Conceptual Framework and Architecture for Privacy Audit.

Many ICT applications involve the collection of personal information or information on the behaviour of customers, users, employees, citizens, or patients. The organisations that collect this data need to manage the privacy of these individuals. In many organisations there are insufficient data protection measures and a low level of trust among those whose data are concerned. It is often difficult and burdensome for organisations to prove privacy compliance and accountability especially in situations that cross national boundaries and involve a number of different legal systems governing privacy. In response to these obstacles, we describe instruments facilitating accountability, audit, and meaningful certification. These instruments are based on a set of fundamental data protection goals DPG: availability, integrity, confidentiality, transparency, intervenability, and unlinkability. By using the data protection goals instead of focusing on fragmented national privacy regulations, a well defined set of privacy metrics can be identified recognising privacy by design requirements and widely accepted certification criteria. We also describe a novel conceptual framework and architecture for defining comprehensive privacy compliance metrics and providing assessment tools for ICT applications and services using as much automation as possible. The proposed metrics and tools will identify gaps, provide clear suggestions and will assist audit and certification to support informed decisions on the trustworthiness of ICT for citizens and businesses.