A Model Enabling Law Compliant Privacy Protection through the Selection and Evaluation of Appropriate Security Controls

  • E. S. Siougle
  • V. C. Zorkadis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2437)


The broad adoption and increasing reliance on computing and communication systems in applications domains such as health services, insurance, telecommunication and direct marketing leads to the creation, collection and processing of enormous amounts of personal data. Responding to this development, international bodies, the European Union and various countries established personal data protection laws and Authorities to regulate and control their application. The legal framework imposes the taking of appropriate security measures, that may be different compared with those specified by data controllers based on their business needs, since personal data are assets with, possibly, different values for the data subjects and the controllers. In this paper, we propose a security controls selection model, that supports data controllers in their effort to methodologically choose security measures compliant to privacy protection laws being in force. Also, we propose a process to assess (methodologically) the privacy protection requirements according to the related legal provisions and the selected and implemented security controls.


Personal Data Privacy Protection Security Measure Data Controller Security Control 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    C. Pounder, ‘Security And The New Data Protection Law’, J. Computers & Security, 17 (1998), pp. 124–128.CrossRefGoogle Scholar
  2. [2]
    Institute for Certification of Information Technology (ICIT), ‘Scheme for self-assessment and certification of information security against BS 7799’, 1997.Google Scholar
  3. [4]
    OECD, Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, Paris, 1980.Google Scholar
  4. [5]
    Lynette Barnard and Prof. Rossuw von Solms, ‘A Formalized Approach to the Effective Selection and Evaluation of Information Security Controls’, J. Computers & Security, Vol. 19, No. 2, pp. 185–194, 2000.CrossRefGoogle Scholar
  5. [6]
    V. C. Zorkadis, E. Siougle, Ph. Mitletton, ‘Technical and Legal Reports on Evaluation of Security and Privacy Protection’, Hellenic Data Protection Authority, 1999–2000.Google Scholar
  6. [7]
    V. Zorkadis, E. Siougle, ‘Information Security and Privacy Audit Modeling’, Proc. of the 5 th World Multiconference on Circuits, Systems, Communications and Computers, Crete, July 2001Google Scholar
  7. [8]
    A. Jones, ‘Penetration testing and system audit-Experience gained during the investigation the investigation of systems within the UK’, J. Computers & Security, 16 (1997), pp. 595–602.CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • E. S. Siougle
    • 1
  • V. C. Zorkadis
    • 1
  1. 1.Hellenic Data Protection AuthorityAthensGreece

Personalised recommendations