Sâmmara Éllen Renner Ferrão,Geovana Ramos Sousa Silva,Edna Dias Canedo,Fabiana Freitas Mendes

DOI: https://doi.org/10.1016/j.infsof.2024.107396

IF: 3.9

2024-01-07

Information and Software Technology

Abstract:Context: Ensuring compliance with current data privacy legislation poses a significant challenge for software development teams, demanding adaptations to processes in order to align with legal requirements. Objective: This study proposes a comprehensive taxonomy of privacy requirements, drawing from the Brazilian General Data Protection Law (LGPD) and ISO/IEC 29100. The aim is to assist software development teams in navigating the complexities of legal compliance. Method: To define the research gap, we conducted a systematic literature review (SLR) initially, identifying existing taxonomies of privacy requirements. Subsequently, we applied the Goal-Based Requirements Analysis Method (GBRAM) to extract privacy requirements from LGPD and ISO/IEC 29000. Finally, we implemented the proposed taxonomy in the privacy policies of Brazil's three largest banks. Results: The taxonomy comprises 129 requirements, categorized into 10 distinct groups across 5 contexts. In applying the taxonomy to ISO/IEC 29100, analysis of 63 statements for GDPR+ISO/IEC 29100 yielded 33 requirements, whereas for LGPD+ISO/IEC 29100, 58 statements resulted in 57 requirements. Application of the taxonomy revealed adherence percentages ranging from 40% to 71% concerning the evaluated solutions. Conclusions: The outcomes strongly suggest that major corporations are yet to achieve full LGPD compliance. We posit that the proposed taxonomy offers a valuable industry tool for validating LGPD compliance within implemented systems, as exemplified by our successful use case with Brazilian banks.

computer science, information systems, software engineering

Olalekan S. Akinola,Adenike O. Osofisan

DOI: https://doi.org/10.48550/arXiv.0909.4260

2009-10-02

Abstract:Software inspection is a necessary and important tool for software quality assurance. Since it was introduced by Fagan at IBM in 1976, arguments exist as to which method should be adopted to carry out the exercise, whether it should be paper based or tool based, and what reading technique should be used on the inspection document. Extensive works have been done to determine the effectiveness of reviewers in paper based environment when using ad hoc and checklist reading techniques. In this work, we take the software inspection research further by examining whether there is going to be any significant difference in defect detection effectiveness of reviewers when they use either ad hoc or checklist reading techniques in a distributed groupware environment. Twenty final year undergraduate students of computer science, divided into ad hoc and checklist reviewers groups of ten members each were employed to inspect a medium sized java code synchronously on groupware deployed on the Internet. The data obtained were subjected to tests of hypotheses using independent T test and correlation coefficients. Results from the study indicate that there are no significant differences in the defect detection effectiveness, effort in terms of time taken in minutes and false positives reported by the reviewers using either ad hoc or checklist based reading techniques in the distributed groupware environment studied.

Other Computer Science

Pedro Delfino,Bruno Cuconato,Edward Hermann Haeusler,Alexandre Rademaker

DOI: https://doi.org/10.48550/arXiv.1712.05128

2017-12-14

Abstract:In Brazil, all legal professionals must demonstrate their knowledge of the law and its application by passing the OAB exams, the national bar exams. The OAB exams therefore provide an excellent benchmark for the performance of legal information systems since passing the exam would arguably signal that the system has acquired capacity of legal reasoning comparable to that of a human lawyer. This article describes the construction of a new data set and some preliminary experiments on it, treating the problem of finding the justification for the answers to questions. The results provide a baseline performance measure against which to evaluate future improvements. We discuss the reasons to the poor performance and propose next steps.

Computation and Language

Feiyang Tang,Bjarte M. Østvold,Magiel Bruntink

DOI: https://doi.org/10.3233/FAIA230228

2023-06-20

Abstract:Ensuring compliance with the General Data Protection Regulation (GDPR) is a crucial aspect of software development. This task, due to its time-consuming nature and requirement for specialized knowledge, is often deferred or delegated to specialized code reviewers. These reviewers, particularly when external to the development organization, may lack detailed knowledge of the software under review, necessitating the prioritization of their resources. To address this, we have designed two specialized views of a codebase to help code reviewers in prioritizing their work related to personal data: one view displays the types of personal data representation, while the other provides an abstract depiction of personal data processing, complemented by an optional detailed exploration of specific code snippets. Leveraging static analysis, our method identifies personal data-related code segments, thereby expediting the review process. Our approach, evaluated on four open-source GitHub applications, demonstrated a precision rate of 0.87 in identifying personal data flows. Additionally, we fact-checked the privacy statements of 15 Android applications. This solution, designed to augment the efficiency of GDPR-related privacy analysis tasks such as the Record of Processing Activities (ROPA), aims to conserve resources, thereby saving time and enhancing productivity for code reviewers.

Software Engineering

Flávia Xavier Macedo de Azevedo,Rüdiger Heimgärtner,Karsten Nebe

DOI: https://doi.org/10.1080/00140139.2022.2127920

IF: 2.5612

Ergonomics

Abstract:The DIN 92419 defines six principles for assistive systems' ergonomic design. There is, however, a lack of measurement tools to evaluate assistive systems considering these principles. Consequently, this study developed a measurement tool for the quantitative evaluation of the fulfilment of each principle for assistive systems. A systematic literature review was performed to identify dimensions belonging to the principles, identify how previous research evaluated these dimensions, and develop a measurement tool for assistive systems. Findings show that scales commonly used for evaluating assistive systems disregard several aspects highlighted as relevant by research, implying the need for considering the DIN 92419 principles. Based on established scales and theoretical findings, a questionnaire, and a checklist for evaluating assistive systems were developed. The work provides a grounding for measuring relevant aspects of assistive systems. Further development is needed to substantiate the reliability and validity of the proposed questionnaire scales and items. Practitioner Summary: Responding to the gap of a holistic measurement tool to evaluate assistive systems, a systematic literature review was performed considering the DIN 92419 principles. This resulted in a comprehensive summary of relevant aspects of assistive systems that were made numerically measurable, which proposes better criteria to assess assistive systems. Abbreviations: IoT: internet of things; RQ: research question; TAM: technology acceptance model; UTAUT: unified theory of acceptance and use of technology; AaaS: adaptivity as a service; SAR: socially assistive robots; SEEV: salience, effort, expectancy, and value; PRISMA: preferred reporting items for systematic reviews and meta-analyses; HMI: human-machine interaction; HRI: human-robot interaction; BCI: brain-computer interface; QUEST: Quebec user evaluation of satisfaction with assistive technology; SUS: system usability scale; NASA-TLX: NASA task load index; ATD PA: assistive technology device predisposition assessment; Wheel Con: wheelchair use confidence scale; CATOM: caregiver assistive technology outcome measure; CBI: caregiver burden inventory; RoSAS: robotic social attributes scale; WheelCon: wheelchair use confidence scale; IMI: intrinsic motivation inventory; ATD PA: assistive technology device predisposition assessment; UEQ: User experience questionnaire; USEUQ: usefulness satisfaction and ease of use questionnaire; USPW: usability scale for power wheelchairs; UES: user engagement scale; SUTAQ: service user technology acceptability questionnaire; QUEAD: questionnaire for the evaluation of physical assistive devices; FATCAT: functional assessment tool for cognitive assistive technology; SE-HRI: human-robot interaction scale; SART: situation awareness rating technique; TSQ;WT: tele-healthcare satisfaction questionnaire-wearable technology; PAIF: participants' assessment of the intervention's feasibility; SWAT: subjective workload assessment technique; MARS-HA: measure of audiologic rehabilitation self-efficacy for hearing aids; IOI-HA: International outcome inventory for hearing aids; FMA: functional mobility assessment; FBIS: familiarity and behavioural intention survey; CSQ: client satisfaction questionnaire; COPM: canadian occupational performance measure; ATCS: assistive technology confidence scale; ACC: acceptance; SSP: safety, security and privacy; OPT: optimisation of resultant internal load; CTRL: controllability; ADAPT: adaptability; P&I: perceptibility and identifiability; AAL: ambient assisted living; VR: virtual reality; AS: assistive system; WEIRD: Western, educated, industrialised, rich, and democratic; HEART: horizontal european activities of rehabilitation technology; AAATE: advancement of assistive technology in Europe's; GATE: global collaboration on assistive technology; ATA-C: assistive technology assessment toolkit.

Orlando Amaral,Muhammad Ilyas Azeem,Sallam Abualhaija,Lionel C Briand

DOI: https://doi.org/10.1109/tse.2023.3288901

IF: 7.4

2023-01-01

IEEE Transactions on Software Engineering

Abstract:When the entity processing personal data (the processor) differs from the one collecting personal data (the controller), processing personal data is regulated in Europe by the General Data Protection Regulation (GDPR) through data processing agreements (DPAs). Checking the compliance of DPAs contributes to the compliance verification of software systems as DPAs are an important source of requirements for software development involving the processing of personal data. However, manually checking whether a given DPA complies with GDPR is challenging as it requires significant time and effort for understanding and identifying DPA-relevant compliance requirements in GDPR and then verifying these requirements in the DPA. Legal texts introduce additional complexity due to convoluted language and inherent ambiguity leading to potential misunderstandings. In this paper, we propose an automated solution to check the compliance of a given DPA against GDPR. In close interaction with legal experts, we first built two artifacts: (i) the “shall” requirements extracted from the GDPR provisions relevant to DPA compliance and (ii) a glossary table defining the legal concepts in the requirements. Then, we developed an automated solution that leverages natural language processing (NLP) technologies to check the compliance of a given DPA against these “shall” requirements. Specifically, our approach automatically generates phrasal-level representations for the textual content of the DPA and compares them against predefined representations of the “shall” requirements. By comparing these two representations, the approach not only assesses whether the DPA is GDPR compliant but it further provides recommendations about missing information in the DPA. Over a dataset of 30 actual DPAs, the approach correctly finds 618 out of 750 genuine violations while raising 76 false violations, and further correctly identifies 524 satisfied requirements. The approach has thus an average precision of 89.1%, a recall of 82.4%, and an accuracy of 84.6%. Compared to a baseline that relies on off-the-shelf NLP tools, our approach provides an average accuracy gain of $\approx$20 percentage points. The accuracy of our approach can be improved to $\approx$94% with limited manual verification effort.

engineering, electrical & electronic,computer science, software engineering

Orlando Amaral,Sallam Abualhaija,Damiano Torre,Mehrdad Sabetzadeh,Lionel C. Briand

DOI: https://doi.org/10.48550/arXiv.2106.05688

2021-10-06

Abstract:Technological advances in information sharing have raised concerns about data protection. Privacy policies contain privacy-related requirements about how the personal data of individuals will be handled by an organization or a software system (e.g., a web service or an app). In Europe, privacy policies are subject to compliance with the General Data Protection Regulation (GDPR). A prerequisite for GDPR compliance checking is to verify whether the content of a privacy policy is complete according to the provisions of GDPR. Incomplete privacy policies might result in large fines on violating organization as well as incomplete privacy-related software specifications. Manual completeness checking is both time-consuming and error-prone. In this paper, we propose AI-based automation for the completeness checking of privacy policies. Through systematic qualitative methods, we first build two artifacts to characterize the privacy-related provisions of GDPR, namely a conceptual model and a set of completeness criteria. Then, we develop an automated solution on top of these artifacts by leveraging a combination of natural language processing and supervised machine learning. Specifically, we identify the GDPR-relevant information content in privacy policies and subsequently check them against the completeness criteria. To evaluate our approach, we collected 234 real privacy policies from the fund industry. Over a set of 48 unseen privacy policies, our approach detected 300 of the total of 334 violations of some completeness criteria correctly, while producing 23 false positives. The approach thus has a precision of 92.9% and recall of 89.8%. Compared to a baseline that applies keyword search only, our approach results in an improvement of 24.5% in precision and 38% in recall.

Cryptography and Security,Artificial Intelligence,Software Engineering

Ze Shi Li,Colin Werner,Neil Ernst,Daniela Damian

DOI: https://doi.org/10.48550/arXiv.2002.06830

2020-02-17

Abstract:The enactment of the General Data Protection Regulation (GDPR) in 2018 forced any organization that collects and/or processes EU-based personal data to comply with stringent privacy regulations. Software organizations have struggled to achieve GDPR compliance both before and after the GDPR deadline. While some studies have relied on surveys or interviews to find general implications of the GDPR, there is a lack of in-depth studies that investigate compliance practices and compliance challenges of software organizations. In particular, there is no information on small and medium enterprises (SMEs), which represent the majority of organizations in the EU, nor on organizations that practice continuous integration. Using design science methodology, we conducted an in-depth study over the span of 20 months regarding GDPR compliance practices and challenges in collaboration with a small, startup organization. We first identified our collaborator's business problems and then iteratively developed two artifacts to address those problems: a set of operationalized GDPR principles, and an automated GDPR tool that tests those GDPR-derived privacy requirements. This design science approach resulted in four implications for research and for practice. For example, our research reveals that GDPR regulations can be partially operationalized and tested through automated means, which improves compliance practices, but more research is needed to create more efficient and effective means to disseminate and manage GDPR knowledge among software developers.

Software Engineering

Shuang Liu,Baiyang Zhao,Renjie Guo,Guozhu Meng,Fan Zhang,Meishan Zhang

DOI: https://doi.org/10.1145/3442381.3450022

2021-04-19

Abstract:With the rapid development of web and mobile applications, as well as their wide adoption in different domains, more and more personal data is provided, consciously or unconsciously, to different application providers. Privacy policy is an important medium for users to understand what personal information has been collected and used. As data privacy protection is becoming a critical social issue, there are laws and regulations being enacted in different countries and regions, and the most representative one is the EU General Data Protection Regulation (GDPR). It is thus important to detect compliance issues among regulations, e.g., GDPR, with privacy policies, and provide intuitive results for data subjects (i.e., users), data collection party (i.e., service providers) and the regulatory authorities. In this work, we target to solve the problem of compliance analysis between GDPR (Article 13) and privacy policies. We format the task into a combination of a sentence classification step and a rule-based analysis step. We manually curate a corpus of 36,610 labeled sentences from 304 privacy policies, and benchmark our corpus with several standard sentence classifiers. We also conduct a rule-based analysis to detect compliance issues and a user study to evaluate the usability of our approach. The web-based tool AutoCompliance is publicly accessible 1.

Ze Shi Li,Colin Werner,Neil Ernst,Daniela Damian

DOI: https://doi.org/10.1016/j.infsof.2022.106868

IF: 3.9

2022-06-01

Information and Software Technology

Abstract:Context: Complying with privacy regulations has taken on new importance with the introduction of the EU’s General Data Protection Regulation (GDPR) and other privacy regulations. Privacy measures are becoming a paramount requirement demanding software organizations’ attention as recent privacy breaches such as the Capital One data breach affected millions of customers. Software organizations, however, struggle with achieving privacy compliance. In particular, there is a lack of research into the organizational practices and challenges involved in compliance, particularly for small and medium enterprises (SMEs), which represent a sizeable portion of organizations. Many SMEs use a continuous software engineering (CSE) approach, which introduces additional adoption and application challenges. For example, the fast pace of CSE makes it harder for SMEs that are already more resource constrained to prioritize non-functional requirements such as privacy. Objective: This paper aims to fill a gap in the under-researched area of continuous compliance with privacy requirements in practice, by investigating how a continuous practicing SME dealt with GDPR compliance. Method: Using design science, we conducted an in-depth ethnographically informed study over the span of 16 months and iteratively developed two artifacts to help address the organization’s challenges in addressing GDPR compliance. Results: We identified 3 main challenges that our collaborating organization experienced when trying to comply with the GDPR. To help mitigate the challenges, we developed two design science artifacts, which include a list of privacy requirements that operationalized the GDPR principles for automated verification, and an automated testing tool that helps to verify these privacy requirements. We validated these artifacts through close collaboration with our partner organization and applying our artifacts to the partner organization’s system. Conclusions: We conclude with a discussion of opportunities and obstacles in leveraging CSE to achieve continuous compliance with the GDPR. We also highlight the importance of building a shared understanding of privacy non-functional requirements and how risk management plays an important role in an organization’s GDPR compliance.

computer science, information systems, software engineering

Oleksandra Klymenko,Oleksandr Kosenkov,Stephen Meisenbacher,Parisa Elahidoost,Daniel Mendez,Florian Matthes

DOI: https://doi.org/10.1145/3544902.3546234

2022-08-18

Abstract:Modern privacy regulations, such as the General Data Protection Regulation (GDPR), address privacy in software systems in a technologically agnostic way by mentioning general "technical measures" for data privacy compliance rather than dictating how these should be implemented. An understanding of the concept of technical measures and how exactly these can be handled in practice, however, is not trivial due to its interdisciplinary nature and the necessary technical-legal interactions. We aim to investigate how the concept of technical measures for data privacy compliance is understood in practice as well as the technical-legal interaction intrinsic to the process of implementing those technical measures. We follow a research design that is 1) exploratory in nature, 2) qualitative, and 3) interview-based, with 16 selected privacy professionals in the technical and legal domains. Our results suggest that there is no clear mutual understanding and commonly accepted approach to handling technical measures. Both technical and legal roles are involved in the implementation of such measures. While they still often operate in separate spheres, a predominant opinion amongst the interviewees is to promote more interdisciplinary collaboration. Our empirical findings confirm the need for better interaction between legal and engineering teams when implementing technical measures for data privacy. We posit that interdisciplinary collaboration is paramount to a more complete understanding of technical measures, which currently lacks a mutually accepted notion. Yet, as strongly suggested by our results, there is still a lack of systematic approaches to such interaction. Therefore, the results strengthen our confidence in the need for further investigations into the technical-legal dynamic of data privacy compliance.

Software Engineering

Luiz Paulo Carvalho,Jonice Oliveira,Flávia Maria Santoro,Claudia Cappelli

DOI: https://doi.org/10.5753/isys.2021.1235

2021-08-20

Abstract:Data protection and data-driven solutions are two progressing areas permeating Brazilian society. This work presents an interdisciplinary theoretical approach related to Ethics, from the ethics in computing perspective; the LGPD, from the Law studies perspective; and the Social Network Analysis in Brazil, from the Informatics perspective. This research area utilizes personal data extensively for knowledge construction, with semantic contributions, analyzing the reality; or pragmatic, building artifacts. Challenges and inseparable issues are observed, exposed, and debated in this work. We present considerations combining the three topics, personal data in the research field of social networks in Brazil respecting the LGPD and ethics precepts.

Bruno Pedraca de Souza,Guilherme Horta Travassos

DOI: https://doi.org/10.48550/arXiv.2107.13597

2021-07-29

Abstract:Software systems on the Internet of Things have driven the world into a new industrial revolution, bringing with it new features and concerns such as autonomy, continuous device connectivity, and interaction among systems, users, and things. Nevertheless, building these types of systems is still a problematic activity due to their specific features. Empirical studies show the lack of technologies to support the construction of IoT software systems, in which different software artifacts should be created to ensure their quality. Thus, software inspection has emerged as an alternative evidence-based method to support the quality assurance of artifacts produced during the software development cycle. However, there is no knowledge of inspection techniques applicable to IoT software systems. Therefore, this research presents SCENARIOTCHECK, a Checklist-based Reading Technique for the Verification of IoT Scenarios. The checklist has been evaluated with experimental studies. This research shows that the technique has good results regarding cost-efficiency, efficiency, and IoT software system development effectiveness.

Software Engineering

Jefferson Seide Molléri,Kai Petersen,Emilia Mendes

DOI: https://doi.org/10.1016/j.infsof.2019.106240

IF: 3.9

2020-03-01

Information and Software Technology

Abstract:<p><strong>Context:</strong> Over the past decade Software Engineering research has seen a steady increase in survey-based studies, and there are several guidelines providing support for those willing to carry out surveys. The need for auditing survey research has been raised in the literature. Checklists have been used both to conduct and to assess different types of empirical studies, such as experiments and case studies.</p><p><strong>Objective:</strong> To operationalize the assessment of survey studies by means of a checklist. To fulfill such goal, we aim to derive a checklist from standards for survey research and further evaluate the appropriateness of the checklist in the context of software engineering research.</p><p><strong>Method:</strong> We systematically aggregated knowledge from 12 methodological studies supporting survey-based research in software engineering. We identified the key stages of the survey process and its recommended practices through thematic analysis and vote counting. We evaluated the checklist by applying it to existing surveys and analyzed the results. Thereafter, we gathered the feedback of experts (the surveys' authors) on our analysis and used the feedback to improve the survey checklist.</p><p><strong>Results:</strong> The evaluation provided insights regarding limitations of the checklist in relation to its understanding and objectivity. In particular, 19 of the 38 checklist items were improved according to the feedback received from experts.</p><p><strong>Conclusion:</strong> The proposed checklist is appropriate for auditing survey reports as well as a support tool to guide ongoing research with regard to the survey design process. A discussion on how to use the checklist and what its implications are for research practice is also provided.</p>

computer science, information systems, software engineering

Luca Verderame,Davide Caputo,Andrea Romdhana,Alessio Merlo

DOI: https://doi.org/10.1109/IJCNN48605.2020.9206660

2020-04-18

Abstract:Access to privacy-sensitive information on Android is a growing concern in the mobile community. Albeit Google Play recently introduced some privacy guidelines, it is still an open problem to soundly verify whether apps actually comply with such rules. To this aim, in this paper, we discuss a novel methodology based on a fruitful combination of static analysis, dynamic analysis, and machine learning techniques, which allows assessing such compliance. More in detail, our methodology checks whether each app i) contains a privacy policy that complies with the Google Play privacy guidelines, and ii) accesses privacy-sensitive information only upon the acceptance of the policy by the user. Furthermore, the methodology also allows checking the compliance of third-party libraries embedded in the apps w.r.t. the same privacy guidelines. We implemented our methodology in a tool, 3PDroid, and we carried out an assessment on a set of recent and most-downloaded Android apps in the Google Play Store. Experimental results suggest that more than 95% of apps access user's privacy-sensitive information, but just a negligible subset of them (around 1%) fully complies with the Google Play privacy guidelines.

Cryptography and Security

Ayesha Qamar,Tehreem Javed,Mirza Omer Beg

DOI: https://doi.org/10.48550/arXiv.2102.12362

2021-02-21

Abstract:Privacy Policies are the legal documents that describe the practices that an organization or company has adopted in the handling of the personal data of its users. But as policies are a legal document, they are often written in extensive legal jargon that is difficult to understand. Though work has been done on privacy policies but none that caters to the problem of verifying if a given privacy policy adheres to the data protection laws of a given country or state. We aim to bridge that gap by providing a framework that analyzes privacy policies in light of various data protection laws, such as the General Data Protection Regulation (GDPR). To achieve that, firstly we labeled both the privacy policies and laws. Then a correlation scheme is developed to map the contents of a privacy policy to the appropriate segments of law that a policy must conform to. Then we check the compliance of privacy policy's text with the corresponding text of the law using NLP techniques. By using such a tool, users would be better equipped to understand how their personal data is managed. For now, we have provided a mapping for the GDPR and PDPA, but other laws can easily be incorporated in the already built pipeline.

Cryptography and Security,Computation and Language

Raúl Pardo,Daniel Le Métayer

2024-09-18

Abstract:Privacy policies define the terms under which personal data may be collected and processed by data controllers. The General Data Protection Regulation (GDPR) imposes requirements on these policies that are often difficult to implement. Difficulties arise in particular due to the heterogeneity of existing systems (e.g., the Internet of Things (IoT), web technology, etc.). In this paper, we propose a method to refine high level GDPR privacy requirements for informed consent into low-level computational models. The method is aimed at software developers implementing systems that require consent management. We mechanize our models in TLA+ and use model-checking to prove that the low-level computational models implement the high-level privacy requirements; TLA+ has been used by software engineers in companies such as Microsoft or Amazon. We demonstrate our method in two real world scenarios: an implementation of cookie banners and a IoT system communicating via Bluetooth low energy.

Cryptography and Security,Software Engineering

Yuri R. Ladeia,David M. Pereira

2024-09-18

Abstract:Background: The integration of the General Data Protection Regulation (GDPR) and the Medical Device Regulation (MDR) creates complexities in conducting Data Protection Impact Assessments (DPIAs) for medical devices. The adoption of non-binding standards like ISO and IEC can harmonize these processes by enhancing accountability and privacy by design. Methods: This study employs a multidisciplinary literature review, focusing on GDPR and MDR intersection in medical devices that process personal health data. It evaluates key standards, including ISO/IEC 29134 and IEC 62304, to propose a unified approach for DPIAs that aligns with legal and technical frameworks. Results: The analysis reveals the benefits of integrating ISO/IEC standards into DPIAs, which provide detailed guidance on implementing privacy by design, risk assessment, and mitigation strategies specific to medical devices. The proposed framework ensures that DPIAs are living documents, continuously updated to adapt to evolving data protection challenges. Conclusions: A unified approach combining European Union (EU) regulations and international standards offers a robust framework for conducting DPIAs in medical devices. This integration balances security, innovation, and privacy, enhancing compliance and fostering trust in medical technologies. The study advocates for leveraging both hard law and standards to systematically address privacy and safety in the design and operation of medical devices, thereby raising the maturity of the MedTech ecosystem.

Computers and Society

Concetta Tania Di Iorio,Fabrizio Carinci,Jillian Oderkirk,David Smith,Manuela Siano,Dorotea Alessandra de Marco,Simon de Lusignan,Paivi Hamalainen,Massimo Massi Benedetti

DOI: https://doi.org/10.1136/medethics-2019-105948

2020-03-27

Journal of Medical Ethics

Abstract:Background Data processing of health research databases often requires a Data Protection Impact Assessment to evaluate the severity of the risk and the appropriateness of measures taken to comply with the European Union (EU) General Data Protection Regulation (GDPR). We aimed to define and apply a comprehensive method for the evaluation of privacy, data governance and ethics among research networks involved in the EU Project Bridge Health. Methods Computerised survey among associated partners of main EU Consortia, using a targeted instrument designed by the principal investigator and progressively refined in collaboration with an international advisory panel. Descriptive measures using the percentage of adoption of privacy, data governance and ethical principles as main endpoints were used for the analysis and interpretation of the results. Results A total of 15 centres provided relevant information on the processing of sensitive data from 10 European countries. Major areas of concern were noted for: data linkage (median, range of adoption: 45%, 30%–80%), access and accuracy of personal data (50%, 0%–100%) and anonymisation procedures (56%, 11%–100%). A high variability was noted in the application of privacy principles. Conclusions A comprehensive methodology of Privacy and Ethics Impact and Performance Assessment was successfully applied at international level. The method can help implementing the GDPR and expanding the scope of Data Protection Impact Assessment, so that the public benefit of the secondary use of health data could be well balanced with the respect of personal privacy.

ethics,medical ethics,social issues,social sciences, biomedical

Leticia Dávila-Nicanor,Pedro Mejía-Alvarez

DOI: https://doi.org/10.5121/cseij.2012.2402

2012-09-13

Abstract:In diverse industrial and academic environments, the quality of the software has been evaluated using different analytic studies. The contribution of the present work is focused on the development of a methodology in order to improve the evaluation and analysis of the reliability of web-based software applications. The Personal Software Process (PSP) was introduced in our methodology for improving the quality of the process and the product. The Evaluation + Improvement (Ei) process is performed in our methodology to evaluate and improve the quality of the software system. We tested our methodology in a web-based software system and used statistical modeling theory for the analysis and evaluation of the reliability. The behavior of the system under ideal conditions was evaluated and compared against the operation of the system executing under real conditions. The results obtained demonstrated the effectiveness and applicability of our methodology.

Software Engineering