Systematic Identification of Information Flows from Requirements to Support Privacy Impact Assessments

Rene Meis, Maritta Heisel

Abstract

Several countries prescribe or advise government departments and organizations to perform a privacy impact assessment (PIA) if these prepare new projects or change existing ones that involve personal information. A PIA shall summarize what personal information is collected, processed, stored, and distributed in the context of the project. But there is only little support for undertaking a PIA and to create a PIA report, most countries only provide vague guidelines and simple templates. We present in this paper an extension of the problem-based privacy analysis (ProPAn) method that derives information needed to conduct a PIA from a requirements model in problem frame notation. We provide a formally specified method with well-defined steps and tool support to reduce the effort to be spent for eliciting the needed information and to ensure that the needed information is as complete and coherent as possible to form an adequate basis for the creation of a PIA report.

References

  1. Beckers, K., Faßbender, S., Heisel, M., and Meis, R. (2014). A problem-based approach for computer aided privacy threat identification. In Privacy Technologies and Policy, LNCS 8319, pages 1-16. Springer.
  2. Cavoukian, A. (2011). Privacy by design - the 7 foundational principles. https://www.ipc.on.ca/images/resources/ 7foundationalprinciples.pdf.
  3. Coˆ té, I., Hatebur, D., Heisel, M., and Schmidt, H. (2011). UML4PF - a tool for problem-oriented requirements analysis. In Proc. of RE, pages 349-350. IEEE Computer Society.
  4. Deng, M., Wuyts, K., Scandariato, R., Preneel, B., and Joosen, W. (2011). A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. RE.
  5. European Commission (2012). Proposal for a regulation of the european parliament and of the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (general data protection regulation). http://eur-lex.europa.eu/legalcontent/EN/TXT/?uri=CELEX: 52012PC0011.
  6. Howard, M. and Lipner, S. (2006). The Security Development Lifecycle. Microsoft Press, Redmond, WA, USA.
  7. ISO/IEC (2011). ISO 29100 Information technology - Security techniques - Privacy Framework.
  8. Jackson, M. (2001). Problem Frames. Analyzing and structuring software development problems. AddisonWesley.
  9. Kalloniatis, C., Kavakli, E., and Gritzalis, S. (2008). Addressing privacy requirements in system design: the PriS method. RE, 13:241-255.
  10. Liu, L., Yu, E., and Mylopoulos, J. (2003). Security and privacy requirements analysis within a social setting. In Requirements Engineering Conf., 2003. Proc.. 11th IEEE Int., pages 151-161.
  11. Meis, R. (2014). Problem-based consideration of privacyrelevant domain knowledge. In Privacy and Identity Management for Emerging Services and Technologies 8th IFIP Int. Summer School Revised Selected Papers, IFIP AICT 421. Springer.
  12. Oetzel, M. and Spiekermann, S. (2014). A systematic methodology for privacy impact assessments: A design science approach. European Journal of Information Systems, 23(2):126-150.
  13. Omoronyia, I., Cavallaro, L., Salehie, M., Pasquale, L., and Nuseibeh, B. (2013). Engineering adaptive privacy: On the role of privacy awareness requirements. In Proc. of the 2013 Int. Conf. on SE, ICSE 7813, pages 632-641, Piscataway, NJ, USA. IEEE Press.
  14. Tancock, D., Pearson, S., and Charlesworth, A. (2010). A privacy impact assessment tool for cloud computing. In IEEE 2nd Int. Conf. on Cloud Computing Technology and Science (CloudCom), pages 667-676.
  15. Wright, D., Wadhwa, K., Hert, P. D., and Kloza, D. (2011). A privacy impact assessment framework for data protection and privacy rights - Deliverable D1. Technical report, PIAF consortium.
  16. Yu, E. (1997). Towards modeling and reasoning support for early-phase requirements engineering. In Proc. of the 3rd IEEE Int. Symposium on RE, pages 226-235, Washington, DC, USA. IEEE Computer Society.
Download


Paper Citation


in Harvard Style

Meis R. and Heisel M. (2015). Systematic Identification of Information Flows from Requirements to Support Privacy Impact Assessments . In Proceedings of the 10th International Conference on Software Paradigm Trends - Volume 1: ICSOFT-PT, (ICSOFT 2015) ISBN 978-989-758-115-1, pages 43-52. DOI: 10.5220/0005518500430052


in Bibtex Style

@conference{icsoft-pt15,
author={Rene Meis and Maritta Heisel},
title={Systematic Identification of Information Flows from Requirements to Support Privacy Impact Assessments},
booktitle={Proceedings of the 10th International Conference on Software Paradigm Trends - Volume 1: ICSOFT-PT, (ICSOFT 2015)},
year={2015},
pages={43-52},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005518500430052},
isbn={978-989-758-115-1},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 10th International Conference on Software Paradigm Trends - Volume 1: ICSOFT-PT, (ICSOFT 2015)
TI - Systematic Identification of Information Flows from Requirements to Support Privacy Impact Assessments
SN - 978-989-758-115-1
AU - Meis R.
AU - Heisel M.
PY - 2015
SP - 43
EP - 52
DO - 10.5220/0005518500430052