Monday, 19 September 2016

Requirements Engineering and Privacy

A lot of travelling this month to conferences and speaking about privacy engineering (as usual). I just spent a week in Beijing at RE'16 (Requirements Engineering 2016) where I both presented a paper on privacy requirements and participated in a panel session on digitalisation and telecommunications - more on that later.

Anyway, here are the slides from the privacy paper:

And here is the abstract:

"Any reasonable implementation of privacy requirements can not be made through legal compliance alone. The belief that a software system can be developed without privacy being an integral concept, or that a privacy policy is sufficient as requirements or compliance check is at best dangerous for the users, customers and business involved. While requirements frameworks exist, the specialisation of these into the privacy domain have not been made in such a manner that they unify both the legal and engineering domains. In order to achieve this one must develop ontological structures to aid communication between these domains, provide a commonly acceptable semantics and a framework by which requirements expressed at different levels of abstractness can be linked together and support refinement. An effect of this is to almost completely remove the terms ‘personal data’ and ‘PII’ from common usage and force a deeper understanding of the data and information being processed. Once such a structure is in place - even if just partially or sparsely populated - provides a formal framework by which not only requirements can be obtained, their application (or not) be justified and a proper risk analysis made. This has further advantages in that privacy requirements and their potential implementations can be explored through the software development process and support ideas such as agile methods and ‘DevOps’ rather than being an ‘add-on’ exercise - a privacy impact assessment - poorly executed at inappropriate times."

Ian Oliver (2016) Experiences in the Development and Usage of a Privacy Requirements Framework. Requirements Engineering 2016 (RE'16), Beijing, China, September 12-17, 2016

No comments: