Abstract
In their daily practice, most enterprises collect, store, and manage personal information about customers in order to deliver their services. In such a setting, privacy has emerged as a key concern, as companies often neglect or even misuse personal data. In response, governments around the world have enacted laws and regulations for privacy protection. These laws dictate privacy requirements for any system that acquires and manages personal data. Unfortunately, these requirements are often incomplete and/or inaccurate, as many RE practitioners are unsure of what exactly privacy requirements are and how they differ from other requirements, such as security requirements. To tackle this problem, we developed a comprehensive ontology for privacy requirements. To make it comprehensive, we base our ontology on a systematic review of the literature on privacy requirements. The contributions of this work include the derivation of an ontology from a previously conducted systematic literature review, an implementation using an ontology definition tool (Protégé), a demonstration of its coverage through an extensive example on Ambient Assisted Living, and a validation through a competency questionnaire answered by lexical semantics experts as well as privacy and security researchers.
Notes
1. A detailed version of the systematic literature review can be found at [14].
2. The ontology has been extended with Collect and Describes to capture situations in which information describing some activities performed by a data subject (personal information) is being collected by others.
3. We treat “information owner” and “data subject” as synonyms.
4. The right to erasure (right to be forgotten) is essential in several privacy laws, yet we did not consider it, since the use of information is limited to a specific, explicit, legitimate purpose (a goal), i.e., information will not be kept after the goal is achieved.
5. The COPri ontology is available in OWL format at https://goo.gl/AaqUxx.
6.
7. Note that the main focus of the CQs is privacy requirements, not goal analysis.
8. If an actor is not playing any role, it will be impossible to authenticate it.
9.
10.
11. Evaluation with OOPS! was performed after evaluating the ontology with Protégé and HermiT, i.e., several pitfalls had already been detected and corrected.
12. The experts' evaluation template can be found at https://goo.gl/ZEhLnN.
13. The survey template can be found at https://goo.gl/bro8nG.
References
General Data Protection Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, and repealing Directive 95/46. Official J. Eur. Union (OJ) 59, 1–88 (2016)
Gharib, M., et al.: Privacy requirements: findings and lessons learned in developing a privacy platform. In: Proceedings - 24th International Requirements Engineering Conference, RE, pp. 256–265. IEEE (2016)
Kalloniatis, C., Kavakli, E., Gritzalis, S.: Addressing privacy requirements in system design: the PriS method. Requir. Eng. 13(3), 241–255 (2008). https://doi.org/10.1007/s00766-008-0067-3
Labda, W., Mehandjiev, N., Sampaio, P.: Modeling of privacy-aware business processes in BPMN to protect personal data. In: Proceedings of the 29th Annual ACM Symposium on Applied Computing, pp. 1399–1405. ACM (2014)
Gharib, M., Giorgini, P., Mylopoulos, J.: Towards an ontology for privacy requirements via a systematic literature review. In: Mayr, H.C., Guizzardi, G., Ma, H., Pastor, O. (eds.) ER 2017. LNCS, vol. 10650, pp. 193–208. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69904-2_16
Solove, D.J.: A taxonomy of privacy. Univ. PA Law Rev. 154(3), 477 (2006)
Pfitzmann, A., Hansen, M.: A terminology for talking about privacy by data minimization: anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management, pp. 1–98. Dresden University (2010)
Krasnova, H., Spiekermann, S., Koroleva, K., Hildebrand, T.: Online social networks: why we disclose. J. Inf. Technol. 25(2), 109–125 (2010)
Awad, K.: The personalization privacy paradox: an empirical evaluation of information transparency and the willingness to be profiled online for personalization. MIS Q. 30(1), 13 (2006)
Souag, A., Salinesi, C., Mazo, R., Comyn-Wattiau, I.: A security ontology for security requirements elicitation. In: Piessens, F., Caballero, J., Bielova, N. (eds.) ESSoS 2015. LNCS, vol. 8978, pp. 157–177. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-15618-7_13
Uschold, M.: Building ontologies: towards a unified methodology. In: Proceedings Expert Systems 1996, The 16th Annual Conference of the British Computer Society Specialist Group on Expert Systems, pp. 1–18 (1996)
Fernández-López, M., Gómez-Pérez, A., Juristo, N.: Methontology: from ontological art towards ontological engineering. In: AAAI-97 Spring Symposium Series SS-97-06, pp. 33–40 (1997)
Dong, H., Hussain, F.K., Chang, E.: Application of Protégé and SPARQL in the field of project knowledge management. In: Second International Conference on Systems and Networks Communications, ICSNC 2007 (2007)
Gharib, M., Giorgini, P., Mylopoulos, J.: Ontologies for privacy requirements engineering: a systematic literature review. preprint arXiv:1611.10097 (2016)
Dritsas, S., et al.: A knowledge-based approach to security requirements for e-health applications. J. E-Commer. Tools Appl. 2, 1–24 (2006)
Turn, R.: Classification of personal information for privacy protection purposes, p. 301 (1976)
Gharib, M., Giorgini, P.: Modeling and reasoning about information quality requirements. In: Fricker, S.A., Schneider, K. (eds.) REFSQ 2015. LNCS, vol. 9013, pp. 49–64. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16101-3_4
Gharib, M., Giorgini, P.: Analyzing trust requirements in socio-technical systems: a belief-based approach. In: Ralyté, J., España, S., Pastor, Ó. (eds.) PoEM 2015. LNBIP, vol. 235, pp. 254–270. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-25897-3_17
Mayer, N.: Model-based management of information system security risk. Ph.D. thesis, University of Namur (2009)
Mouratidis, H., Giorgini, P.: Secure Tropos: a security-oriented extension of the Tropos methodology. J. Softw. Eng. Knowl. Eng. 17(2), 285–309 (2007)
Gharib, M., Lollini, P., Bondavalli, A.: A conceptual model for analyzing information quality in System-of-Systems. In: 12th System of Systems Engineering Conference, SoSE 2017, pp. 1–6. IEEE (2017)
Gharib, M., Mylopoulos, J.: A Core Ontology for Privacy Requirements Engineering. preprint arXiv:1811.12621 (2018)
Poveda, M., Suárez-Figueroa, M.C., Gómez-Pérez, A.: A double classification of common pitfalls in ontologies. In: OntoQual 2010 - Workshop on Ontology Quality. CEUR Workshop Proceedings, Lisbon, Portugal, pp. 1–12 (2010). ISSN 1613-0073
Palmirani, M., Martoni, M., Rossi, A., Bartolini, C., Robaldo, L.: PrOnto: privacy ontology for legal reasoning. In: Kő, A., Francesconi, E. (eds.) EGOVIS 2018. LNCS, vol. 11032, pp. 139–152. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98349-3_11
Oltramari, A., et al.: PrivOnto: a semantic framework for the analysis of privacy policies. Semant. Web 9(2), 185–203 (2018)
© 2020 Springer Nature Switzerland AG
Cite this paper
Gharib, M., Mylopoulos, J., Giorgini, P. (2020). COPri - A Core Ontology for Privacy Requirements Engineering. In: Dalpiaz, F., Zdravkovic, J., Loucopoulos, P. (eds) Research Challenges in Information Science. RCIS 2020. Lecture Notes in Business Information Processing, vol 385. Springer, Cham. https://doi.org/10.1007/978-3-030-50316-1_28
DOI: https://doi.org/10.1007/978-3-030-50316-1_28
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-50315-4
Online ISBN: 978-3-030-50316-1
eBook Packages: Computer Science, Computer Science (R0)