
The Use of Models within the Methodology

The methodology utilizes a series of interrelated UML models, as shown in Figure 6-5.

Figure 6-5. Architectural model relationships

Models and modeling best practices[1] focus first on the progression from an enterprise view of the business data model, through the more detailed logical data model, and finally to a database design based on these models. Likewise, from the business data model, a reporting model is derived for the reporting database.

Requirements models: Input and output data requirements gathered from a system interface, from a web site, or from a mobile source, together with the big data requirements, must be modeled within the business data model, here using the UML class modeling diagram.[2] Figure 6-5 shows how the need for information from a document, from a video, from an audio file, from an e-mail, or from any other big data source comes together as big data requirements.

Business data model: The business data model is an integrated view of all of the data requirements within the enterprise. The business data model contains business-level (not necessarily normalized[3]) data classes. It may contain many-to-many data relationships and may not contain information about the optionality of data relationships. It should contain all super-type data classes but not necessarily all subtype data classes.[4] It will contain only those data attributes that are easy to find and define, and that are particularly interesting or important. It will refer to corporate data classes and relationships where possible and will raise data issues and ambiguities early.

Operational (logical) data model: The logical data model (see Figure 6-9 as an example) should contain all of the business data requirements within the problem domain under study (here, privacy information data processing). The conceptual data model subject areas, high-level data classes, and high-level relationships are used as the starting point for developing the logical data model. More detailed data classes are developed, including the data classes that are the product of normalization. Subtype classes will also be derived from the high-level business data classes.

The logical data model is different from the less-detailed business data model in that the former is normalized and does not contain many-to-many data relationships.

Instead, it contains information about the optionality of data relationships and contains both super-type data classes and subtype data classes. It contains all data attributes relevant to the enterprise and refers to corporate data classes and relationships as much as possible.

As part of the data modeling process, the enterprise data model as well as legacy databases not represented in the enterprise data model will be examined to ensure that redundant data are not created and that the enterprise data models are complete.
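To make the business-to-logical progression above concrete, here is an added example (not code from the book) that applies the stated rules in Python: many-to-many relationships are resolved into associative classes, optionality is made explicit, and analyst-supplied subtype classes are added under their super-type. All class names (Party, PersonalData, Purpose, Person, Organization) are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional
# Added example, not the book's code: toy business/logical privacy data models
# built with the rules in the text. All class names here are constructed.

@dataclass(frozen=True)
class Relationship:
    source: str
    target: str
    many_to_many: bool = False
    optional: Optional[bool] = None   # None: optionality undecided (business level)

@dataclass
class DataModel:
    classes: set
    relationships: list
    subtypes: dict = field(default_factory=dict)   # super-type -> set of subtypes

def derive_logical_model(business: DataModel, subtype_map: dict) -> DataModel:
    """Resolve many-to-many links, decide optionality, add analyst-supplied subtypes."""
    logical = DataModel(set(business.classes), [], {k: set(v) for k, v in subtype_map.items()})
    for subs in subtype_map.values():
        logical.classes.update(subs)
    for rel in business.relationships:
        if rel.many_to_many:
            assoc = rel.source + rel.target    # associative class, e.g. PersonalDataPurpose
            logical.classes.add(assoc)
            logical.relationships.append(Relationship(rel.source, assoc, optional=False))
            logical.relationships.append(Relationship(rel.target, assoc, optional=False))
        else:   # undecided optionality defaults to optional; the analyst tightens it later
            decided = rel.optional if rel.optional is not None else True
            logical.relationships.append(Relationship(rel.source, rel.target, optional=decided))
    return logical

def logical_model_violations(model: DataModel) -> list:
    """List breaches of the logical-model rules: no many-to-many, optionality set, subtypes present."""
    issues = []
    for r in model.relationships:
        if r.many_to_many:
            issues.append(f"many-to-many: {r.source}-{r.target}")
        if r.optional is None:
            issues.append(f"optionality unspecified: {r.source}-{r.target}")
    for subs in model.subtypes.values():
        issues.extend(f"missing subtype: {s}" for s in subs if s not in model.classes)
    return issues

# Constructed business model: a Party holds PersonalData used for many Purposes.
BUSINESS = DataModel({"Party", "PersonalData", "Purpose"}, [Relationship("Party", "PersonalData"),
    Relationship("PersonalData", "Purpose", many_to_many=True)])
LOGICAL = derive_logical_model(BUSINESS, {"Party": {"Person", "Organization"}})
```

Running `logical_model_violations` on the business model reports the many-to-many link and the undecided optionality, while the derived logical model reports nothing.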

Operational database: The detailed operational data model is used to develop the actual operational database. The reporting data models are used to develop the reporting databases, which could be the data warehouse, one or more data marts, or one or more big data analytic data structures. Big data requirements may also contribute to any required content handling or presentation.

Metadata models: All modeling metadata are based on a series of metadata models.[5] To ensure that models and modeling best support the corporate enterprise, best privacy engineering practices require that all models and modeling metadata be readily available to business users and to information technology personnel. All data administrators and database administrators should collaborate to ensure an enterprise view of all information required by the enterprise and to ensure that the best practices concerning shared data are followed.[6]

Best practices that support data sharing include data naming and data identification standards, the collection of integrity rules, the collection of security rules, and management of information in all of its forms. One way that works well in gaining collaboration among businesspeople, the privacy team, and the information technology development team is to hold Agile scrums. These scrums are often called first thing in the morning for the very detail-oriented people. Management scrums would be held weekly in some cases and biweekly in others.

Activity diagram, sequence model, and component model: The activity diagram, which shows the business process, combines with the various data models to define a sequence model for the system and, from there, the component design. The component design model and its supporting metadata feed the component design. Therefore, the various models and modeling efforts interact to provide a well-engineered, data-centric design.

Content Design: The user experience of the system and its user interface are based on the content design that takes inputs from the visualization aspects of the big data requirements and the business data model. The content design also impacts the actual operational database design and the component models by determining how users interact with them.

The steps of the methodology are described in detail in the following sections to illustrate how the system engineering lifecycle applied to privacy is effectively deployed.

By Dawn N. Jutla, PhD, Board Director, OASIS, and Professor, Sobey School of Business, Saint Mary's University, Halifax, Nova Scotia, Canada

Consumer and privacy legislators are working to understand new online business environments that exploit personal data outside of citizens' working knowledge and control. The Office of the Privacy Commissioner of Canada, the 27 different data protection agencies in the European Union, the US Federal Trade Commission, and senators in the US Congress now regularly question major innovators about their business practices concerning their handling of personal data. Associations such as the Electronic Frontier Foundation and the Electronic Privacy Information Center also regularly highlight new online privacy violations. Media reports openly criticize marketers, raising awareness of personal data collection practices, as in the Wall Street Journal's “What They Know Series”: “Marketers are spying on internet users—observing and remembering people's clicks, and building and selling detailed dossiers of their activities and interests.”[7] VentureBeat, a technology news website, identifies a key privacy issue:

The fact of the matter is that most end users are ignorant of how much they expose about themselves when they authorize through Facebook or Twitter or any other sign-on process—and that this information would be shared to entities outside just the app developer.[8]

To respond to this situation, can companies integrate privacy standards into internet products and services to achieve an online environment that both protects privacy (as with user-permission-based models) and allows for commerce? OASIS (Organization for the Advancement of Structured Information Standards) is a leader in the internet identity management and trust elevation standards space. Its OASIS Privacy Management Reference Model and Methodology[9] (PMRM) Technical Committee (TC) has created a committee specification draft as a standards track product.

The advantages of privacy standards are manifold. They include building a common and widespread understanding of privacy governance among adopting organizations at an international level and creating consistent compliance, auditing criteria, and user expectations across industries. Privacy standards can promote better system design, facilitate information interchange and interoperability, and foster innovation through multi-stakeholder collaboration. Some organizations may leverage the resulting privacy-enhanced products and services for market differentiation.

However, people don't usually think of standards as vehicles of innovation, even though numerous examples exist of new standards leading to new markets and technologies. Rather, standards are sometimes seen as the outcome of long political processes that are way too slow for young internet innovators. These same innovators are busy with the newest commercial technologies, such as Big Data plays, the emerging Internet of Things, and attendant new business models focused on aggregating, interlinking, and monetizing personal data. Meanwhile, the tension between these new business models and the user's privacy rights is increasing with each passing day. Indeed, there is a growing sense among experts that many internet companies, renowned for innovation and high levels of experimentation with new services, are not well versed in best practices for privacy governance. These relatively young companies, and many others, would benefit from more comprehensive privacy governance guidelines from the executive to the unit software testing levels. Here is where the patient process of standards can pay off to play a catalyst role in spurring responsible innovation and competitive advantage for many.

Upcoming privacy standards should foster another entire level of protection for consumer rights, as well. Privacy consultants praise the OASIS PMRM standards-track specification for codifying the processes for specifying privacy requirements. One excitedly said, “. . . it's better than the ad-hoc processes that are in my head. Now I have an explicit reference methodology that my clients are willing to invest in.”

Certainly, the PMRM is valuable for its step-by-step guidelines and clear and concise identification of privacy domains, controls, and critical touch points—or leakage points—through which data flow. Privacy stewards and other stakeholders may use the PMRM to create a privacy management analysis for use cases. PMRM's methodology extends to helping software engineers understand complex privacy requirements inherent in today's collaborative web-based systems. Indeed, stakeholders can use the methodology to perform thorough privacy management analyses in a wide variety of contexts, from executive management to unit-level software testing for privacy compliance.

Focusing entirely on the software engineering space is the work of an even newer standards committee, the OASIS Privacy-by-Design Documentation for Software Engineers Technical Committee[10] (PbD-SE TC), which I convened and co-chair with Dr. Ann Cavoukian, the founder of Privacy by Design and Ontario's Information and Privacy Commissioner. The PbD-SE TC members are collaborating on a future standard that will help software engineers visualize privacy requirements and operationalize Privacy by Design principles. As a first step, the PbD-SE TC has accepted the PMRM specification to help organizations create use cases that embed privacy requirements as functional requirements. In addition, this TC is currently debating a new hybrid method of using software engineering modeling languages and spreadsheets to represent integrated privacy requirements in tabular and diagrammatic forms. Together, these approaches represent richer privacy models for our increasingly socially responsible software engineers.

As shown in this timely book, professional software engineers in industry use Unified Modeling Language (UML) diagram models for sharing vision, giving visual representations of (sub)-systems, influencing code generation, and documenting software requirements and design. The Object Management Group (OMG)'s UML is an International Standards Organization (ISO) software engineering industry modeling standard. Because of UML's ubiquity, OASIS PbD-SE leverages UML and may offer new extensions to it to support privacy.

Software engineers use UML to understand and collaborate on building software. UML abstracts away confusing details and allows software developers to more easily examine a system's behavior, data, and process models more quickly compared to textual documentation. However, while UML is a commonly used communications medium, it has different degrees of adoption and use. For some large systems, UML use may be quite formal, while for users of agile methodologies, software engineers may sketch out a quick UML-like diagram that allows them to share and easily refer to requirements and design. Today, requirements analysis takes up the largest proportion of time in agile software engineering efforts. Any aid in reducing the amount of time an engineer spends in understanding and embedding privacy requirements is a bonus for productivity. Hence, the work of the OASIS PbD-SE is positioned to provide such a productivity boost to the field. In summary, organizations participating in online privacy standardization efforts today provide valuable leadership in shaping tomorrow's privacy-preserving societies. Software engineers, from business analysts and software developers to unit testers, can use the current OASIS PMRM 2013 committee specification draft and the OASIS PbD-SE standards-track approaches to promote high quality privacy engineering and responsible governance.

Author's note: The Privacy Engineering methodology described in this book is based on a systems engineering methodology used for over 30 years and therefore developed independently from PMRM and PbD, but when we reviewed these approaches, we found that privacy engineering is consistent with these approaches. We have been using UML from its early days. When Jonathan and Michelle presented their privacy assessment approach, we adapted it to UML using existing UML icons without extending UML. Dr. Jutla will be reviewing our proposed approaches as part of the OASIS PbD-SE TC analysis.

  • [1] See Handbook of Relational Database Design by B. Van Halle & C. Fleming (Addison Wesley, 1989), pp. 18–24; Data Base Management by F. McFadden and J. Hoffer (Benjamin Cummings Publishing, 1985), pp. 272–299; “The Bottom Line: Data-oriented Deliverables,” by T. R. Finneran, in Handbook of Data Management (Auerbach Press, 1993), pp. 289–298.
  • [2] Other data modeling tools can be used. We recommend UML so that you can use one consistent toolset throughout the whole lifecycle.
  • [3] Normalization is a well-known data analysis process of organizing the data attributes to minimize redundancy and inconsistency. The business classes will not contain all of the data attributes and therefore normalization is not applicable. The logical data model will use normalization.
  • [4] Classes can be arranged in hierarchies so that concrete classes (subtypes such as persons or organizations) inherit attributes, relationships, and operations or methods from more abstract classes (super-types such as parties of interest).
  • [5] More than 20 metadata models comprise the database design of a typical metadata repository. Appendix A shows data attributes of some of these models.
  • [6] It must be noted that such collaboration does not require the mythical, monolithic data mapping and classification exercise of old where millions of dollars were expended, and consultants were sent swarming across the enterprise to arrive—perhaps—with a set of already outdated binders of data. Instead, data privacy principles define privacy information and a common understanding of how and where and by whom those data may be processed becomes a discovery methodology to evaluate existing data patterns.
  • [7] “What They Know” (November 25, 2013). Wall Street Journal. Retrieved from
  • [8] I. Mosquera (August 27, 2011). “Why Mobile Apps Need to Have Privacy Policies.” VentureBeat. Retrieved from privacy-policies/.
  • [9] Privacy Management Reference Model and Methodology (PMRM), Ver. 1.0, March 2012, OASIS Committee Specification Draft. Retrieved from csd01/PMRM-v1.0-csd01.pdf.
  • [10] OASIS Privacy by Design Documentation Technical Committee (PbD-SE) Charter. Retrieved from