Privacy by Design : Developing a Tool For Risk Assessment in a Data Protection Context

Nyberg, Samuel

January 2022

Privacy by design is one of the core principles of GDPR, but what role does design really serve here? This thesis project explores how interaction design methods can affect data privacy by prototyping a tool for risk assessment in a data protection context. With basis in user research, prototyping and usability testing, a design prototype is built as a suggestion for a new way to work with risk assessments. Findings show that there is a need for better usability when assessing risk in data protection, and that tools shaped according to user needs benefit risk assessments. At stake is our data privacy.

interaction design

user experience

software design

general data protection regulation

risk

risk management

risk assessment

dpia

Engineering and Technology

Teknik och teknologier

Sociální sítě a ochrana soukromí uživatelů / Social Networks and User's Privacy

Gallíková, Lucia

January 2010

This diploma thesis is focused on current phenomenon of online social networks, especially on problems regarding users' privacy protection. Theoretical base of the thesis consist of basic explanation of key terms, particularly social networks and security perception. Practical part contains analysis of the currently most widespread social network Facebook with emphasis on user's data protection a its security. This part is completed with comparison of the Facebook with other examples of selected social networks. Final part of the thesis consist a summary of positive aspects as well as risk of using social networks. It also presents a concept of a social network that respects user's privacy. key words: social networks, security, data protection, Facebook, user

Dohled a etika / Surveillance and Ethics

Slavíček, Daniel

January 2012

The theme of the dissertation is surveillance. Its aim is to answer the following question: up to what extend do we live in a society, which may be described as a surveillance society. For this purpose it defines, what is meant by surveillance, how surveillance evolved through history, which theories relevantly describe this phenomenon and in which spheres surveillance is notable. The dissertation introduces the main theories of the multi-disciplinary field of surveillance studies, which has been developing over the last twenty years. Special attention is focused on CCTV systems. At the same time, the thesis focuses on ethical problems of surveillance, i.e. privacy, discrimination, social exclusion, transparency and responsibility.

Vad innebär GDPR för e-handlare? En studie om GDPR och dess påverkan på svenska e-handelsföretag / What does the GDPR mean for e-commerce businesses? A study of GDPR and its effect on swedish e-commerce businesses

Hellstrand, Malin, Putnoki, Lilla

January 2018

The aim of this bachelor thesis is to examine which adaptions Swedish e-commerce businesses have done to prepare for the new General Data Protection Regulation (GDPR). Using a qualitative method this study investigates how these companies have prepared themselves and what they have done to get their digital platforms such as websites, email and social media in order to be GDPR proof. The method which is used is semi structured interviews. The result of the study shows that the companies have been missing concrete guidelines on how the adaptions should be done from the Swedish government. The majority of the adaptions are therefor built on the businesses own adaptions of the new regulation. The conclusion reached in this thesis is that it has been hard for the companies to convert the law’s requirements into practical technical solutions.

Informationsarkitektur (IA)

digitala plattformar

Privacy by Design (PbD)

e-handel

Information Studies

Biblioteks- och informationsvetenskap

En undersökning av förändringar som behöver införas för att överensstämma med GDPR - I utveckling och drift av smarta kameror

Lukacs, Andrea, Szczurek, Malgorzata

January 2018

Konceptet av sakernas internet handlar om att datorer ska kunna agera utan mänsklig interaktion. Detta gör att smarta larm med kameror själva kan avgöra när ett larm ska utlösas och kan då ta åtgärder som att ta bilder på hemmet som kameror är installerade i samt på individer. Detta skapar vissa etiska frågor kopplade till dataintegriteten. För att kunna kontrollera företagens användning av mängder data som kan genereras idag och för att ge individer rättigheter över hur deras data behandlas har EU tagit fram en förordning kallad General Data Protection Regulation (GDPR). Denna kommer att förändra utveckling och drift av smarta kameror, eftersom bilder är personuppgifter som omfattas av förordningen. Därför är tydliga strategier kring vilka förändringar företag som utvecklar eller driftar kameror behöver införa för att uppfylla GDPR kraven nödvändiga för att upprätthålla användarnas dataintegritet. Projektets syfte är därför att redogöra för huvudsakliga förändringar som behöver införas hos företag identiska till studieobjekten samtidigt som inställningen till förändringen beaktas, vilket är en nyckelfaktor till en lyckad implementering. Detta uppnås genom datainsamling via intervjuer som utfördes hos företag ledande inom utveckling och drift av smarta kameror. Resultatet bekräftar hypotesen om att kamera och säkerhetsföretag är sakkunniga inom säkerhet och integritet, samt visar att företag handskas med fem, följande, huvudsakliga förändringar: finna lösningar på insamling av informerade samtycken, dokumentation som måste bli mer utförlig, kontraktskrivning med leverantörer måste ges mer uppmärksamhet, att möjliggöra framförallt i backenden när en kund begär ut all data, samt privacy by design och ett helhetsperspektiv som behöver implementeras mer under utvecklingsprocessen. Vidare kan arbetet användas som beslutsunderlag i liknande organisationer som studieobjekten, eftersom det ger även förslag på förbättringsområden vilka har för avsikt att förstärka möjligheten till en lyckad tillfredsställelse av GDPR kraven. / The concept of the Internet of Things is about computers being able to act without human interaction. This allows smart alarms with cameras to determine themselves when an alarm is triggered and can take action like taking pictures at home that cameras are installed in as well as on individuals. This creates some ethical issues related to data privacy. In order to control companies' use of amounts of data that can be generated today and to give individuals rights over how their data is processed, the EU has developed a regulation called the General Data Protection Regulation (GDPR). This will change the development and operation of smart cameras, as images are personal data that are covered by the regulation. Therefore, clear strategies about the changes that needs to be implemented to meet the GDPR requirements is necessary to maintain users' data privacy. The purpose of the project is therefore to account for major changes that need to be introduced to companies identical to the study objects while taking into account the attitude towards the change, which is a key factor for successful implementation. This is achieved through data acquisition through interviews conducted by companies leading in the development and operation of smart cameras. The result confirms the hypothesis that camera and security companies are experts in security and integrity, as well as demonstrating that companies are dealing with five, the following major changes: finding solutions for collecting informed consent, documentation that needs to be more detailed, contracting with suppliers must be paid more attention to, make it technically possible for a customer to request and get all data, as well as Privacy by Design and an overall perspective that needs to be implemented during the development process. In addition, the work can be used as a basis for decision making in similar organizations as the study objects who develop IoT products, as it also provides suggestions for improvement areas that intend to enhance the possibility of a successful satisfaction of the GDPR requirements.

Internet of things

General Data Protection Regulation

smarta larm

smarta kameror

förändring

säkerhet

integritet

Engineering and Technology

Teknik och teknologier

EU’s Proposed AI Regulation in the context of Fundamental Rights : Analysing the Swedish approach through the lens of the principles of good administration

Yıldız, Melih Burak

January 2021

AI has become one of the most powerful drivers of social change, transforming economies, impacting politics and wars, and reshaping how citizens live and interact. Nevertheless, the implementation of AI can have adverse effects on peoples’ lives. This dissertation first examines the relationship between artificial intelligence and public law, mainly in two domains, administrative law and criminal law. It also provides a clear insight into the potential impact of AI applications on fundamental rights in the legal context of the European Union. Four selected fundamental rights, Human Dignity, Data Protection and Right to Privacy, Equality and Non-discrimination, and Access to Justice, are examined. The dissertation further explores the European Commission's new proposed AI regulation, which was proposed in April 2021. The proposal aims to put forward a risk- based approach for a harmonized EU legislation by considering the ethical and human sides and without unnecessarily restricting the development of AI technologies. The study focuses on examples from Sweden throughout the study and lastly, examines the Swedish approach in the context of the principles of good administration.

artificial intelligence

artificial intelligence regulation

trustworthy artificial intelligence

data protection principles

fundamental rights

good administration

Sweden.

Law

Juridik

Essential Healthcare Services and Cloud Computing

Hourani, Osama

January 2021

Like many organizations, critical infrastructures and essential services are adopting cloud computing. The many benefits are however clouded with security concerns. These types of organizations and services are associated with severe societal and individual consequences from failures or incidents. They are naturally subject to strict regulations and requirements. Even if critical and essential services are adopting and utilizing cloud computing, organizations hesitate due to unsolved challenges with cloud computing for critical and essential services. To mitigate such unnecessary impediments and to enhance secure Health-CC, there is a need for an exploration of existing solutions for Health-CC, as well as investigating gaps, to provide improving considerations. To address this problem, the thesis investigated existing challenges and solutions for cloud computing security, regarding cloud computing within essential healthcare. Here, called “Health-CC”, and encompasses settings and processes where cloud computing is highly involved and where system, assets, and data protection are intensively actualized. The research question required the author to identify cloud computing challenges, thematize related solutions, patterns, gaps, and laying a basis for a well-based discussion on possible improving considerations – from a pertinent critical infrastructure protection perspective, for essential healthcare services. The chosen research question necessitated a problem-driven mixed methods approach, where a systematic literature review was utilized for the overall research guidance and selection procedures. Selection criteria were formulated to capture the mentioned Health-CC security settings. An integrated traditional literature review was added for the purpose of the scientific base. At the analysis level, the mixed methods approach facilitated a thematic synthesis analysis – to identify themes, patterns, and gaps or shortcomings, as well as lay the basis for following discussion of improving security considerations. Three solution groups were identified: specific techniques, software architecture, and assessment models. Further analysis of their solution types from a pertinent critical infrastructure protection perspective, identified multiple patterns: from recurring techniques or administrative components, targeted security issues, Health-CC environment focus, framework coverage, to the type of aspects and perspectives involved. This resulted in general patterns of solution components and perspectives, although revealing several shortcomings and possible improving considerations for enhanced Health-CC security: explicit critical infrastructure protection perspective; focus on continuity aspects; multi-party and multi-actor nature of Health-CC arrangement deserves more focus; system protection emphasis; availability concept and deterring properties highly considered; cloud environment specified when possible; data protection concerns only crucial and sensitive data required by law. Its conclusions on the exploration of solutions as well as improving considerations contribute to the HealthCC security field, to a satisfying degree.

cloud computing

essential healthcare

cloud security

critical infrastructure protection

system protection

data protection.

Computer Sciences

Datavetenskap (datalogi)

Dohled a etika / Surveillance and Ethics

Slavíček, Daniel

January 2012

The theme of the dissertation is surveillance. Its aim is to answer the following question: up to what extend do we live in a society, which may be described as a surveillance society. For this purpose it defines, what is meant by surveillance, how surveillance evolved through history, which theories relevantly describe this phenomenon and in which spheres surveillance is notable. The dissertation introduces the main theories of the multi-disciplinary field of surveillance studies, which has been developing over the last twenty years. Special attention is focused on CCTV systems. At the same time, the thesis focuses on ethical problems of surveillance, i.e. privacy, discrimination, social exclusion, transparency and responsibility.

Understanding Data Practices in Private Corporations : Analysis of Privacy Policies, Cookies Statements and “Dark Patterns”

Mendes, Débora

January 2022

Introduction: We analyse the privacy policies of 15 private corporations to understand if the data handling practices – data collection, storage, and sharing –described in the policies are ethical or unethical. The data we leave behind when we use the Internet are crucial for corporations. The data provides valuable insights into our lives, thus helping corporations improve targeted marketing campaigns and increase their revenue. Method: Extensive literature review of peer-reviewed articles, written between1993 and 2021, to examine how theoretical perspectives and empirical findings evolved over time; combined with empirical research to analyse the privacy policies and “dark patterns” of 15 companies. The companies were chosen at random and belong to different sectors to give a broader understanding of the current privacy and data handling practices. Analysis: Discourse analysis of the privacy policies to evaluate the type of language used, if it is clear, easy to understand, and if the policy informs users about how their data are collected, shared, and stored. But also, a visual analysis to understand if the company is implementing “dark patterns”. Results: The results indicate that most privacy policies use misleading terms, are not fully transparent about the company’s data handling practices, and often implement “dark patterns” to try to influence the users’ decisions. Conclusion: Most companies have privacy policies available on their websites due to a clear influence from the GDPR legislation, however, there appears to be a conflicting relationship between wanting to comply with the GDPR and wanting to gather as much information as possible.

Ethics

Etik

Compliance with the General Data Protection Regulation: an exploratory case study on business systems’ adaptation / Medgörlighet med Dataskyddsförordningen: en undersökande fallstudie av affärssystems anpassning

Knutsson, Mikael

January 2017

Current moves into a heavily digitalized era has led to a phase where our privacy is being eroded as we hand over our personal data to organizations and their systems. At the same time, the applicable laws to give security to the individuals have failed to incorporate these legal developments. However, in April 2016 the European Union proposed a change to a new regulation called the General Data Protection Regulation (GDPR). The GDPR will be implemented and start to apply in May 2018, thus the main purpose of this study was to investigate how organizations can adapt to changing regulations on how personal data should be stored and managed, and what the key tension points are within specifically closed IT-systems. The goal of the GDPR and this study on its feature implementation is to guarantee the EU citizens their right to privacy. Through an exploratory case study involving an in-depth analysis of two closed IT-systems this study develops a broader understanding on how organizations should adapt their daily businesses in order to be fully compliant with the new bylaws. This study identifies four critical issues which are used to discuss how the new bylaws could affect the EU citizens’ privacy. To accomplish this and open up for further investigation within the field of data privacy laws - four different propositions to modifications were suggested. / Den aktuella övergången till en omfattande digitaliserad tid har lett till en fas där vår integritet går förlorad då vi överlämnar vår personliga information till organisationer och deras system. Samtidigt har de tillämpade datalagarna med syfte att skydda individen misslyckats med att införliva denna utveckling. Därför har den Europeiska Unionen i april 2016 föreslagit en förändring till en ny reglering som får namnet Dataskyddsförordningen. Dataskyddsförordningen kommer blir implementerad och börja gälla i maj 2018 och därav var huvudsyftet med den här studien att undersöka hur organisationer bör anpassa sig till de nya riktlinjerna för hur personlig information bör lagras och hanteras samt vilka spänningspunkterna är för slutna IT-system. Målet med Dataskyddsförordningen och vad den här studien beaktade i dess kommande utförande är att garantera EU-medborgare rätten till sin integritet. Genom att utföra en undersökande fallstudie innehållandes en djupgående analys av två slutna IT-system har den här studien bidragit med en bredare förståelse för hur organisationer bör anpassa sina dagliga verksamhet för att vara helt medgörliga med Dataskyddsförordningen. Studien har identifierat fyra kritiska problem som har legat till grund för att diskutera hur den nya förordningen kommer påverka EU-medborgarnas rätt till sin integritet. För att göra det möjligt samt öppna upp för framtida undersökningar inom ramen för dataskyddslagar föreslogs fyra förslag på generella förändringar.

Data protection laws

GDPR

privacy

the right to be forgotten

IT safety

data minimization

Media and Communication Technology

Medieteknik