Identifying undefined risks: A risk model and a privacy risk identification measure in the privacy impact assessment process
研究了隐私影响评估中风险识别步骤的两个关键要素:一个能捕捉多种隐私风险实现过程的风险模型,以及一套结合合规检查和风险因素列表的风险识别方法。
Privacy impact assessment (PIA) has attracted the attention of privacy watchdogs and researchers for decades. This study focuses on a risk model and risk identification method, which are two crucial elements of the risk identification step in the PIA process. As a preparatory work, this article reviews national and international organizations’ current templates and guidelines and finds that PIA guidance includes multiple domains but rarely provide a risk model or a systematic risk identification method. Based on the analysis, our study offers a risk model that can capture various privacy risk realization processes. It further proposes a combination of risk identification methods that correspond to the main target domains in the PIA and the proposed risk model. This combination consists of privacy principles of a given personal information or privacy rule to check compliance with the rule, and our suggested list of risk factors is useful in inductively finding potential risk scenarios that violate social expectations of privacy.