
Privacy by Design (PbD) is a concept that has recently been embraced by privacy regulators as a solution for privacy problems in the digital world [69]. PbD is a term developed by Ann Cavoukian, the Information and Privacy Commissioner in Ontario, Canada [12]. PbD is defined as "an engineering and strategic management approach that commits to selectively and sustainably minimize information systems' privacy risks through technical and governance controls" [69]. The philosophy behind the PbD approach is that privacy must be embedded directly into the design specification of technologies being developed [12]. The PbD approach says privacy should be considered from the creation of software, and not added on as an afterthought when the software is complete. In order to take privacy protection into consideration when software is still in its design phase, it is important to have a set of guidelines and approaches that can be followed.

In order to discover guidelines for PbD, in 2011 a first of its kind report prepared for the European Commission's Directorate-General Justice reviewed the privacy impact assessment (PIA) methodologies of seven countries and ten PIA case studies [84]. This report created a Privacy Impact Assessment Framework (PIAF) that has been hailed as a "landmark for PbD" [69] because of the solutions it provides to the challenges of designing privacy solutions. In this section, these solutions are discussed along with how they are addressed in the collaborative privacy architecture presented in this thesis.

2.7.1 Domain Specific Legislation

The PIAF suggests utilizing any available specific legislation and/or privacy principles of the domain for which the software is being developed as privacy goals when designing a privacy solution. This domain-specific legislation can be rules created internally within an organization, or created externally through government regulation. When domain-specific privacy legislation is not available, the PIAF suggests using the FIP of the OECD as the starting point for determining privacy protection goals.

In the collaborative privacy architecture presented in this thesis, privacy policies are created to define how private information can be shared between individuals in collaborative environments. These privacy policies are founded on a set of generic concepts that are common to all domains that use the collaborative privacy architecture. This generic privacy policy is based on the FIP of the OECD, thereby providing a baseline level of privacy protection even if no domain-specific principles are introduced. However, the privacy policies used in the privacy architecture presented in this thesis are defined within an ontology that is designed to be extendable with domain-specific concepts. This allows any domain-specific legislation that may be required to be included in the privacy policies.

2.7.2 Safeguarding Personal Information

The PIAF also suggests that personal information should be provided safeguards through the usage of data avoidance and purpose-specific processing. Data avoidance suggests that private information should only be used when it is required and should be isolated from other pieces of private information. Purpose-specific processing suggests that personal information should only be used for a specific reason, and not all reasons are valid excuses to use personal information.

To address these concerns, each piece of information within the collaborative privacy architecture presented in this thesis for which access is requested is given a privacy rule that specifies how that access may take place. This privacy rule requires a purpose to be given for the allowable use of the information. This ensures that a record exists stating which purposes for information use the information owner has permitted, and that the information provider is informed how their information will be used by others.

2.7.3 Providing Transparency

Another suggestion of the PIAF is that PbD solutions should include the goal of providing transparency regarding information subjects. The idea is that it should be clear who has been provided with someone else's private information. This idea is of particular concern in the CWE domain, as the environment requires individual interactions between many different people.

This concept is a goal of this thesis and is addressed through the use of ontologies to define the privacy policies of collaborating individuals. The ontology allows the relationships between private information providers and collectors, and the privacy rules under which that information is shared, to be inferred. This ability allows an information provider to be aware of who has access to their information, and for what reasons, at all times during collaboration. This is particularly useful during collaboration, where new individuals can join and leave the system at runtime.

2.7.4 The Right to be Informed

The PIAF also suggests PbD solutions comply with the right of information owners to be informed, to object to the processing of their data, and to access, correct, and erase personal data. This right to be informed is a type of transparency provided to information owners, and like the transparency over who has access to one's personal information discussed in Section 2.8.3, this ability is provided within our architecture through the relationships within the privacy ontology. The ability to infer these relationships from the ontology allows an information provider to make requests about the current use and status of their information. The architecture relies on Privacy Administrators (PAs) who exert a level of control over the collaborative environment. If conflicts or issues arise over the status or modification of personal information, a PA can be notified to rectify the issue.
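To make Sections 2.7.2 to 2.7.4 concrete, the following added example (not code from the thesis or its ontology; all class, purpose and person names are constructed) models the same ideas with plain in-memory Python structures instead of an OWL ontology: a generic purpose vocabulary standing in for the OECD FIP baseline that a domain can extend, one purpose-bound privacy rule per isolated piece of information, a transparency query listing who holds an owner's information and why, revocation to support objection and erasure, and a queue of conflicts for a Privacy Administrator.

```python
from dataclasses import dataclass, field

# Generic purposes, standing in for the OECD-FIP-based baseline policy (constructed names).
GENERIC_PURPOSES = {"service_provision", "collaboration", "legal_obligation"}

@dataclass(frozen=True)
class PrivacyRule:
    owner: str                 # information provider who granted the rule
    item: str                  # one isolated piece of information (data avoidance)
    collector: str             # who may access that item
    purposes: frozenset        # purposes the owner has permitted (purpose-specific processing)

@dataclass
class PrivacyPolicyStore:
    vocabulary: set = field(default_factory=lambda: set(GENERIC_PURPOSES))
    rules: list = field(default_factory=list)
    pa_queue: list = field(default_factory=list)  # conflicts for a Privacy Administrator

    def extend_vocabulary(self, domain_purposes):
        # Domain-specific legislation adds concepts on top of the generic baseline
        self.vocabulary |= set(domain_purposes)

    def grant(self, owner, item, collector, purposes):
        unknown = set(purposes) - self.vocabulary
        if unknown:
            raise ValueError(f"purpose(s) not in the policy vocabulary: {sorted(unknown)}")
        self.rules.append(PrivacyRule(owner, item, collector, frozenset(purposes)))

    def revoke(self, owner, collector):
        # Right to object / erase: remove every rule this owner gave this collector
        self.rules = [r for r in self.rules
                      if not (r.owner == owner and r.collector == collector)]

    def can_access(self, collector, owner, item, purpose):
        # Access is allowed only under a rule for this exact item and a permitted purpose
        for r in self.rules:
            if (r.owner, r.item, r.collector) == (owner, item, collector) and purpose in r.purposes:
                return True
        # Anything else is a conflict the PA is notified about
        self.pa_queue.append((collector, owner, item, purpose))
        return False

    def disclosures(self, owner):
        # Transparency: who holds which item of this owner, and for what reasons
        return {(r.item, r.collector): sorted(r.purposes)
                for r in self.rules if r.owner == owner}
```

A rule covering one item grants nothing about the owner's other items, so a collector permitted to see a phone number for scheduling is still refused the owner's e-mail, and that refusal lands in the PA queue.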
