Abstract

Protecting personal data in current software systems is a complex issue that requires legal regulations and constraints to manage personal data, as well as methodological support to develop software systems that safeguard the data privacy of their respective users. The Privacy by Design (PbD) approach has been proposed to address this issue and has been applied to systems development in a variety of application domains. The aim of this work is to determine the presence of PbD and its extent in software development efforts. A systematic mapping study was conducted in order to identify relevant literature that collects PbD principles and goals in software development, as well as methods and/or practices that support privacy-aware software development. The 53 selected papers address PbD mostly from a theoretical perspective, with validation of proposals based primarily on experiences or examples. The findings suggest that there is a need to develop privacy-aware methods to be integrated at all stages of the software development life cycle and to validate them in industrial settings.

Highlights

  • According to Warren and Brandeis [1], privacy is a state of social withdrawal or the right to be ‘left alone’

  • Given that privacy requirements are treated in a narrow perspective as security requirements [23], and in order to determine the extent to which privacy is addressed in software engineering (SE) literature, we focused only on the perspective of “privacy by design” proposed by Cavoukian, since it is recognized as an approach with which to address privacy in software systems [83]

  • This paper presents a mapping study that has been conducted in order to determine the State of the Art as regards Privacy by Design (PbD) in software development


Summary

Introduction

According to Warren and Brandeis [1], privacy is a state of social withdrawal or the right to be ‘left alone’. Altman [2], Nissenbaum [3], and Palen and Dourish [4] state that privacy is not just a state of withdrawal, but a contextual, situated, practically achieved matter of boundary management. This means that the context in which information is disclosed and the mechanisms employed to handle it are essential in determining the extent to which privacy is addressed in a particular situation [5]. The protection of data is usually resolved through the use of encryption and security application frameworks.
