Use this URL to cite or link to this record in EThOS: http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.683387
Title: Design and implementation of a privacy impact assessment tool
Author: Tancock, David
ISNI:       0000 0004 5916 2522
Awarding Body: University of Bristol
Current Institution: University of Bristol
Date of Award: 2015
Availability of Full Text:
Access through EThOS:
Abstract:
A Privacy Impact Assessment (PIA) is a systematic process for evaluating the possible future effects that a particular activity or proposal may have on an individual's privacy. It focuses on understanding the system, initiative or scheme, identifying and mitigating adverse privacy impacts and informing decision makers who must decide whether the project should proceed and in what form. A PIA, as a proactive business process, is thus properly distinguished from reactive processes, such as privacy issue analysis, privacy audits and privacy law compliance checking, applied to existing systems to ensure their continuing conformity with internal rules and external requirements. Typically, in most of the major jurisdictions (i.e. Canada, United States (US) etc.) that conduct PIAs, PIA tools and document templates are used by organisations for project compliance/analysis in relation to their own national, state or sector-specific requirements. However, in the United Kingdom (UK) organisations typically use manual documents in one form or another (i.e. ranging from un-systematised documentation sets to organised Microsoft Templates) to undertake PIAs, which are usually based upon the advice given by the Information Commissioner's Office (lCO) and its UK PIA Handbook, or upon their own organisational rules and procedures. Therefore, while manual documents provide some benefits with regard to user comprehension and ease of use, there are some disadvantages in using them including: human error, data duplication, and time consumption. The research described in this thesis focuses upon demonstrating and exploring the extent to which an automated tool might assist in the process of carrying out PIAs in the UK, and thereby improve PIA uptake. Such a PIA tool may set the bar higher for the process itself, help organisations in carrying out PIAs more easily in the UK, facilitate comparison and improve standardisation. A PIA tool is developed and described, in the form of a software prototype based upon a Decision Support System (DSS), that is a type of expert system that addresses the complexity of privacy compliance requirements for organisations (in both public and private sectors). More specifically, the developed automated PIA tool may help decision makers within organisations decide whether a new project (where "project" is defined in a broad sense, encompassing a scheme, notion, or product etc.), should go ahead and if so, in what form (i.e. what restrictions there are, what additional checks should be made, etc.). Therefore, techniques outlined in this thesis for the development of the PIA tool include: requirements elicitation; stakeholder mapping; data collection; data analysis; UML (Unified Modelling Language) modelling, and the software implementation of an expert system. In addition, Artificial Intelligence (AI)techniques are assessed with regards to how these can be used to enhance the PIA process, and a technique is developed to incorporate expression of belief. Stakeholders outlined in this thesis are anyone with an interest in such a PIA tool. For example, the intended users of the tool are stakeholders, as they have an interest in having a product that addresses the complexity of privacy compliance requirements for organisations (in both public and private sectors). In addition, stakeholders were mapped into a number of stakeholder groups including: privacy, data protection, computer security, records management, PIA consultants, and software development. Thus stakeholders were selected to provide requirements for the PIA tool (i.e. functional and non-functional requirements), and also to participate in the PIA tools validation process (i.e. a judgement on the functionality, usability, and portability of the PIA tool). The outcomes of the research include both a proof of concept implementation of a PIA tool, and analysis of a stakeholder-derived validation process for that tool
Supervisor: Not available Sponsor: Not available
Qualification Name: Thesis (Ph.D.) Qualification Level: Doctoral
EThOS ID: uk.bl.ethos.683387  DOI: Not available
Share: