A Model Enabling Law Compliant Privacy Protection through the Selection and Evaluation of Appropriate Security Controls
The broad adoption and increasing reliance on computing and communication systems in applications domains such as health services, insurance, telecommunication and direct marketing leads to the creation, collection and processing of enormous amounts of personal data. Responding to this development, international bodies, the European Union and various countries established personal data protection laws and Authorities to regulate and control their application. The legal framework imposes the taking of appropriate security measures, that may be different compared with those specified by data controllers based on their business needs, since personal data are assets with, possibly, different values for the data subjects and the controllers. In this paper, we propose a security controls selection model, that supports data controllers in their effort to methodologically choose security measures compliant to privacy protection laws being in force. Also, we propose a process to assess (methodologically) the privacy protection requirements according to the related legal provisions and the selected and implemented security controls.
KeywordsPersonal Data Privacy Protection Security Measure Data Controller Security Control
Unable to display preview. Download preview PDF.
- Institute for Certification of Information Technology (ICIT), ‘Scheme for self-assessment and certification of information security against BS 7799’, 1997.Google Scholar
- OECD, Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, Paris, 1980.Google Scholar
- V. C. Zorkadis, E. Siougle, Ph. Mitletton, ‘Technical and Legal Reports on Evaluation of Security and Privacy Protection’, Hellenic Data Protection Authority, 1999–2000.Google Scholar
- V. Zorkadis, E. Siougle, ‘Information Security and Privacy Audit Modeling’, Proc. of the 5 th World Multiconference on Circuits, Systems, Communications and Computers, Crete, July 2001Google Scholar