Applying Contextual integrity to Open Data Publishing

Open data publishing by both corporate and public bodies has increased significantly in recent years and this type of data could soon be developing into a real commodity. However, not all organisations pay sufficient heed to privacy as part of the decision-making process around open data publication, leaving both the organisation and the users whose data they handle vulnerable to privacy breaches. We present a case study in which we applied contextual integrity in practice, working with a UK local authority using real data. This illustrated how privacy can be incorporated into the decision-making process prior to publication taking place. Our results illustrate the application of Nissenbaum's Contextual Integrity Framework (CI) to the open data domain, and shows that CI is usable in practice

DPIA in Context: Applying DPIA to Assess Privacy Risks of Cyber Physical Systems

Cyber Physical Systems (CPS) seamlessly integrate physical objects with technology, thereby blurring the boundaries between the physical and virtual environments. While this brings many opportunities for progress, it also adds a new layer of complexity to the risk assessment process when attempting to ascertain what privacy risks this might impose on an organisation. In addition, privacy regulations, such as the General Data Protection Regulation (GDPR), mandate assessment of privacy risks, including making Data Protection Impact Assessments (DPIAs) compulsory. We present the DPIA Data Wheel, a holistic privacy risk assessment framework based on Contextual Integrity (CI), that practitioners can use to inform decision making around the privacy risks of CPS. This framework facilitates comprehensive contextual inquiry into privacy risk, that accounts for both the elicitation of privacy risks, and the identification of appropriate mitigation strategies. Further, by using this DPIA framework we also provide organisations with a means of assessing privacy from both the perspective of the organisation and the individual, thereby facilitating GDPR compliance. We empirically evaluate this framework in three different real-world settings. In doing so, we demonstrate how CI can be incorporated into the privacy risk decision-making process in a usable, practical manner that will aid decision makers in making informed privacy decisions

Modeling of open government data for public sector organizations using the potential theories and determinants-A systematic review

Open government data (OGD) has huge potential to increase transparency, accountability, and participation while improving effciency in operations, data-driven and evidence-based policymaking, and trust in government institutions. Despite its potential benefits, OGD has not been widely and successfully adopted in public sector organizations, particularly in developing countries. Therefore, the purpose of this study is to explore the theories/frameworks and potential determinants that influence the OGD adoption in public sector organizations. To ascertain the various determinants of OGD adoption in public sector organizations, this study involved a systematic review of already established theories and determinants addressed in the public sector open data domain. The review revealed that the TOE (technology, organization, environment) framework was dominantly employed over theories in the earlier studies to understand organizational adoption to OGD followed by institutional theory. The results, concerning potential determinants, revealed that some of the most frequently addressed determinants are an organization's digitization/digitalization capacity, compliance pressure, financial resources, legislation, policy, regulations, organizational culture, political leadership commitment, top-management support, and data quality. The findings will enrich researchers to empirically investigate the exposed determinants and improve the understanding of decision-makers to leverage OGD adoption by taking relevant measures

Privacy Risk Assessment in Context: A Meta-Model based on Contextual Integrity

Publishing data in open format is a growing trend, particularly for public bodies who have a legal obligation to make data available as open data. We look at the privacy implications of publishing open data and, in particular, how organisations can make informed decisions around privacy risks in relation to open data publishing before publication occurs. Using a well established theoretical privacy assessment framework, Contextual Integrity, we illustrate how this can be translated into a practical metamodel that can assist public bodies in assessing what privacy implications or risks might be associated with making a particular dataset available as open data. We validate the metamodel by providing a worked example and illustrate the effectiveness of this by reference to a case study application where the metamodel was successfully applied in practice

Incorporating contextual integrity into privacy decision making: a risk based approach.

This work sought to create a privacy assessment framework that would encompass legal, policy and contextual considerations to provide a practical decision support tool or prototype for determining privacy risks, thereby integrating the privacy decision-making function into organisational decision-making by default. This was achieved by way of a meta-model from which two separate privacy assessment frameworks were derived, each represented as a stand-alone prototype spreadsheet tool for privacy assessment before being amalgamated into the main contribution of this work, the PACT (PrivACy Throughout) framework, also presented as a prototype spreadsheet. Thus, this work makes four contributions. First, a meta-model of Contextual Integrity (CI) (Nissenbaum 2010) is presented, where CI has been broken down into its component parts to provide an easy to interpret visual representation of CI. Second, a practical privacy decision support framework for assessing data suitability for publication as open data, the ContextuaL Integrity For Open Data (CLIFOD) questionnaire is presented. Third, the scope of the framework is expanded upon to include other industry sectors or domains. To this end, a data protection impact assessment (DPIA), the DPIA Data Wheel, is exhibited that integrates the provisions brought in by the General Data Protection Regulation (GDPR) with CI and a revised version of CLIFOD. This framework is applied and evaluated in the charity sector to demonstrate the applicability of the concepts derived in CLIFOD to any domain where data is processed or shared. Finally, this work culminates with the main contribution of this work, one overarching framework, PrivACy Throughout (PACT). PACT is a privacy decision framework for assessing privacy risks throughout the data lifecycle. It has been derived and underpinned by existing theory though the amalgamation of CLIFOD and the DPIA Data Wheel and extended upon to include a privacy lifecycle plan (PLAN) for managing the data throughout its data life cycle. PACT, incorporates context (using CI), with contemporary legislation, in particular, the General Data Protection Regu- lation (GDPR), to facilitate consistent and repeatable privacy risk assessment from both the perspective of the data subject and the organisation, thereby supporting organisational decision making around privacy risk for both existing and new projects, systems, data and processes