DOI: 10.1145/3657054.3657084
Research article

Directions for Enhancing the Use of Personal Data Minimization Technology in Public Organizations

Published: 11 June 2024

Abstract

A core principle of privacy protection is to minimize the amount of personal data in a data set to the level needed for its intended use. The rapid growth of data and data-driven applications calls for efficient software tools that reduce personal data to that level. However, applying Personal Data Minimization (PDM) tools in practice and embedding PDM technology within organizations are challenging tasks. These challenges stem from the complexity, context dependency and multidisciplinary nature of PDM, as well as from liability and accountability burdens. This paper aims at enhancing the use of PDM technology within public organizations. To realize this enhancement, we identify three directions, namely improving usability (efficiency and ease of use), improving trust in PDM tools, and identifying the other factors that influence PDM technology adoption. These directions are based, among other sources, on a literature study and expert interviews. We conducted a questionnaire-based survey among academic and research institutions to investigate empirically the need for PDM technology and the relevance of the directions. Based on the insights gained, the paper suggests several solution directions and/or avenues for future research. Specifically, we highlight the need for developing customized PDM tools, and usage instructions for these tools, for different data-sharing settings in order to improve the usability of PDM technology. For establishing trust in PDM technology, we highlight the need for employing various mechanisms such as certification, standardization and open-source software tools. Thirdly, we call for investigating all factors that influence PDM technology adoption, so as to set the usability and trust factors in perspective.



      Published In

      ACM Other conferences
      dg.o '24: Proceedings of the 25th Annual International Conference on Digital Government Research
      June 2024
      1089 pages
      ISBN:9798400709883
      DOI:10.1145/3657054
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. Personal data minimization
      2. privacy protection
      3. public organizations
      4. research directions
      5. statistical disclosure control
      6. technology adoption

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      dg.o 2024

      Acceptance Rates

      Overall Acceptance Rate 150 of 271 submissions, 55%
