Conceptual Framework and Architecture for Privacy Audit

  • Ksenya Kveler
  • Kirsten Bock
  • Pietro Colombo
  • Tamar Domany
  • Elena Ferrari
  • Alan Hartman
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8319)


Many ICT applications involve the collection of personal information or information on the behaviour of customers, users, employees, citizens, or patients. The organisations that collect this data need to manage the privacy of these individuals. In many organisations there are insufficient data protection measures and a low level of trust among those whose data are concerned. It is often difficult and burdensome for organisations to prove privacy compliance and accountability, especially in situations that cross national boundaries and involve a number of different legal systems governing privacy. In response to these obstacles, we describe instruments facilitating accountability, audit, and meaningful certification. These instruments are based on a set of fundamental data protection goals (DPG): availability, integrity, confidentiality, transparency, intervenability, and unlinkability. By using the data protection goals instead of focusing on fragmented national privacy regulations, a well-defined set of privacy metrics can be identified that recognises privacy-by-design requirements and widely accepted certification criteria. We also describe a novel conceptual framework and architecture for defining comprehensive privacy compliance metrics and providing assessment tools for ICT applications and services using as much automation as possible. The proposed metrics and tools will identify gaps, provide clear suggestions, and will assist audit and certification to support informed decisions on the trustworthiness of ICT for citizens and businesses.







Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Ksenya Kveler (2)
  • Kirsten Bock (1)
  • Pietro Colombo (3)
  • Tamar Domany (2)
  • Elena Ferrari (3)
  • Alan Hartman (2)

  1. Unabhaengiges Landeszentrum fuer Datenschutz (ULD), Germany
  2. Science and Technology LTD, IBM Israel, Israel
  3. Department of Theoretical and Applied Science, University of Insubria, Italy
