Evaluating and enriching information and communication technologies compliance frameworks with regard to privacy

Abstract

PurposeThe aim of the paper is to highlight gaps in compliance environments regarding information privacy and provide recommendations for global information privacy standards.Design/methodology/approachThe paper draws conceptually upon an existing security standard's framework and omissions in information privacy compliance frameworks are recognized. As a result, an extended framework of information security and privacy standards is developed. Moreover, taking into account the different attributes and focus of information privacy as compared to information security, the elicitation of usability criteria for web applications and interfaces that will assist users to protect their privacy, is being proposed.FindingsWithin ICT standards numerous information security standards exist, which enable a common understanding of security requirements and promote global rules and practices for security mechanisms. Through their usage, designed information systems ultimately reach a commonly accepted security level and interoperate with other systems in an efficient and secure way. Nevertheless, a similar compliance environment is missing with regard to information privacy. Often security controls are seen as the solution to privacy protection and security compliance frameworks are regarded as guidance to information privacy as well. This is clearly the wrong approach since the main security and privacy attributes are different; information security refers to information stored, processed and transmitted for completing the information system's functions and purpose, while information privacy is the protection of the information's subject identity.Research limitations/implicationsThe identified gaps in compliance environments are based on extensive literature review, while the proposed enhancements for the information privacy standards are, at this stage, an opinion‐based piece of work.Originality/valueCurrently, information privacy is treated mostly as a legal compliance requirement and thus is not adequately handled by security standards. The paper provides recommendations and further guidance in managerial, procedural and technical level for handling information privacy.