Visual Privacy Management in User-Centric Open Environments (VisiOn)

Description

Open and dynamic online services, such as those created in the context of Cloud Computing, Big Data and the Internet of Things, provide benefits such as easy exchange of information, faster processing of data and 24/7 access. However, potential users of online services are still reluctant to outsource sensitive data to these services, mainly due to privacy issues and a lack of control over the management of their data. For example, cloud users may have concerns about what Cloud Service Providers intend to do with their data. In fact, users may have little or no information as to when and how their data is used.

Similar scenarios can be identified in the case of Public Administration (PA), since PAs collect, transmit, share and collate huge amounts of personal data. Here the issue of privacy plays a much more important role, because in many cases citizens do not have the option of refusing to provide their data (as is the case with commercial services) but are obliged by law to provide it. For example, citizens who have to submit their self-assessment tax returns must provide their tax office with their private information (e.g. personal details). Any solution that reassures citizens that their data are being used correctly will increase their trust in online PA services.

The VisiOn project developed a visual privacy platform to help public entities deliver safe and privacy-enhanced e-government services that meet the highest privacy standards and present-day needs, and offer citizens greater and personalised control over their data.

The VisiOn project extended, developed and provided a hybrid valuation methodology of personal data, based on audience and affinity indicators. This method will help users to increase their awareness about how their data are used as well as their ability to assess and control the level of risk for their privacy. Users will gain useful insights on the value and potential monetisation of their digital personal data and will manage the use of their personal data in a transparent way. All involved entities, citizens and public administrators, will benefit from the loyalty and trust that is built for their transactions. This methodology will vastly improve users' decision-making when it comes to the specification of Privacy Level Agreements (PLAs).

This project received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 653642.

The main aim of the VisiOn project was to deliver a high Technology Readiness Level (TRL) Privacy Management Platform, which will facilitate the visual analysis of privacy needs of citizens and Public Administrations and assist in the creation, monitoring and enforcement of PLAs to strengthen the transparency and trustworthiness of Public Administration online services in modern societies.

To achieve the above aim, the project focused on two different but very relevant perspectives, that of citizens and that of Public Administrations. From a citizen’s perspective the project empowered citizens to set desired levels of privacy and create and monitor a personal Privacy Level Agreement, based on a clear visualisation of their privacy preferences, relevant threats and trust issues along with an indication of the economic value of their data. From a Public Administration perspective, the project provided the necessary tools to improve citizens’ trust and transparency by supporting the visual analysis of privacy issues at different levels and perspectives in the context of (i) related directives and regulations; (ii) business/operational processes; and (iii) accountability.

In a nutshell, the platform achieved these goals by enabling the creation of custom-made Privacy Level Agreements (PLAs) that must be compliant with European laws and legislation. The platform monitored the state of this compliance at all times and provided the necessary PLA enforcement when this state did not meet the pre-defined agreement. The VisiOn project achieved the above aim through a set of clear and measurable objectives, listed below:

Specification of Privacy Level Agreements (PLAs) for different types of users (i.e. citizen, Public Administration).
Visual management of Privacy Level Agreements of different stakeholders (i.e. citizens, Public Administration, third parties) and from different perspectives (e.g. design and run-time).
Validation of the VisiOn Privacy Platform (VPP) in an operational environment.
Definition of a clear business strategy for the commercial roll-out of the VisiOn project results.

"The VisiOn platform provides support towards GDPR compliance through the creation of tailored Privacy Level Agreements, which take into account citizens' privacy needs and provides them with control over their data, and provides organisations with methods and tools to achieve a privacy-by-design approach for their digital services."
Professor Haris Mouratidis, Director, Centre for Secure, Intelligent and Usable Systems, University of Brighton

Key findings

The outcomes of the project produced:

Methods and tools integrated into the appropriate VisiOn platform components, which support a simple and effective way to elicit privacy needs and accordingly specify Privacy Level Agreements by taking into account the differences between user types (for example citizens are not expected to have any technical knowledge).
A platform that empowers users to set and analyse their preferred privacy levels through an easy to understand visualisation of their needs and relevant visual warnings regarding conflicts and inconsistencies.
A tested and validated VisiOn Privacy Platform (VPP), in two different types of pilots across four different pilot sites, including two types of public administration departments (municipalities and health care departments) and using various stakeholders (i.e. public administration, citizens, third parties).
A validated set of business plans and models for the commercial exploitation of the project results (tools, services, platform), along with strategies of reaching potential customers.

The solution, which was successfully trialled through a series of different pilot tests (Italian ministry of economic development, Spanish and Italian hospitals, etc.), empowers citizens themselves by enabling them to create and monitor a personal Privacy Level Agreement. This provides a clear visualisation of privacy preferences about how their data can be managed by public institutions, relevant threats and trust issues along with a high-level insight into the economic value of their data. Results obtained from the pilots have confirmed that the developed platform improves citizen awareness of privacy and data protection issues and increases their level of control over data management.

During the pilot tests, for public authorities, the VisiOn Privacy Platform (VPP) was shown to be an effective tool for strengthening the transparency and accountability of their operations, and ensuring that they are in full compliance with online data privacy laws. The platform helps public authorities to exchange information with citizens with a clearer understanding and agreement of data usage and sharing.

Reviewers of the project (appointed by the EU) and the project officer recognised and congratulated the consortium on the technical results of the project and in particular the definition and development of the Privacy Level Agreement, which was a technical aspect that the University of Brighton led. They also recognised the importance and the relevance of the project results in relation to new Privacy regulations such as the General Data Protection Regulation (GDPR) coming into effect in 2018. The GDPR impacts every organisation holding EU citizen information – whether located in the EU or not – as well as the opportunities for commercialisation of the final platform. Due to the positive outcome of the project evaluation, the project coordinator has received invitations from the EU to run some short features on the project, highlighting key impacts and successes.

The University of Brighton research team:

led the development of the various platform components
contributed significantly to the definition of the platform requirements and specification
defined and formalised the Privacy Level Agreement
made a major contribution to the application of the platform to the pilots
represented the consortium in major events including the European Annual Privacy Forum, the major annual event on Data Privacy organised by the European Union Agency for Network and Information Security (ENISA), where they presented a major outcome of the project and demonstrated the platform.

A major research output was also the development of a novel methodology for the modelling and analysis of security and privacy requirements, together with the corresponding tool. The methodology is key to the threat analysis of the platform. The team also produced seven publications, and parts of the work influenced other research work (a further five publications). Moreover, the pilots were used as case studies in two PhD theses. Research-informed teaching was also achieved through case studies used in MSc Information Security coursework to give students realistic scenarios for their work.

Acronym: VisiOn
Status: Finished
Effective start/end date: 1/07/15 to 30/06/17