Abstract
Privacy Impact Assessments (PIAs) are recognized as a key step to enhance privacy protection in new information systems and services. They will be required in Europe when the new General Data Protection Regulation becomes effective. From a technical perspective, the core of a PIA is a Privacy Risk Analysis (PRA), which has received less attention than the organizational and legal aspects of PIAs. In this work, we propose a rigorous and systematic PRA methodology. We illustrate it with a quantified-self use case in the extended paper [9].
Notes
- 1.
In order to err on the safe side in terms of privacy protection, we consider dependent nodes such that one node may potentially imply all other nodes.
- 2.
In order to err on the safe side in terms of privacy protection, we consider dependent nodes such that each node may exclude all other nodes. Hence the use of the sum.
References
- 1. Privacy Risk Management for Federal Information Systems (2015). http://csrc.nist.gov/publications/drafts/nistir-8062/nistir-8062-draft.pdf
- 2. European Commission: General Data Protection Regulation (2016)
- 3. Antignac, T., Le Métayer, D.: Trust driven strategies for privacy by design. In: Damsgaard Jensen, C., Marsh, S., Dimitrakos, T., Murayama, Y. (eds.) IFIPTM 2015. IFIP AICT, vol. 454, pp. 60–75. Springer, Heidelberg (2015)
- 4. Baringer, F.: New Electricity Meters Stir Fear (2011). www.nytimes.com
- 5. Calo, R.: The Boundaries of Privacy Harm. Ind. LJ 86, 1131 (2011)
- 6. CNIL: Privacy Impact Assessment (PIA) Methodology (2015)
- 7. CNIL: Privacy Impact Assessment (PIA) Tools (2015)
- 8. De, S.J., Le Métayer, D.: Privacy harm analysis: a case study on smart grids. In: International Workshop on Privacy Engineering. IEEE (2016)
- 9. De, S.J., Le Métayer, D.: PRIAM: A Privacy Risk Analysis Methodology. INRIA Research Report RR-8876, July 2016
- 10. Deng, M., Wuyts, K., Scandariato, R., Preneel, B., Joosen, W.: A privacy threat analysis framework: supporting the elicitation and fulfilment of privacy requirements. Requirements Eng. 16(1), 3–32 (2011)
- 11. Friginal, J., Guiochet, J., Killijian, M.-O.: Towards a privacy risk assessment methodology for location-based systems. In: Stojmenovic, I., Cheng, Z., Guo, S. (eds.) MindCare 2014. LNICSSITE, vol. 131, pp. 748–753. Springer, Heidelberg (2014). doi:10.1007/978-3-319-11569-6_65
- 12. Hill, K.: Fitbit moves quickly after users' sex stats exposed. Forbes 26, 515–519 (2011)
- 13. Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Attack-defense trees. J. Logic Comput. 24(1), 55–87 (2014)
- 14. Lisovich, M., Mulligan, D.K., Wicker, S.B., et al.: Inferring personal information from demand-response systems. IEEE Secur. Priv. 8(1), 11–20 (2010)
- 15. Oetzel, M.C., Spiekermann, S.: A systematic methodology for privacy impact assessments: a design science approach. Eur. J. Inf. Syst. 23(2), 126–150 (2014)
- 16. Oetzel, M.C., Spiekermann, S., Grüning, I., Kelter, H., Mull, S.: Privacy Impact Assessment Guideline for RFID Applications (2011). www.bsi.bund.de
- 17. SGTF: Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems (2014). http://ec.europa.eu/
- 18. Solove, D.J.: A taxonomy of privacy. U. Pa. L. Rev. 154, 477–564 (2006)
- 19. Wright, D.: Making privacy impact assessment more effective. Inf. Soc. 29(5), 307–315 (2013)
- 20. Wright, D., Finn, R., Rodrigues, R.: A comparative analysis of privacy impact assessment in six countries. J. Contemp. Eur. Res. 9(1), 160–180 (2013)
- 21. Zwingelberg, H., Hansen, M.: Privacy protection goals and their implications for eID systems. In: Camenisch, J., Crispo, B., Fischer-Hübner, S., Leenes, R., Russello, G. (eds.) Privacy and Identity Management for Life. IFIP AICT, vol. 375, pp. 245–260. Springer, Heidelberg (2012)
Acknowledgements
This work has been partially funded by the French ANR-12-INSE-0013 project BIOPRIV and Inria Project Lab CAPPRIS.
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
De, S.J., Le Métayer, D. (2016). PRIAM: A Privacy Risk Analysis Methodology. In: Livraga, G., Torra, V., Aldini, A., Martinelli, F., Suri, N. (eds.) Data Privacy Management and Security Assurance. DPM QASA 2016. Lecture Notes in Computer Science, vol. 9963. Springer, Cham. https://doi.org/10.1007/978-3-319-47072-6_15
DOI: https://doi.org/10.1007/978-3-319-47072-6_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-47071-9
Online ISBN: 978-3-319-47072-6