Privacy Requirements: Findings and Lessons Learned in Developing a Privacy Platform

Information practices and systems that make use of personal and health-related information are governed by European laws and regulations to prevent unauthorized use and disclosure. Failure to comply with these laws and regulations results in huge monetary sanctions, which both private companies and public administrations want to avoid. How to comply with these laws, requires understanding the privacy requirements imposed on information systems. A holistic approach to privacy requirements specification calls for understanding not only the requirements derived from law, but also citizens' needs with respect to privacy. In this paper, we report on our experience in conducting privacy requirements engineering as part of a H2020 European Project, namely VisiOn (Visual Privacy Management in User Centric Open Requirements) for the development of a privacy platform to improve the interaction between Public Administrations (PA) and citizens, while guarding the privacy of the latter. Specifically, we present the process for eliciting, classifying, prioritizing, and validating privacy requirements for the two types of users, namely PA and citizen. The process is applied to different cases spanning from healthcare to other e-governmental initiatives, with the active involvement of the corresponding PAs. We report on findings and lessons learned from this experience.