Cloud Privacy Audit Framework: A Value-Based Design

Coss, David

01 January 2013

The rapid expansion of cloud technology provides enormous capacity, which allows for the collection, dissemination and re-identification of personal information. It is the cloud’s resource capabilities such as these that fuel the concern for privacy. The impetus of these concerns are not too far removed from those expressed by Mason in 1986, when he identified privacy as one of the biggest ethical issues facing the information age. There seems to be continuous ebb and flow relationship with respect to privacy concerns and the development of new information communication technologies such as cloud computing. Privacy issues are a concern to all types of stakeholders in the cloud. Individuals using the cloud are exposed to privacy threats when they are persuaded to provide personal information unwantedly. An Organization using a cloud service is at risk of non-compliance to internal privacy policies or legislative privacy regulations. The cloud service provider has a privacy risk of legal liability and credibility concerns if sensitive information is exposed. The data subject is at risk of having personal information exposed. In essence everyone who is involved in cloud computing has some level of privacy risk that needs to be evaluated before, during and after they or an organization they interact with adopts a cloud technology solution. This resonates a need for organizations to develop privacy practices that are socially responsible towards the protection of their stakeholders’ information privacy. This research is about understanding the relationship between individual values and their privacy objectives. There is a lack of clarity in organizations as to what individuals consider privacy to be. Therefore, it is essential to understand an individual’s privacy values. Individuals seem to have divergent perspectives on the nature and scope of how their personal information is to be kept private in different modes of technologies. This study is concerned with identifying individual privacy objectives for cloud computing. We argue that privacy is an elusive concept due to the evolving relationship between technology and privacy. Understanding and identifying individuals’ privacy objectives are an influential step in the process of protecting the privacy in cloud computing environments. The aim of this study is to identify individual privacy values and develop cloud privacy objectives, which can be used to design a privacy audit for cloud computing environments. We used Keeney’s (1992) value focused thinking approach to identify individual privacy values with respect to emerging cloud technologies, and to develop an understanding of how cloud privacy objectives are shaped by the individual’s privacy values. We discuss each objective and how they relate to privacy concerns in cloud computing. We also use the cloud privacy objectives in a design science study to design a cloud privacy audit framework. We then discuss the how this research helps privacy managers develop a cloud privacy strategy, evaluate cloud privacy practices and develop a cloud privacy audit to ensure privacy. Lastly, future research directions are proposed.

Cloud Computing

Design Science

Privacy

Privacy Audit

Privacy Objectives

Value Focused Thinking

Business

Technology and Innovation

DSAP: Data Sharing Agreement Privacy Ontology / Privacy Ontology for Health Data Sharing in Research

Li, Mingyuan

January 2018

Medical researchers utilize data sharing agreements (DSA) to communicate privacy policies that govern the treatment of data in their collaboration. Expression of privacy policies in DSAs have been achieved through the use of natural and policy languages. However, ambiguity in natural language and rigidness in policy languages make them unsuitable for use in collaborative medical research. Our goal is to develop an unambiguous and flexible form of expression of privacy policies for collaborative medical research. In this thesis, we developed a DSA Privacy Ontology to express privacy policies in medical research. Our ontology was designed with hierarchy structure, lightweight in expressivity, closed world assumption in interpretation, and the reuse of other ontologies. The design allows our ontology to be flexible and extensible. Being flexible allows our ontology to express different types of privacy policies. Being extensible allows our ontology to be mapped to other linkable ontologies without the need to change our existing ontology. We demonstrate that our ontology is capable of supporting the DSA in a collaborative research data sharing scenario through providing the appropriate vocabulary and structure to log privacy events in a linked data based audit log. Furthermore, through querying the audit log, we can answer privacy competency questions relevant to medical researchers. / Thesis / Master of Science (MSc)

Privacy

Health Research

Medical Research

Ontology

Data Sharing

Data Sharing Agreements

Linked Data

Privacy Audit Log

Health Information Sharing

Health Information