Information practices and systems that make use of personal and health-related information are governed by European laws and regulations to prevent unauthorized use and disclosure. Failure to comply with these laws and regulations results in huge monetary sanctions, which both private companies and public administrations want to avoid. Complying with these laws requires understanding the privacy requirements imposed on information systems. A holistic approach to privacy requirements specification calls for understanding not only the requirements derived by law, but also citizens' needs with respect to privacy. In this paper, we report on our experience in conducting privacy requirements engineering as part of an H2020 European Project, namely VisiOn (Visual Privacy Management in User Centric Open Requirements), for the development of a privacy platform to improve the interaction between Public Administrations (PA) and citizens, while guarding the privacy of the latter. Specifically, we present the process for eliciting, classifying, prioritizing, and validating privacy requirements for the two types of users, namely PA and citizen. The process is applied to different cases spanning from healthcare to other e-governmental initiatives, with the active involvement of the corresponding PAs. We report on findings and lessons learned from this experience.
Published - 12 Sept 2016
International Requirements Engineering Conference - Beijing, China, 12-16 September 2016