Nissenbaum introduces the Contextual Integrity (CI) framework and considers the importance of putting privacy into context. This involves considering all the nuances of privacy, including:
• Access - how data is accessed (“Access Definitions”);
• Control - how data is controlled by the public body that collates the information, and by the surrounding legal and policy frameworks (“Source of Prescriptive Power”);
• Context - consideration of what privacy is within a given context (the “normative and descriptive conceptions”).
Privacy in relation to data and information is described as “a right to appropriate flow of information”. To apply this to information and navigate the information flows, CI asks practitioners to consider the information flow from three perspectives: actors, attributes and transmission principles.
Actors are the “subjects, senders and receivers” of the data. This refers to the people who are the subjects of the data itself (“the information subjects”) and those who handle the data (the “data senders” and the “data receivers”). The attributes are the individual elements that make up the data, and the transmission principles describe how the data is conveyed and shared between the actors; both are described in more detail below.
Different actors will view the information from different perspectives. What is considered sensitive by an individual may not be considered so by the data controller within the public body. For example, the type of ailment a person has may not be considered sensitive by the data controller when collating information about types of diseases in a particular area. However, for an individual who is perhaps one of only a few people with that ailment residing in that area, this information can lead to them being re-identified or even refused health insurance. Thus, the individual may consider such information very sensitive and, by the same logic, similar arguments can be derived around attributes and transmission principles.
The data itself is described in terms of attributes. Attributes are the individual information elements that make up the data; this can be pictured as a table within a database, containing rows and columns, where each column holds pockets of a specific type of information (attributes; for a more detailed description see Section 2.4.3). Finally, the transmission principles refer to how the data is conveyed and shared, i.e. the data flow between the actors.
Further, to cover the context, each actor also needs to be considered in context. This means that each actor will need to be considered in relation to the role they play. Thus, the data controller will need to be evaluated in relation to their job role, e.g. data analyst, or their social role, e.g. student. CI then considers the activities those roles may carry out (e.g. analysing data, being taught), the duties, prerogatives or obligations associated with each role, what defines the norms (behaviours), their trustworthiness and so on. Norms may be implicit or explicit, so they may be prescribed norms or established customary etiquette. Finally, the values, purposes, goals and ends of the particular surrounding setting or situation are considered.
Existing Applications of the CI Framework
There are examples in the literature of how the CI framework can be applied. For example, Barth et al. (2006) sought to incorporate context into privacy decision making by devising a framework for controlling data based on CI, which computes what information users can access and/or share with others. The framework seeks to achieve this through system settings and access controls. It focuses on the flow of information between roles, taking into consideration the attributes within the data relating to a particular individual (the data subject) and the role played by the actor who handles the data at that time. Values and norms are incorporated as the values and/or norms a particular role will hold, rather than the values and norms of the actor who performs that role.
To do so, Barth et al. (2006) incorporate the values and norms of CI into the roles of the individuals (such as doctor, lecturer and any derivative or associated roles) by pre-setting or computing into the framework the values (aims, ends and goals) which that particular role is expected to hold in relation to the information it handles. This association is then used as one of the considerations that sets appropriate access controls for that role. The other controls set by the framework seek to take into account any policy and legal constraints that could influence whether role A can share particular data with role B. Thus, arguably, while Barth et al. consider values and norms at an organisational (policy) and governmental (legal constraints) level, they do not sufficiently consider the wider context or the multiple values and norms that each actor will hold. To illustrate, an actor is a human being who, in relation to handling the data, will be the subject of the information (data subject), its sender, or its receiver. The actor will perform one or more roles and bear different responsibilities for each role. Thus, the actor will perform an action with the data (as subject, sender or receiver) and, as part of that performance, be attributed to a role which holds certain values and norms. However, the actor will also hold values and norms as a person, and this aspect should not be ignored. For example, an actor may be the sender of information in their work role as a doctor. The same actor may also be a patient, friend and/or colleague of the data subject at the same time, and this may alter the context of the data flow depending on the setting. These nuances also need to be allowed for and considered as part of any application of CI.
It is argued that, in trying to fit CI into a computational environment, the Barth framework considers CI in depth at too early a stage. Before controls can be computed and set, a holistic privacy assessment needs to be conducted. The Barth framework considers the data relating to one individual, rather than to a group of individuals. Moreover, it considers this information based on the information flows (transmission principles) between the roles that handle the information, setting appropriate controls derived from access rights and any policy or legal restrictions that may apply, thereby failing to sufficiently consider the contextual nuances between actors and their multiple roles. Further, while Barth’s framework enables roles to collect and share an individual’s data with known third parties (roles), it does not allow for data being published or shared openly with unknown third parties (Barth et al. 2006).
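To make the critique above concrete, the following is an added illustration (not Barth et al.'s actual formalism, which is a temporal-logic model, and not code from this thesis). It encodes flow norms keyed on roles in the Barth style, then wraps that check to surface the two gaps discussed: a receiver with no known role (open publication) and an actor who holds additional personal roles towards the data subject. All norms, actors and names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Norm:
    """A permitted flow: (sender role, receiver role, attribute, transmission principle)."""
    sender_role: str
    receiver_role: str
    attribute: str
    principle: str  # transmission principle, e.g. "confidential" or "aggregated"

# Constructed sample norms, illustrative only (not Barth et al.'s rule set).
NORMS = {
    Norm("doctor", "specialist", "diagnosis", "confidential"),
    Norm("doctor", "patient", "diagnosis", "confidential"),
    Norm("data_controller", "analyst", "diagnosis", "aggregated"),
}

@dataclass
class Actor:
    name: str
    roles: frozenset = frozenset()                  # organisational roles performed
    relations: dict = field(default_factory=dict)   # subject name -> personal roles towards them

def role_based_allowed(sender, receiver, attribute, principle):
    """Barth-style decision: permit if any (sender role, receiver role) pair matches a norm."""
    return any(Norm(s, r, attribute, principle) in NORMS
               for s in sender.roles for r in receiver.roles)

def contextual_decision(sender, receiver, subject, attribute, principle):
    """Adds the thesis's two concerns on top of the role-based check.

    Returns "undetermined" when the receiver's roles are unknown (open publication,
    which a role-keyed norm set cannot evaluate), "deny" when no norm permits the flow,
    "review" when sender or receiver also holds a personal role towards the subject
    (the context of the flow may differ from the professional one), else "allow".
    """
    if not receiver.roles:
        return "undetermined"
    if not role_based_allowed(sender, receiver, attribute, principle):
        return "deny"
    personal = (set(sender.relations.get(subject.name, ()))
                | set(receiver.relations.get(subject.name, ())))
    return "review" if personal else "allow"

if __name__ == "__main__":
    alice = Actor("alice", frozenset({"doctor"}))
    bob = Actor("bob", frozenset({"patient"}))
    carol = Actor("carol", frozenset({"specialist"}), {"bob": {"friend"}})
    public = Actor("public")  # open data audience: no identifiable roles
    for receiver in (carol, bob, public):
        print(receiver.name, contextual_decision(alice, receiver, bob, "diagnosis", "confidential"))
```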
Other applications of CI apply it through tags attached in message headers (Krupa and Vercouter 2012), or apply CI to a particular question or problem and, in doing so, discuss whether privacy is preserved in that scenario. For example, the CI framework has been applied to cloud storage and social networking sites to determine whether these sites provide sufficient privacy protection (Sar and Al-Saggaf 2013, Grodzinsky and Tavani 2011). What these studies all have in common is that they have been applied to scenarios where all the elements of the framework are present, i.e. the roles, context and transmission principles can be specifically defined. Moreover, they have been considered either without input from the data controller/processor and/or sending party, or they have been applied to a theoretical problem.
Another study (Conley et al. 2012) sought to apply CI to the open data publishing domain, the area of focus for the first case study of this work (see Section 1.1.1). This study reviewed the merits of making court records available online by comparing a manual search of the records with an online search. The study did not seek to systematically apply CI; rather, it discussed the different aspects of CI in the context of making the data available in open format. The study concluded that, in light of the privacy implications found, the data should either be anonymised or have restricted access applied. However, whilst this study considered the domain of open data publishing, it did so from a case study perspective, considering the merits of making data publicly available rather than guiding practitioners through the process of applying CI to the decision-making process, which is the focus of this work, starting with making privacy decisions for open data (see Chapters 5 and 6).
Thus, on a theoretical level, it appears that the CI methodology enables an organisation to strategically consider the privacy implications of a dataset both at the individual attribute level and from a contextual perspective. It therefore offers an excellent basis from which a more detailed model can be created based on the principles of CI.
To this end, it is contended that the contextual integrity (CI) framework can be adapted to provide the solution. CI combines the holistic overview of PbD with context and, as such, lends itself well to adaptation for practical use in organisational decision making around privacy risks. Further, by incorporating context into the privacy consideration, the CI framework ensures that any contextual interference or influence is also accounted for, making the assessment reflective of life and of how context can influence our behaviours and actions; thus, any resulting privacy assessment will be more thorough. For those reasons, the initial choice that made CI appear ideal and suitable for adaptation in this work has been verified, and CI has been chosen as the framework to be adapted for the privacy-specific assessment framework that will be created in this thesis.