ABSTRACT
Privacy as a human right has been in existence for decades, but its effects are accentuated in the information age. Data privacy compliance in modern information technology applications is important and unavoidable, but complex. This is even more so for technologies that are enablers of the fourth industrial revolution, such as cyber-physical systems (CPSs) and the Internet of Things (IoT), because of the covert nature of the data collection involved. Organisations are not always equipped to comply with privacy requirements in such environments. This paper proposes a list of privacy compliance guidelines aimed at making it practical for organisations to comply with privacy legislation in these domains. The proposed guidelines can provide direction to organisations when carrying out a data privacy compliance exercise for CPSs and IoT. The guidelines take into account technical, organisational and legal aspects of data privacy compliance. Legal aspects are primarily based on the South African Protection of Personal Information Act 4 of 2013. Design science research, using literature analysis and expert opinion as data collection methods, was used as the research approach.