Application of Privacy Engineering Techniques in Software Development for the National Privacy Commission


Authors : Conrad D. Dela Cruz

Volume/Issue : Volume 9 - 2024, Issue 8 - August

Google Scholar : https://tinyurl.com/5cztj4fm

Scribd : https://tinyurl.com/5eauvbhh

DOI : https://doi.org/10.38124/ijisrt/IJISRT24AUG877

Abstract : The study investigated the implementation of privacy engineering in software development at the National Privacy Commission (NPC), with a specific focus on the Data Breach Notification Management System (DBNMS). Its objectives include identifying the factors that contribute to the success or failure of privacy engineering in the NPC's software development context, in order to provide insights into the integration of privacy measures. They also include developing actionable guidance for the effective integration of privacy and security in software engineering at the NPC, tailored specifically for NPC engineers and encompassing methodologies for incorporating privacy engineering throughout the software development life cycle. The aim is to empower NPC software engineers with practical tools and strategies to create a secure and privacy-respecting environment. A qualitative methodology and a thematic analysis approach were used to assess the effectiveness of privacy engineering techniques. To gather insights, semi-structured interviews were conducted with both internal and external stakeholders, composed of software developers, data protection officers, and other internal and external users of the DBNMS. The evaluation yielded positive remarks from both internal and external participants. Factors that contributed to the success and failure of privacy engineering techniques in software development include the rapid evolution of technology, lack of funds, and stakeholder engagement, among others. Overall, the findings are expected to contribute to the broader discourse on privacy engineering and have implications for policymakers, software development practitioners, and organizations looking to enhance their privacy practices in the digital age.

Keywords : Privacy Engineering, Privacy Integration in Software Development.


