Supporting Privacy Impact Assessments Using Problem-Based Privacy Analysis

  • Conference paper
Software Technologies (ICSOFT 2015)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 586)

Abstract

Privacy-aware software development is gaining more and more importance for nearly all information systems developed today. To make organizations and companies consider privacy properly during the planning and execution of their projects, some governments advise performing privacy impact assessments (PIAs). During a PIA, a report has to be created that summarizes the consequences the project may have for privacy and how the organization or company addresses these consequences. As a basis for a PIA, it has to be documented which personal data is collected, processed, stored, and shared with others in the context of the project. Obtaining this information is a difficult task that is not yet well supported by existing methods. In this paper, we present a method based on the problem-based privacy analysis (ProPAn) that helps to elicit the information needed for a PIA systematically from a given set of functional requirements. Our tool-supported method is intended to reduce the effort required to elicit the information needed to conduct a PIA, such that the information is as complete and consistent as possible.

Notes

  1. http://www.piaf.eu.

  2. http://www.nessos-project.eu/.

  3. https://www.uni-due.de/swe/propan.shtml.

  4. https://www.uni-due.de/swe/propan.shtml.

Corresponding author

Correspondence to Rene Meis.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Meis, R., Heisel, M. (2016). Supporting Privacy Impact Assessments Using Problem-Based Privacy Analysis. In: Lorenz, P., Cardoso, J., Maciaszek, L., van Sinderen, M. (eds) Software Technologies. ICSOFT 2015. Communications in Computer and Information Science, vol 586. Springer, Cham. https://doi.org/10.1007/978-3-319-30142-6_5

  • DOI: https://doi.org/10.1007/978-3-319-30142-6_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-30141-9

  • Online ISBN: 978-3-319-30142-6

  • eBook Packages: Computer Science, Computer Science (R0)
