Privacy Experts Research Articles

A novel encryption protocol for facilitating de-identification of genomics health data

The exponential growth and affordability of genomics sequencing in the clinical landscape in recent years have intensified a challenge facing privacy experts. They grapple with how to evaluate and mitigate the significant risk of genomics data being used to re-identify individuals. The lack of clear genomics guidance in HIPAA has invited a wide spectrum of expert opinion from advocating for conservative limitations to be placed on genomics data sharing to ‘security’-based arguments that carefully calibrated technical, administrative, and legal safeguards may provide adequate protection in many cases. The need to weigh privacy concerns against the extraordinary value that genomics data offers to cancer and rare disease clinical research is compounded by the reality that conventional data modifications, such as redaction, aggregation, and perturbation, often critically undermine these important use cases. We present an innovative solution for de-identifying genomics data according to a conservative interpretation of HIPAA while still preserving maximal utility for clinical purposes. Our solution rejects the notion that privacy can be achieved directly via security. Instead, we introduce a reversible encryption protocol designed to be applied to specific combinations of genetic variants and their locations on the genome. The encrypted genomic data is fully de-identified, allowing researchers to perform analyses on the encrypted data in a secure Clean Room environment. The environment host is then able to decrypt and deliver variant-level summary statistics and aggregated outputs from the analysis to the recipient. As information in this format no longer links to patient-level data the solution remains de-identified end-to-end.

Building public trust and confidence in secondary use of health data for healthcare improvement and research: a qualitative study pre-protocol.

Background Secondary use of health data provides opportunities to drive improvements in healthcare provision, personalised medicine, comparative effectiveness research, health services innovation, and policy and practice. However, secondary data use requires compliance with relevant legislation, implementation of technical safeguards, ethical data management, and respect for data sharers. Existing evidence suggests widespread support for secondary use of health data among the public, which co-exists with concerns about privacy, confidentiality and misuse of data. Balancing the protection of individuals' rights against the use of their health data for societal benefits is of vital importance, and trust underpins this process. The study protocol explores how to build public trust and confidence in the secondary use of health data through all key stakeholder groups in Ireland, towards developing a culture that promotes a safe and trustworthy use of data. Methods This study will adopt a qualitative cross-sectional approach conducted in accordance with the Consolidated Criteria for Reporting Qualitative Research COREQ guidelines. Participants in the study will include academics and researchers; healthcare professionals, data protection, ethics and privacy experts and data controllers; pharmaceutical industry and patients and public. Purposive and convenience sampling techniques will be utilised to recruit the participants, and data will be collected utilizing focus groups that may be supplemented with semi-structured interviews. Data will be coded by themes using reflexive thematic analysis (TA) and collective intelligence (CI) will be convened post-analysis to explore the preliminary findings with the participants. Ethics and Dissemination Ethical approval was obtained from the Royal College of Surgeons in Ireland Research Ethics Committee (REC202208013). Final data analysis and dissemination is expected by Q1 2024. Findings will be disseminated through peer-reviewed journal publications, presentations at relevant conferences, and other academic, public and policy channels. Lay summaries will be designed for Public and Patient Involvement (PPI) contributors and general public.

Privacy Essentials

Following a series of legislative changes around privacy over the past 25 years, this study highlights data protection regulations and the complexities of applying these frameworks. To address this, we created a privacy framework to guide organisations in what steps they need to undertake to achieve compliance with the UK GDPR, highlighting the existing privacy frameworks for best practice and the requirements from the Information Commissioners Office. We applied our framework to a UK charity sector; to account for the specific nuances that working in a charity brings, we worked closely with local charities to understand their requirements, and interviewed privacy experts to develop a framework that is readily accessible and provides genuine value. Feeding the results into our privacy framework, a decision tree artefact has been developed for compliance. The artefact has been tested against black-box tests, System Usability Tests and UX Honeycomb tests. Results show that Privacy Essentials! provides the foundation of a data protection management framework and offers organisations the catalyst to start, enhance, or even validate a solid and effective data privacy programme.

Validation and extension of two domain-specific information privacy competency models

The purpose of this paper is to validate two domain-specific information privacy competency models (IPCMs); the first for online consumers and the second for users of mobile applications (apps). For the validation of the competency models, we conducted qualitative research, using interviews to collect feedback by a group of nine information privacy experts. Regarding the evaluation, the experts commented largely positively for the structure and content of the IPCMs, as well as for the extent to which they achieve the intended goals. They also provided several points for improvements, which resulted in enhancing the quality of both IPCMs. The validation of the domain-specific demonstrated that this is the first study to empirically examine the privacy competencies that users of specific technological contexts should hold. The IPCMs can be used not only by educators and privacy policy makers for the design of privacy interventions, but also by e-commerce and mobile-apps providers, who could gain important insights into the way that they can be more reliable for their users. Both consumers and users of mobile-apps could benefit from IPCMs by acquiring the necessary privacy competencies through training programs for the protection of their information privacy.

On Being an Expert: Habitus as a Lens for Understanding Privacy Expertise

How do privacy experts and lay persons differ? We investigate this question using data about the use of privacy-enhancing technologies and strategies from 128 surveys and 17 follow-up interviews with two populations: privacy experts (i.e., privacy researchers and professionals) and privacy laypersons. Findings reveal that both experts and laypersons use common privacy strategies, but experts employ a broader range of strategies, favor open source technologies, and possess a more technical understanding of internet privacy risks and technologies such as onion routing and tracking algorithms. We characterize these differences in terms of sociological habitus, where experts and laypersons differ not only in technical skill but also in broader conceptualizations and practices. From this characterization, we make recommendations for technology design practices, as well as legal and pedagogical implications, that can help decenter the experiences of privacy experts and accommodate privacy laypersons' preferences and habits.

The proposed Regulation to fight online child sexual abuse: an appraisal of privacy, data protection and criminal justice issues

ABSTRACT Protecting children online is a priority for the EU legislator. Since July 2021, an interim regulation allows service providers to derogate from confidentiality safeguards in the e-privacy Directive to fight child sexual abuse online. The European Commission aims to repeal this legislation with a proposal of May 2022. This Regulation will require providers to monitor users’ content communication for online child sexual abuse, among other things. Privacy experts worry that confidentiality standards (i.e. end-to-end encryption) will be weakened and that the Regulation will serve as a basis for indiscriminate interception of content communications. However, the implications of the proposal go beyond privacy and data protection and will impact criminal justice rights too. Therefore, this contribution presents a comprehensive analysis of the proposal from a privacy, data protection and criminal justice perspective. It examines the proportionality of the measure and its implications within the Area of Freedom, Security, and Justice (AFSJ). Specifically, it looks at purpose limitation issues in data exchanges and the admissibility of such evidence in criminal proceedings. The aim is to show that the EU, while aiming at increasing data circulation in the AFSJ, might not be ready for this challenge from an infrastructural and fundamental rights standpoint.

Comprehensive evaluation of privacy policies using the contextual integrity framework

AbstractOnline privacy policies are often lengthy and difficult to understand. This may lead many users to avoid reading them despite increasing concerns about how their personal information is managed. This article presents a structured approach to evaluate the transparency and comprehensiveness of privacy policies using a comprehensive set of evaluation questions within the contextual integrity (CI) framework. We use these questions to identify policies' responses to key privacy concerns. Applying the CI framework, we analyze the clarity and context of these responses, identifying any vagueness and contextual issues that could impede a user's understanding of the privacy policy. Using the CI analysis, we quantify the quality of policies' responses, thereby enabling users to make informed decisions about online services or products. We apply our methodology to two popular messaging apps, Telegram and WhatsApp, using them as case studies to systematically uncover the strengths and weaknesses of their privacy policies. The findings demonstrate that our proposed methodology can effectively identify transparency issues and assess the comprehensiveness of privacy policies. This suggests that our approach could serve as a practical alternative to subjective evaluations typically conducted by privacy experts.

Case study on communicating with research ethics committees about minimizing risk through software: an application for record linkage in secondary data analysis.

In retrospective secondary data analysis studies, researchers often seek waiver of consent from institutional Review Boards (IRB) and minimize risk by utilizing complex software. Yet, little is known about the perspectives of IRB experts on these approaches. To facilitate effective communication about risk mitigation strategies using software, we conducted two studies with IRB experts to co-create appropriate language when describing a software to IRBs. We conducted structured focus groups with IRB experts to solicit ideas on questions regarding benefits, risks, and informational needs. Based on these results, we developed a template IRB application and template responses for a generic study using privacy-enhancing software. We then conducted a three-round Delphi study to refine the template IRB application and the template responses based on expert panel feedback. To facilitate participants' deliberation, we shared the revisions and a summary of participants' feedback during each Delphi round. 11 experts in two focus groups generated 13 ideas on risks, benefits, and informational needs. 17 experts participated in the Delphi study with 13 completing all rounds. Most agreed that privacy-enhancing software will minimize risk, but regardless all secondary data studies have an inherent risk of unexpected disclosures. The majority (84.6%) noted that subjects in retrospective secondary data studies experience no greater risks than the risks experienced in ordinary life in the modern digital society. Hence, all retrospective data-only studies with no contact with subjects would be minimal risk studies. First, we found fundamental disagreements in how some IRB experts view risks in secondary data research. Such disagreements are consequential because they can affect determination outcomes and might suggest IRBs at different institutions might come to different conclusions regarding similar study protocols. Second, the highest ranked risks and benefits of privacy-enhancing software in our study were societal rather than individual. The highest ranked benefits were facilitating more research and promoting responsible data governance practices. The highest ranked risks were risk of invalid results from systematic user error or erroneous algorithms. These societal considerations are typically more characteristic of public health ethics as opposed to the bioethical approach of research ethics, possibly reflecting the difficulty applying a bioethical approach (eg, informed consent) in secondary data studies. Finally, the development of privacy-enhancing technology for secondary data research depends on effective communication and collaboration between the privacy experts and technology developers. Privacy is a complex issue that requires a holistic approach that is best addressed through privacy-by-design principles. Privacy expert participation is important yet often neglected in this design process. This study suggests best practice strategies for engaging the privacy community through co-developing companion documents for software through participatory design to facilitate transparency and communication. In this case study, the final template IRB application and responses we released with the open-source software can be easily adapted by researchers to better communicate with their IRB when using the software. This can help increase responsible data governance practices when many software developers are not research ethics experts.

“Those things are written by lawyers, and programmers are reading that.” Mapping the Communication Gap Between Software Developers and Privacy Experts

To ensure data-privacy compliance, it is common for companies to consult privacy experts for the identification and communication of privacy requirements to software developers. However, developers often fail to fulfill those requirements resulting in companies regularly being fined for violations due to non-compliance with privacy data regulations. To investigate why software developers struggle with the implementation of privacy requirements and explore their communication modality, we conducted a qualitative semi-structured interview study with 30 participants involving 10 software developers, 10 privacy experts, and 10 team coordinators with an average experience of nine years in the privacy communication and implementation process within a company context. We found a communication gap between software developers and privacy experts, suggesting a lack of proper procedural steps during the software development process to guarantee that the privacy requirements have been adequately addressed. We also uncovered that since privacy requirements were mostly communicated in a uni-directional manner, they were often perceived as a hindrance during software development, thus fostering an adversarial relationship between privacy experts and developers. Therefore, in order to fulfill the experts' requirements, software developers requested concrete steps to take during the software development process, as observed in the security field. However, privacy experts often lacked the technical knowledge to provide such instructions. This work contributes an explanatory theory on the communication gap between software developers and privacy experts. We discuss common obstacles in the communication of privacy experts and software developers and provide guidance on how to address them.

Integrated Interaction Journey and Privacy Risk Assessment: A Graph Model

Smart airports involve several applications and stakeholders to facilitate passenger journey. Passengers interact with those stakeholders and share their personal information using the smart airport applications. While the use of smart airport applications offers several benefits, it also puts passengers’ personal information at risk. This draws our attention to the need for identifying and understanding privacy risks with a view to protect passenger information at smart airports. Our earlier systematic literature review study revealed a gap in modelling passenger information privacy risks in the context of smart airports. This paper aims to address this gap by developing an ontology for interaction journey and privacy risk assessment modeling. The contribution of the proposed ontology is to bring new knowledge and understanding of privacy risks in the contemporary smart airport context. The development and evaluation of the proposed framework follows the Design Science Research (DSR) method along with the ontology development techniques. The proposed ontology aims to assist privacy experts in modelling and analyzing privacy risks relevant to passenger information in the smart airport context.

Techno-legal expertise and the datafication of the state: Big data, accountability and the value of a social license with institutional roots

As governments around the world become increasingly datafied, debates are emerging about the best ways to attend to the complex socio-political implications of big data and the datafication of the state. Drawing on semi-structured interviews with senior executives and data experts within Australian government agencies, high-level privacy experts, and other experts in public sector data integration, this article examines how a sociotechnical imaginary about data-driven, democratic government acts within and alongside routinely bureaucratised forms of techno-legal risk management to inform the work of Australia’s data integration experts. Notably, these techno-legal experts recognised the limitations of techno-legal data management, and mobilised notions of the social license when seeking to (re)orient the trajectories of data integration towards the democratic, data-driven government they envisage. Contributing to debates about the datafication of the state, we argue that while a social license will not be a panacea to all the complexities of datafication, a social license with institutional roots is essential to deepen accountability towards publics, and to help ensure that datafication can be co-produced by, and reflective of, the sociotechnical futures envisaged by a broader range of publics.

From Ethics to Execution: The Role of Academic Librarians in Artificial Intelligence (AI) Policy-Making at Colleges and Universities

This paper highlights the importance of involving academic librarians in the development of ethical AI policies. The Academic Librarian Framework for Ethical AI Policy Development (ALF Framework) is introduced, recognizing librarians’ unique skills and expertise. The paper discusses the benefits of their involvement, including expertise in information ethics and privacy, practical experience with AI tools, and collaborations. It also addresses challenges, such as limited awareness, institutional resistance, resource constraints, interdisciplinary collaboration, and evolving AI technologies, offering practical solutions. By actively involving librarians, institutions can develop comprehensive and ethical AI policies that prioritize social responsibility and respect for human rights.

Building public trust and confidence in secondary use of health data for healthcare improvement and research: a qualitative study pre-protocol

Background Secondary use of health data provides opportunities to drive improvements in healthcare provision, personalised medicine, comparative effectiveness research, health services innovation, and policy and practice. However, secondary data use requires compliance with relevant legislation, implementation of technical safeguards, ethical data management, and respect for data sharers. Existing evidence suggests widespread support for secondary use of health data among the public, which co-exists with concerns about privacy, confidentiality and misuse of data. Balancing the protection of individuals’ rights against the use of their health data for societal benefits is of vital importance, and trust underpins this process. The study protocol explores how to build public trust and confidence in the secondary use of health data through all key stakeholder groups in Ireland, towards developing a culture that promotes a safe and trustworthy use of data. Methods This study will adopt a qualitative cross-sectional approach conducted in accordance with the Consolidated Criteria for Reporting Qualitative Research COREQ guidelines. Participants in the study will include academics and researchers; healthcare professionals, data protection, ethics and privacy experts and data controllers; pharmaceutical industry and patients and public. Purposive and convenience sampling techniques will be utilised to recruit the participants, and data will be collected utilizing focus groups that may be supplemented with semi-structured interviews. Data will be coded by themes using reflexive thematic analysis (TA) and collective intelligence (CI) will be convened post-analysis to explore the preliminary findings with the participants. Ethics and Dissemination Ethical approval was obtained from the Royal College of Surgeons in Ireland Research Ethics Committee (REC202208013). Final data analysis and dissemination is expected by Q1 2024. Findings will be disseminated through peer-reviewed journal publications, presentations at relevant conferences, and other academic, public and policy channels. Lay summaries will be designed for Public and Patient Involvement (PPI) contributors and general public.

AMA House of Delegates amends policy on on charting SUDS

Last week physicians voted to keep some form of confidentiality in substance use disorder (SUD) treatment — or at least to involve privacy experts in making changes — while at the same time calling to make it easier for electronic medical records to include notating SUD issues. This and other votes came during the annual meeting of the American Medical Association's (AMA) House of Delegates.

Improving the Continuity of Care for People Living with HIV Experiencing Incarceration in North Carolina Jails: Stakeholder Perspectives.

BACKGROUND Jail detention can disrupt the continuity of care for people living with HIV/AIDS (PLWH). Using a state's "Data to Care" (D2C) program might help overcome this barrier, but raises important questions of data security, personal privacy, resource allocation, and logistics.METHODS As part of a study involving in-depth expert stakeholder interviews, a 1-day workshop was convened to identify and discuss potential ethical challenges in extending North Carolina's D2C program to jail settings. Workshop participants included public health officials, community advocates, HIV clinicians, jail administrators, privacy experts, criminal justice researchers, and a formerly incarcerated PLWH. Workshop participants discussed the results of earlier stakeholder interviews with the goal of identifying the most important points to consider in assessing the merits of extending D2C surveillance to jail settings.RESULTS Although the workshop participants expressed support for improving the continuity of HIV care for jail detainees, they had mixed perspectives on whether a jail-based D2C program should include in-jail or post-release follow-up interventions. Their positions were influenced by their views on 4 sets of implementation issues: privacy/data-sharing; government assistance/overreach; HIV criminalization/exceptionalism; and community engagement.LIMITATIONS The limitations of this stakeholder engagement exercise include its purposive recruitment, relatively small number of participants, and limited duration.CONCLUSIONS Improving the continuity of HIV care in particular jail settings will depend on a number of local considerations. In deciding between models featuring in-jail and post-release follow-up care, the most important of these considerations will be the possibility of establishing good partnerships between the jail, the health department, and the community. Additional research on the dynamics and impact of different models is needed.

Understanding Online Privacy—A Systematic Review of Privacy Visualizations and Privacy by Design Guidelines

Privacy visualizations help users understand the privacy implications of using an online service. Privacy by Design guidelines provide generally accepted privacy standards for developers of online services. To obtain a comprehensive understanding of online privacy, we review established approaches, distill a unified list of 15 privacy attributes and rank them based on perceived importance by users and privacy experts. We then discuss similarities, explain notable differences, and examine trends in terms of the attributes covered. Finally, we show how our results provide a foundation for user-centric privacy visualizations, inspire best practices for developers, and give structure to privacy policies.

Applicability of Different Electronic Record Types for Use in Patient Recruitment Support Systems: Comparative Analysis

BackgroundClinical trials constitute an important pillar in medical research. It is beneficial to support recruitment for clinical trials using software tools, so-called patient recruitment support systems; however, such information technology systems have not been frequently used to date. Because medical information systems' underlying data collection methods strongly influence the benefits of implementing patient recruitment support systems, we investigated patient recruitment support system requirements and corresponding electronic record types such as electronic medical record, electronic health record, electronic medical case record, personal health record, and personal cross-enterprise health record.ObjectiveThe aim of this study was to (1) define requirements for successful patient recruitment support system deployment and (2) differentiate and compare patient recruitment support system–relevant properties of different electronic record types.MethodsIn a previous study, we gathered requirements for patient recruitment support systems from literature and unstructured interviews with stakeholders (15 patients, 3 physicians, 5 data privacy experts, 4 researchers, and 5 staff members of hospital administration). For this investigation, the requirements were amended and categorized based on input from scientific sessions. Based on literature with a focus on patient recruitment support system–relevant properties, different electronic record types (electronic medical record, electronic health record, electronic medical case record, personal health record and personal cross-enterprise health record) were described in detail. We also evaluated which patient recruitment support system requirements can be achieved for each electronic record type.ResultsPatient recruitment support system requirements (n=16) were grouped into 4 categories (consent management, patient recruitment management, trial management, and general requirements). All 16 requirements could be partially met by at least 1 type of electronic record. Only 1 requirement was fully met by all 5 types. According to our analysis, personal cross-enterprise health records fulfill most requirements for patient recruitment support systems. They demonstrate advantages especially in 2 domains (1) supporting patient empowerment and (2) granting access to the complete medical history of patients.ConclusionsIn combination with patient recruitment support systems, personal cross-enterprise health records prove superior to other electronic record types, and therefore, this integration approach should be further investigated.

Catch a blowfish alive

Policy-aware differential privacy (DP) frameworks such as Blowfish privacy enable more accurate query answers than standard DP. In this work, we build the first policy-aware DP system for interactive data exploration, BlowfishDB, that aims to (i) provide bounded and flexible privacy guarantees to the data curators of sensitive data and (ii) support accurate and efficient data exploration by data analysts. However, the specification and processing of customized privacy policies incur additional performance cost, especially for datasets with a large domain. To address this challenge, we propose dynamic Blowfish privacy which allows for the dynamic generation of smaller privacy policies and their data representations at query time. BlowfishDB ensures same levels of accuracy and privacy as one would get working on the static privacy policy. In this demonstration of BlowfishDB, we show how a data curator can fine-tune privacy policies for a sensitive dataset and how a data analyst can retrieve accuracy-bounded query answers efficiently without being a privacy expert.

Envisioning Tool Support for Designing Privacy-Aware Internet of Thing Applications

The design and development process for Internet of Things (IoT) applications is more complicated than for desktop, mobile, or web applications. IoT applications require both software and hardware to work together across multiple different types of nodes (e.g., microcontrollers, system-on-chips, mobile phones, miniaturized single-board computers, and cloud platforms) with different capabilities under different conditions. IoT applications typically collect and analyze personal data that can be used to derive sensitive information about individuals. Without proper privacy protections in place, IoT applications could lead to serious privacy violations. Thus far, privacy concerns have not been explicitly considered in software engineering processes when designing and developing IoT applications, partly due to a lack of tools, technologies, and guidance. This article presents a research vision that argues the importance of developing a privacy-aware IoT application design tool to address the challenges mentioned above. This tool should not only transform IoT application designs into privacy-aware application designs, but also validate and verify them. First, we outline how this proposed tool should work in practice and its core functionalities. Then, we identify research challenges and potential directions for developing the proposed tool. We anticipate that this proposed tool will save many engineering hours which engineers would otherwise need to spend on developing privacy expertise and applying it. We also highlight the usefulness of this tool toward privacy education and privacy compliance.

IoT & Privacy – Issues in Modern World

IoT is considered a worldwide network of individually connected devices that communicate with each other, passing data across the internet. This data is collected about individual users and in some cases may contain very personal and private information about the user. Because this data can also be used for malicious purposes it presents security and Privacy Issues with the Internet of Things (IoT) devices. The number of IoT devices is quite large. IoT devices are typically dispersed across the globe, allowing for instant communication between connected devices. Domestic appliances, automobiles, TVs and other devices are collecting and transmitting their data across the internet in order to complete a variety of tasks. Users are typically unaware of how much data is actually collected and how the data is used or shared with others. As a result of the collecting, passing and sharing of data among these networked devices and data recipients there is a concern among security and privacy experts about how this data is collected, shared and used.