Recent privacy scandals, such as Cambridge Analytica in 2018 or the Swedish data leakage in 2017, and the creation and enforcement of the new General Data Protection Regulation (GDPR) in Europe in 2018, have captured the attention of any entity that operates with data. The GDPR identifies European citizens as the main stakeholders to be protected, creating powerful tools such as the consent mechanism and the right to be forgotten. Therefore, any organization that uses data of European citizens must adhere to the GDPR; otherwise heavy fines will be applied: up to 20 million euros, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. Private companies have already started to take action in order to be compliant with the GDPR. But privacy is not only a concern for companies: Public Administrations (PAs), which constantly use data of citizens, must protect citizens’ data as well. Furthermore, unlike with private companies, citizens frequently have no option but to give their data to PAs in order to use essential public services. It is, therefore, a top priority for such organizations to give citizens the feeling that their data is protected and under their control. Unfortunately, enforcing privacy requirements in PAs is no trivial task: PAs’ information systems are usually extremely complex, with legacy pieces of software that were developed when privacy was not a concern at all. Moreover, PA is a heterogeneous category that covers organizations with very different objectives, users, and market segments. Examples of PAs are hospitals, government bodies, and public companies, all of them with complex information systems that manage the data of large numbers of citizens. The urgent need of public organizations is, therefore, to address privacy concerns by being compliant with the GDPR and, at the same time, to give citizens control of their data by allowing them to specify privacy requirements.
This book describes the outcome of a project called VisiOn, which lasted three years and in which four universities and seven companies collaborated to create a platform that can be used by PAs to design or adapt their information systems following privacy laws and the privacy requirements of citizens. We called it the VisiOn Privacy Platform (VPP). The book is the result of the collective effort of all project participants who contributed to the success of VisiOn. Project participants acted as reviewers for book chapters, and each chapter was reviewed by at least two reviewers. The objective of this book is to provide readers with a useful reference for the creation and validation of a software platform that enforces privacy in complex organizations such as PAs. This book is structured following the software engineering approach to the design of complex software such as the VPP. Chapter 1 defines the conceptual framework we created to define privacy concepts. This chapter gives shape to privacy principles using European Union laws as a starting point. Moreover, the chapter describes the principle on which we based most of the platform, i.e., privacy by design, and a type of agreement we created to specify a privacy contract between a citizen and the PA, called a Privacy Level Agreement (PLA). Following that, in Chapter 2, the requirements of the VPP are defined along with a method that we created and used for the elicitation, classification, prioritization, and validation of requirements for the VPP. Chapter 3 describes the software components that were developed for the platform and compose the VPP, as well as the external software tools that were developed by the partners for the VisiOn project and that we integrated into the platform in order to use their functionalities. In particular, the chapter describes the architecture of the components and how their functionalities are offered and used in the VPP. Chapter 4 focuses on the security and privacy analyses that can be executed using the VPP.
It describes the two frameworks that compose the VPP, i.e., the desktop and the web framework. The former, dedicated to PA employees, is used to perform privacy analyses, while the latter, dedicated mainly to the end users, i.e., the citizens, is used to elicit their privacy requirements and to show them information about their sensitive data and how it is being used. Chapter 5 describes the validation of the platform using three real case studies: two hospitals, a government body, and a public company. In each case study the VPP has been integrated into real information systems, facing very pragmatic issues, such as the integration with the authentication system of the organization in charge of the case study. After the integration, the VPP was used by PA employees (the Desktop Framework) and by citizens (the Web Framework) in order to collect feedback and evaluate the platform. Each chapter of this book covers a part of the development and evaluation of the VPP. Each of the chapters has two main contributions: one related to the platform, which delivers details on the platform, and one related to the abstract contribution, which can be applied to other platforms as well. We believe that both contributions will help readers in other projects and research work. A number of innovative technical solutions have been proposed in this book; interested readers are invited to read the cited publications and technical reports for more details on specific aspects. In the present book, the emphasis is on the presentation of the global approach developed in the project. The VPP sets the basis for easier compliance of PAs with the GDPR and derived laws, while allowing citizens (users) to specify their privacy requirements, building their trust in the PAs to which they granted access to their sensitive data. However, we identified two main critical points that may weaken the positive impacts of the VPP if not properly addressed when the platform is applied.
The first critical point concerns the ambiguity of the GDPR: some of the concepts and constraints defined in this regulation are ambiguous. This is because the GDPR is enforced with laws defined by the local privacy authorities of each member state of the European Union (EU). We created the VPP in order to adapt to such local laws. Therefore, the VPP is not off-the-shelf software that can be used immediately; instead, local privacy laws must be analyzed by the PAs that intend to use the VPP in order to elicit the privacy requirements to be enforced. Furthermore, this mechanism gives the VPP the possibility of being used outside the boundaries of the GDPR. The second critical point concerns the complexity of the organization to be protected. The VPP, especially the Desktop Framework, has mechanisms to deal with such complexity. However, it is not only a matter of how large or wide an organization is, but also of the perspectives to be considered for the privacy analyses that will be performed by the VPP. Currently, the Desktop Framework considers social-organizational perspectives, business process perspectives, and security and privacy enforcement perspectives. Although we consider these perspectives to cover the central assets of PA organizations, the VPP may be extended to cover other perspectives, such as threat or economic ones. The empirical experiments reported in this book show that the VPP is an effective platform. During its design, we faced many challenges; the results and the methods we used to face them are reported in this book. Many people have contributed to the results of the project in many ways, and their contribution has been essential in making VisiOn a successful project. We would like to thank all the participants of the project for their hard work. In particular, we would like to thank the EU project officers who supported the project during its lifetime, and the reviewers who provided valuable feedback at the project reviews.

(2020). Preface [a: Visual Privacy Management]. Retrieved from https://hdl.handle.net/10446/324076

Preface [a: Visual Privacy Management]

Salnitri, Mattia;
2020-01-01

2020
Salnitri, Mattia; Mouratidis, H.; Mancini, L.; Giorgini, P.