers from both participants showed that entering free text is not a burden. Company Y was even happy to write down some extra information to better describe the situation they are going through, which is indeed an encouraging outcome for the development of the Privacy Maturity Model.
In order to take the partial implementation of PbD activities into account, the rule of the current model evaluation can be further developed. Together with SIG experts, we suggest a possible definition of the partial compliance circumstance:
• A system/application reaches Level 1 partial compliance when every Basic activity is at least partially implemented;
• A system/application reaches Level 2 partial compliance when it has reached full compliance with Level 1, and every Intermediate activity is at least partially implemented;
• A system/application reaches Level 3 partial compliance when it has reached full compliance with Level 2, and every Advanced activity is at least partially implemented.
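The evaluation rules above, together with the handling of unanswered questions (Chapter 4.1) and non-applicable activities (Chapter 4.3.2), can be written down as a small evaluator. The following Python is an added illustration, not code from the thesis or from SIG: it reconstructs the rules as stated on this page, the activity IDs AC1–AC4 and all implementation statuses are constructed sample data, and the treatment of an unanswered question as "at least partially implemented" follows the Chapter 4.1 rule that an unknown Basic activity yields Level 1: partial rather than full compliance.

```python
from dataclasses import dataclass

# Requirement levels in the order the maturity levels build on each other
# (Level 1 = Basic, Level 2 = Intermediate, Level 3 = Advanced).
LEVELS = ("Basic", "Intermediate", "Advanced")


@dataclass(frozen=True)
class Activity:
    """One PbD activity from the checklist, with its requirement level and
    the implementation status derived from the questionnaire answers."""
    id: str
    level: str   # "Basic" | "Intermediate" | "Advanced"
    status: str  # "full" | "partial" | "none" | "unknown" (unanswered) | "n/a"


def _degree(acts):
    """Degree of compliance for the activities of one requirement level.
    'full': every activity fully implemented; 'partial': every activity at
    least partially implemented, where an unanswered question counts as
    partial (Chapter 4.1 rule); otherwise 'none'. An empty level is
    vacuously 'full', which is the ambiguity Table 5.1 removes for DM."""
    if all(a.status == "full" for a in acts):
        return "full"
    if all(a.status in ("full", "partial", "unknown") for a in acts):
        return "partial"
    return "none"


def maturity_label(activities):
    """Maturity label for one privacy principle, e.g. 'Level 2: partial compliance'.
    Non-applicable activities are dropped first (Chapter 4.3.2). Level n is
    only reached after full compliance with Level n-1, and a partial level
    ends the climb, matching the three bullet rules above."""
    acts = [a for a in activities if a.status != "n/a"]
    label = "Level 1: non-compliance"
    for n, level in enumerate(LEVELS, start=1):
        degree = _degree([a for a in acts if a.level == level])
        if degree == "none":
            break
        label = f"Level {n}: {degree} compliance"
        if degree == "partial":
            break
    return label


def evaluate(checklist):
    """Evaluate every principle of a checklist: {principle: [Activity, ...]}."""
    return {principle: maturity_label(acts) for principle, acts in checklist.items()}


# Constructed sample: the updated DM distribution of Table 5.1 with made-up
# answers, plus a hypothetical second principle (IDs AC1-AC4 are invented)
# that shows the 'unknown' and 'n/a' handling.
SAMPLE_CHECKLIST = {
    "Data Minimization (DM)": [
        Activity("DM1", "Basic", "full"),
        Activity("DM2", "Intermediate", "partial"),
        Activity("DM3", "Advanced", "full"),
        Activity("DM4", "Advanced", "none"),
    ],
    "Accountability & Compliance (AC)": [
        Activity("AC1", "Basic", "full"),
        Activity("AC2", "Basic", "unknown"),   # question added later, unanswered
        Activity("AC3", "Basic", "n/a"),       # system generates no PII automatically
        Activity("AC4", "Intermediate", "full"),
    ],
}

if __name__ == "__main__":
    for principle, label in evaluate(SAMPLE_CHECKLIST).items():
        print(f"{principle}: {label}")
```

With the sample data, DM lands on Level 2: partial compliance (DM1 full, DM2 only partially done, so the climb stops before Advanced is considered), and the AC principle lands on Level 1: partial compliance because of the single unanswered Basic question, exactly the situation described in Chapter 4.1. Removing DM1 from the "full" status yields Level 1: non-compliance, the unambiguous outcome Table 5.1 was updated to produce.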
5.2.3. Possibility of a Privacy Maturity Rating System
A 5-star rating system is able to provide benchmark information once a sufficient amount of data points is available. The stars would completely replace the evaluation framework, and would provide direct insight to a company/organization that would like to position itself within either its industry or the general context.
The following transition table gives a first impression of how the star rating works. Overall, there are five rows specifying the number of stars from 1 to 5, respectively. For each row, a set of percentages is defined under all three privacy maturity levels. The percentages $P_{1i}$, $P_{2i}$ and $P_{3i}$ ($i = 1, 2, 3, 4, 5$) indicate, for the total number of PbD activities (i.e., regardless of the privacy principles) belonging to a specific maturity level, how many of them are actually fully implemented. Each percentage determines the least number of PbD activities that have to be implemented. For instance, a 3-star rating requires a system to conduct $P_{13}$ of all PbD activities that belong to Basic, $P_{23}$ of Intermediate, and $P_{33}$ of Advanced.
One argument can be that, in theory, a company can implement all PbD activities in Basic and yet none of the other two; but since the percentages will be determined by data, it is still possible to avoid this theoretical issue.
Table [5.2]. The Transition Table for Privacy Star Rating
Star     Basic       Intermediate   Advanced
★☆☆☆☆    $P_{11}$    $P_{21}$       $P_{31}$
★★☆☆☆    $P_{12}$    $P_{22}$       $P_{32}$
★★★☆☆    $P_{13}$    $P_{23}$       $P_{33}$
★★★★☆    $P_{14}$    $P_{24}$       $P_{34}$
★★★★★    $P_{15}$    $P_{25}$       $P_{35}$
Furthermore, based on the actual data, 3 different scenarios can be suggested, each aiming at a specific purpose of analyzing the PbD checklist.
• Basic-focused: This scenario stresses the importance of Basic. To reach a higher star rating, organizations should commit to implementing as many Basic PbD activities as possible;
• Optimistic: This scenario provides a tolerant basis for reaching different stars, with regard to the current real-world implementations;
• Stringent: This scenario defines challenging percentages for organizations to receive a higher star rating.
For each scenario, an example of the percentage setting can be found in the following tables, respectively:
Table [5.3]. Thresholds of Privacy Star Rating: Basic-focused
Star     Basic   Intermediate   Advanced
★☆☆☆☆    0       0              0
★★☆☆☆    40%     25%            10%
★★★☆☆    60%     35%            20%
★★★★☆    80%     45%            30%
★★★★★    95%     55%            40%
Table [5.4]. Thresholds of Privacy Star Rating: Optimistic
Star     Basic   Intermediate   Advanced
★☆☆☆☆    0       0              0
★★☆☆☆    30%     25%            15%
★★★☆☆    50%     40%            30%
★★★★☆    70%     55%            45%
★★★★★    90%     70%            60%
Table [5.5]. Thresholds of Privacy Star Rating: Stringent
Star     Basic   Intermediate   Advanced
★☆☆☆☆    0       0              0
★★☆☆☆    35%     25%            15%
★★★☆☆    55%     45%            35%
★★★★☆    75%     65%            55%
★★★★★    95%     85%            75%
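The transition table and the three threshold scenarios can be applied mechanically once the implementation counts per requirement level are known. The following Python is an added illustration, not code from the thesis or from SIG: the threshold rows are copied from Tables 5.3–5.5, the implementation counts are constructed sample data, and the choice to treat a level with no applicable activities as 100% implemented is an assumption the thesis does not state.

```python
from fractions import Fraction

# Requirement levels in the order of the table columns.
LEVELS = ("Basic", "Intermediate", "Advanced")

# Threshold tables copied from Tables 5.3-5.5: row k holds the minimum
# percentages (Basic, Intermediate, Advanced) for a k-star rating.
SCENARIOS = {
    "Basic-focused": [(0, 0, 0), (40, 25, 10), (60, 35, 20), (80, 45, 30), (95, 55, 40)],
    "Optimistic":    [(0, 0, 0), (30, 25, 15), (50, 40, 30), (70, 55, 45), (90, 70, 60)],
    "Stringent":     [(0, 0, 0), (35, 25, 15), (55, 45, 35), (75, 65, 55), (95, 85, 75)],
}


def implementation_rates(counts):
    """counts: {level: (fully_implemented, applicable)} summed over all
    principles, with non-applicable activities already excluded by the
    caller. Returns an exact Fraction per level so that 18/20 compares to
    a 90% threshold without floating-point surprises. A level with no
    applicable activities is treated as fully implemented (assumption)."""
    rates = {}
    for level in LEVELS:
        done, total = counts[level]
        if done < 0 or done > total:
            raise ValueError(f"{level}: {done} implemented of {total} applicable")
        rates[level] = Fraction(done, total) if total else Fraction(1)
    return rates


def star_rating(counts, scenario):
    """Highest star row whose three thresholds are all met. Rows are checked
    bottom-up and the climb stops at the first failing row, so the 1-star
    row (all zeros) is always reached and no row can be skipped."""
    rates = implementation_rates(counts)
    stars = 0
    for row, thresholds in enumerate(SCENARIOS[scenario], start=1):
        if all(rates[level] * 100 >= t for level, t in zip(LEVELS, thresholds)):
            stars = row
        else:
            break
    return stars


def render_stars(stars):
    """Render a rating with the glyphs of Table 5.2, e.g. 3 -> ★★★☆☆."""
    return "★" * stars + "☆" * (5 - stars)


# Constructed sample: 18 of 20 Basic, 10 of 16 Intermediate and 6 of 12
# Advanced activities fully implemented (made-up numbers).
SAMPLE_COUNTS = {"Basic": (18, 20), "Intermediate": (10, 16), "Advanced": (6, 12)}

# The theoretical case raised in Chapter 5.2.3: every Basic activity done,
# nothing at all in Intermediate or Advanced.
BASIC_ONLY = {"Basic": (20, 20), "Intermediate": (0, 16), "Advanced": (0, 12)}

if __name__ == "__main__":
    for scenario in SCENARIOS:
        print(f"{scenario:14s} {render_stars(star_rating(SAMPLE_COUNTS, scenario))}")
```

For the sample counts the same system receives four stars under Basic-focused and Optimistic but only three under Stringent, because its Intermediate rate (62.5%) falls short of the 65% that Stringent demands for the fourth star. The "all Basic, nothing else" case stays at one star in every scenario, since each 2-star row already requires at least 25% of Intermediate, which is how the threshold data avoids the theoretical issue mentioned above.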
6. Conclusions
Living in the digital era, more and more people start to realize the criticality of privacy issues. Apart from simply enjoying the advancement of technologies, the problems in collecting and processing (sometimes irrelevant) PII have long remained unsolved.
This research on the Privacy Maturity Model thus has its significance in both the academic and the industrial field. On the one hand, this research is a breakthrough for its distinctive technology-specific features compared with the existing PIA. On the other hand, with the Privacy Maturity Model working as a guideline for implementing PbD activities, modern companies and organizations whose services rely on the collection and processing of PII will be able to build services and conduct activities with more mature privacy concerns.
6.1. Privacy Requires Proactive Thinking
Although modern companies and organizations are spending more time and resources on figuring out issues with privacy, the dominant trend is still “change once we are forced to”. This is supported by 3 aspects:
• A recent trigger for companies and organizations to rethink their privacy is none other than the newly released GDPR. Guidelines on how to conduct privacy-binding activities have been emerging and can easily be found online, but their contents are more about “how to avoid paying fines by conducting activities that have been set as mandatory in the GDPR”. For a company/organization that intends to implement Privacy by Design, approaching these regulation-based guidelines is obviously far from sufficient, because what can be found in these online accessible guidelines is merely several PbD activities categorized as Basic in our Privacy Maturity Model.
• It is commonly seen that companies/organizations only focus on data protection, without considering the whole PII workflow, which includes data collection and data processing as well (see Chapter 3.1). Several companies and organizations we witnessed during this research regard privacy as the same concept as information security; a common case is that at first they collect as much PII as possible to enhance security aspects, and later have to suffer from a higher risk of data breach. However, information security is only one of the seven privacy principles covered by the Privacy Maturity Model.
• The group of people who hold proactive thinking is comparatively small within the whole organization. This aspect of the problem was revealed by the interview with Company Y. Although Company Y has received higher privacy maturity levels, employees who are eager to think proactively about privacy are still limited to the ones who directly deal with privacy issues. According to Company Y, it is still often the case that an ambitious plan on privacy is ignored by the management team, and might take several years to be actually implemented.
The aspects above reflect the importance of having a model that can better guide companies/organizations to reach a higher privacy maturity level. The Privacy Maturity Model proposed in this research can raise more privacy awareness, as well as encourage companies/organizations to shift the implementation of PbD activities from reactive to proactive.
6.2. Improvement of the Privacy Maturity Model
During recent years, both BSIMM and the OWASP ASVS have been going through the process of further development. BSIMM has now reached its sixth version and the OWASP ASVS is in its third version. Looking at the historical versions of both models, it is obvious that both their size and their content have been refined. Designed analogously to these two maturity models, the Privacy Maturity Model will also be subject to change both in size and in content in the future.
Reviewing and revising the Privacy Maturity Model can be triggered by events such as a major update of ISO 29100 or of any European/world-class privacy regulation. Two main aspects shall be considered in order to make adjustments to the Privacy Maturity Model:
• Completeness. This means checking whether the PbD activities mentioned under each privacy principle in the Privacy Maturity Model are complete. When there is a necessity to add new PbD activities, modify existing PbD activities, or remove outdated PbD activities, expert opinions shall be taken into consideration. This also ensures that no overlap between activities will appear.
• Evolution of privacy requirements. In Chapter 3.3, the privacy requirements are defined as Basic, Intermediate, and Advanced. The mapping between PbD activities and these requirements is dynamic. In the future, with the development of the concept of Privacy-by-Design, existing PbD activities in the current checklist might become more common or even obligatory practices. Therefore, it is crucial to make sure that the mapping between PbD activities and the privacy requirements is up-to-date.
6.3. Limitations and Further Research
Having seen how modern companies and organizations are dealing with privacy issues, it has to be admitted that the improvement of information privacy is not, and will not be, something that happens immediately. As discussed in Chapter 5.2.1, the most challenging issue in this research was the lower-than-expected response rate to the privacy questionnaire.
Nevertheless, this research on the Privacy Maturity Model serves as an initiator in the field, and is expected to raise several relevant research topics in the near future. Once a larger number of data points is available, it will be interesting to automatically process the questionnaire results for the model evaluation. Further research will focus on developing a benchmark and model calibration based on data collected from various industries.
References
[AICPA/CICA, 2011] American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants. (2011). Privacy Maturity Model. Retrieved from http://www.kscpa.org/writable/files/AICPADocuments/10-229_aicpa_cica_privacy_maturity_model_finalebook.pdf
[Banisar & Davies, 1999] Banisar, D., & Davies, S. (1999). Global Trends in Privacy Protection: An International Survey of Privacy, Data Protection, and Surveillance Laws and Developments. Journal of Computer & Information Law, XVIII, 1–111. Retrieved from http://heinonlinebackup.com/hol-cgi-bin/get_pdf.cgi?handle=hein.journals/jmjcila18&section=4
[Borking & Raab, 2001] Borking, J. J., & Raab, C. (2001). Laws, PETs and other technologies for privacy protection. Journal of Information, Law and Technology, 1(February), 1–14.
[BSIMM6, 2015] McGraw, G., Migues, S., West, J., Arkin, A. B., Routh, A. J., … Derdouri, S. (2015). BSIMM6. Retrieved from http://www.inf.ed.ac.uk/teaching/courses/sp/2015/lecs/BSIMM6.pdf
[CMMI v1.3, 2011] CMMI for Development, Version 1.3. (2010). Retrieved from http://resources.sei.cmu.edu/asset_files/TechnicalReport/2010_005_001_15287.pdf
[Comparison of International Privacy Concepts] Comparison of International Privacy Concepts - AICPA. Aicpa.org. Retrieved 2016, from http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Privacy/GenerallyAcceptedPrivacyPrinciples/Pages/InternationalPrivacyConcepts.aspx
[Danezis et al., 2014] Danezis, G., Domingo-Ferrer, J., Hansen, M., Hoepman, J.-H., Metayer, D. Le, Tirtea, R., & Schiffner, S. (2014). Privacy and Data Protection by Design - from policy to engineering. Retrieved from http://arxiv.org/abs/1501.03726
[De Hert, Kloza & Wright, 2012] De Hert, P., Kloza, D., & Wright, D. (2012). Recommendations for a privacy impact assessment framework for the European Union.
[European Commission, 2016] Reform of EU data protection rules - European Commission. (2016). ec.europa.eu. Retrieved 2016, from http://ec.europa.eu/justice/data-protection/reform/index_en.htm
[Directive 95/46/EC, 1995] European Parliament. (1995). Directive 95/46/EC. Official Journal of the European Communities, L 281/31(L).
[Finkle & Volz, 2015] Finkle, J. & Volz, D. (2015). Database of 191 million U.S. voters exposed on Internet: researcher. Reuters UK. Retrieved from http://uk.reuters.com/article/us-usa-voters-breach-idUKKBN0UB1E020151229
[Flaherty, 2000] Flaherty, D. (2000). Privacy impact assessments: an essential tool for data protection. In Privacy Law and Policy Reporter (Vol. 7, p. 85). Retrieved from http://www.austlii.edu.au/au/journals/PLPR/2000/45.html
[Heurix et al., 2015] Heurix, J., Zimmermann, P., Neubauer, T., & Fenz, S. (2015). A taxonomy for privacy enhancing technologies. Computers and Security, 53, 1–17. http://doi.org/10.1016/j.cose.2015.05.002
[Hinde, 2014] Hinde, C. (2014). A Model to Assess Organisational Information Privacy Maturity against the Protection of Personal Information Act. University of Cape Town.
[Huijben, 2014] Huijben, K. (2014). A lightweight, flexible evaluation framework to measure the ISO 27002 information security controls. Radboud University.
[ISO/IEC 29100: 2011] INTERNATIONAL STANDARD ISO / IEC Information technology — Security techniques — Privacy framework. (2011)
[Kelion, 2016] Kelion, L. (2016). Facebook Moments facial-recognition app launches in Europe - BBC News. BBC News. Retrieved from http://www.bbc.com/news/technology-36256765
[Le et al., 2015] Le, D., Inria, M., Trilateral, I. K., & María, J. (2015). PRIPARE: Privacy- and Security-by-Design Methodology Handbook.
[McGee, 2016] McGee, M. (2016). Verizon Confirms Breach Affecting Business Customers. Databreachtoday.eu. Retrieved from http://www.databreachtoday.eu/verizon-confirms-breach-affecting-business-customers-a-8991
[New Zealand Government, 2014 (1)] New Zealand Government. Privacy Maturity Assessment Framework: Elements, attributes, and criteria (version 2.0). (2014).
[New Zealand Government, 2014 (2)] New Zealand Government. User guide for the Privacy Maturity Assessment Framework. (2014).
[OECD, 1980] Organisation for Economic Cooperation and Development guidelines Annex to the recommendation of the Council of 23 September 1980: Guidelines governing the protection of privacy and transborder flows of personal data. (1980).
[OWASP ASVS 3.0, 2015] Application Security Verification Standard 3.0. (2015). Retrieved from https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf
[Pew Research Center, 2013] Social Networking Fact Sheet. (2013). Pew Research Center: Internet, Science & Tech. Retrieved September 2014, from http://www.pewinternet.org/fact-sheets/social-networking-fact-sheet/
[Revoredo et al., 2014] Revoredo, M., Marcelo, C., Lutiano, J., Melo, R. M., Batista, R., Lucien, L. R., … Garcia, V. C. (2014). A Privacy Maturity Model for Cloud Storage Services. http://doi.org/10.1109/CLOUD.2014.135
[Roger, 2015] Roger, H. (2015). Right of Subject Access – From request to response: An analysis of process performance. Leiden University.
[Schwaig, Kane & Storey, 2006] Schwaig, K. S., Kane, G. C., & Storey, V. C. (2006). Compliance to the fair information practices: How are the Fortune 500 handling online privacy disclosures? Information and Management, 43(7), 805–820. http://doi.org/10.1016/j.im.2006.07.003
[Thiesse, 2007] Thiesse, F. (2007). RFID, privacy and the perception of risk: A strategic framework. Journal of Strategic Information Systems, 16(2), 214–232. http://doi.org/10.1016/j.jsis.2007.05.006
[Warren and Brandeis, 1890] Warren, S. D., & Brandeis, L. D. (1890). The Right to Privacy. Harvard Law Review, 4(5), 193–220.
[Wright, 2013] Wright, D. (2013). Making Privacy Impact Assessment More Effective. The Information Society: An International Journal, 29, 307–315. http://doi.org/10.1080/01972243.2013.825687
Appendices
Appendix A: The Privacy Questionnaire
This part has been removed from the thesis due to confidentiality concerns. The questionnaire has been handed in separately to the thesis advisors.
Appendix B: The Invitation Letter
A practical approach to assess privacy protection in and around IT applications
Invitation to participate in research
Privacy is increasingly important to citizens and policy makers. Organizations that collect and process privacy-sensitive information are under rapidly increasing scrutiny.
IT applications play a key role in both processing and protecting privacy-sensitive information. While existing privacy assessment methods address privacy protection at a broad organizational level, the need arises for practical approaches that do justice to this key role of IT applications.
In joint research, Leiden University and the Software Improvement Group (SIG) are developing a Privacy Maturity Model that applies to an IT application in its organizational context.
We now invite organizations that rely on IT applications to process and protect privacy-sensitive information to participate in our research. Participating organizations are invited to go through the following steps:
1. Fill out a questionnaire. This will take approximately 2 hours in total, divided over two or three employees with knowledge of application functionality, architecture, and privacy requirements.
2. Partake in an interview. This will take approximately 1.5 hours. The interview includes a discussion of the filled-out questionnaire.
Feedback will be provided to the participating organizations in the form of a Privacy Maturity report together with an interactive session. All study results will remain anonymous.
Please express your interest to participate in this study via privacypractice@sig.eu. We will contact you to make all necessary arrangements.
We are looking forward to your contribution!
Prof. dr. ir. Joost Visser (Software Improvement Group & Radboud University Nijmegen)
Dr. Amr Ali-Eldin (Leiden Institute of Advanced Computer Science, Leiden University)
Appendix C: The Mapping between PbD Activities and Questions
This part has been removed from the thesis due to confidentiality concerns. This part has been handed in separately to the thesis advisors.