Privacy Goals for the Data Lifecycle
Round 1
Reviewer 1 Report
This paper is very well presented and informative. The content of this paper is a roadmap for young researchers who wish to choose this domain as their area of research. I strongly recommend this work for the Future Internet journal.
Author Response
Thank you, we appreciate you taking the time to read our submission and your kind comments.
Reviewer 2 Report
The authors present a work where they extend a prior framework to fit GDPR requirements, with the aim of producing a framework that can be used by businesses to assess data lifecycle and the relevant risks in a GDPR-compliant way. They then submit their extended framework for peer-review and test it against a practical example.
I found the work to be interesting and well-supported, but I think that the current presentation is not satisfactory at all, and also some contents could be improved.
CONTENTS
My major criticism of the contents is that the mapping of GDPR to 7-DL and the Privacy Goals often ends up mapping stuff to "all", or most of the elements. While I understand that a real one-to-one mapping is probably never realistic, I think that some more courage could be used in focusing only on the most relevant elements of each 7-DL stage, leaving other present-but-less-relevant elements in the background.
Given the importance of the privacy goals (introduced at line 316) I would like to find an (even brief) definition in the paper.
In Step 4 - 8.1 Peer evaluation, it should be made clear whether each of the three groups was composed of people from the three backgrounds (thus having 18 peer-reviewers) or whether the three groups already grouped people by background (so that there were a total of 9 reviewers).
PRESENTATION
As a general observation I felt that, especially in the first half, sentences are convoluted and redundant, and commas are laid out in such a way that makes reading difficult. Sometimes they are simply in the wrong places, too.
Furthermore, there are many typos. Some examples with relevant line numbers:
59 - "refsec:Data" should obviously be resolved
95 - it should be "data" and not "the data"
142 - missing ")"
291 - double "privacy"
308 - "of first looking" ? the whole sentence isn't clear
Also, as far as I know "data" should be singular (thus data is, and not are like is used in many many places).
On line 70 "classed" should be "classified", but most of all, data collected by businesses and devices is not automatically classified as personal data: it really depends on various conditions which should at least be considered. (This wouldn't change the rest of the work, but that sentence isn't correct.)
I assume there is some editing problem after section 6.6, and the current heading of section 7 is wrong, and most of the subsequent headings too. This should absolutely be corrected.
As a personal-taste note: I found "worked example" a really difficult label. I think something like "practical example" would be a simpler and more fitting label.
Author Response
First of all, thank you for taking the time to read and review this submission, we appreciate your comments and take pleasure in responding as follows:
"CONTENTS
My major criticism of the contents is that the mapping of GDPR to 7-DL and the Privacy Goals often ends up mapping stuff to "all", or most of the elements. While I understand that a real one-to-one mapping is probably never realistic, I think that some more courage could be used in focusing only on the most relevant elements of each 7-DL stage, leaving other present-but-less-relevant elements in the background."
Response: for anyone reading this from a legal perspective, the full explanation will be expected. Therefore, to ensure this is relevant to all potential readers, the full detail has been included.
"Given the importance of the privacy goals (introduced at line 316) I would like to find an (even brief) definition in the paper."
Response: thank you, duly noted. Have added some background on privacy goal modelling in Section 2.3 to introduce the idea of privacy goals earlier in the paper (line 128).
"In Step 4 - 8.1 Peer evaluation, it should be made clear whether each of the three groups was composed of people from the three backgrounds (thus having 18 peer-reviewers) or whether the three groups already grouped people by background (so that there were a total of 9 reviewers)."
Response: noted, as per your suggestion, the evaluation has been updated and now states: "The format of the evaluation was to ask 9 evaluators, divided into three groups based on expertise, to review and comment on these." (lines 579-582)
"PRESENTATION
As a general observation I felt that, especially in the first half, sentences are convoluted and redundant, and commas are laid out in such a way that makes reading difficult. Sometimes they are simply in the wrong places, too."
Response: Have updated punctuation.
"Furthermore, there are many typos. Some examples with relevant line numbers:
59 - "refsec:Data" should obviously be resolved"
Response: done
"95 - it should be "data" and not "the data""
Response: updated
"142 - missing ")""
Response: inserted
"291 - double "privacy""
Response: duplication removed
"308 - "of first looking" ? the whole sentence isn't clear"
Response: updated
"Also, as far as I know "data" should be singular (thus data is, and not are like is used in many many places)."
Response: corrected
"On line 70 "classed" should be "classified", but most of all, data collected by businesses and devices is not automatically classified as personal data: it really depends on various conditions which should at least be considered. (This wouldn't change the rest of the work, but that sentence isn't correct.)"
Response: corrected
"I assume there is some editing problem after section 6.6, and the current heading of section 7 is wrong, and most of the subsequent headings too. This should absolutely be corrected."
Response: Agree, now corrected.
"As a personal-taste note: I found "worked example" a really difficult label. I think something like "practical example" would be a simpler and more fitting label."
Response: Worked example is a term that we believe is commonly used and understood and therefore, we would like to keep this wording as it is.
Reviewer 3 Report
Overall positive and worth publishing after some improvements.
Most points below are minor, indicated if otherwise. Even the ones marked "serious" aren't deal breakers.
Many of the references to own work are justified, but a few are misrepresented as "the research community" and at least one looks gratuitous.
Check ALL uses of ; and replace it with : where it is followed by an explanation or list of what was before the symbol. Too many to list individually.
Abstract: not explaining what circularity is supposed to mean, can it be avoided?
p1 36 missing words, sentence ungrammatical. "Thus" also unclear.
p2 40 compl*e*ment not compl*i*ment
57 what is personally identifiable data, why is it abbreviated PD, and why use a term that is not used in the GDPR context?
59 missing \ before ref{sec
63-67 lots of things happening in Section 6, probably too many - check this after fixing the problem with sectioning on page 11.
72 missing )
76 remove second ,
79 unsatisfactory, because circular, definition
84 "they" unclear reference
87 don't agree with data/information - what businesses collect about users has to be data, not information, to start with, and turning it back into data is nonsense
p3 95 "using the power of that data" too informal
95-97 not really "additional" to what was described before, analysing the data is already part of turning data into information
98 last sentence is a complete non-sequitur
106 [15-21] too many references, including gratuitous self citation 15, 21 doesn't look appropriate
118 refer to author not journal
123 remove second ,
125 Serious: data privacy is way more than "data breach"
131 can have comma after arguably only if you have one before too
142 missing )
p4 171 remove ,
p5 218-220 self citation dressed up as "the research community", rephrase "need to be made"
226 et. al -> et al. (and put a hard backslash-space after al. to avoid a line separator spacing in LaTeX).
p8 Serious: intervenability is a non-standard term, really deserves an explanation along the lines of what's in the appendix.
p9 388 Also -> It also
p10 399 Serious: rephrase this because it almost suggests that consent is always the legal basis, whereas purpose limitation is not constrained to situations in which informed consent is possible or achievable.
p11 443-451 Paragraph is almost completely a repeat of the previous one.
456 this this -> that this
481-483 debatable, as Principle 6 says "security, including ... (integrity and confidentiality" so leaves it open that there's more to it. But minor point.
484 Serious: I think the sectioning has gone wrong here, because we're halfway down Principle 6 and later we'll have Principle 7, but starting a new Section here. Maybe the whole first few sentences following belong elsewhere, a few "this" that don't have an obvious referent.
486 Remove , after principle.
p12 507 missing )
508 don't use SA here but use the standard term DPA which is also in your list of abbreviations ...
565 Serious: you missed a trick here by not using evaluators with expertise in (data protection) law.
p14 DFD: missed opportunity here, drawing trust boundaries on the DFD would have supported security analysis
p15 639-640 Serious: Really weak justification for using contract as the GDPR legal basis. "This means that" not justified on this basis.
p16 661 If really transformation coincides with "processing" under GDPR as you claim, you would have been better off using the GDPR term. However, they don't coincide - GDPR processing is much wider, including e.g. storing.
669 Might also mention access control in connection with "what they can and cannot do"
691 pseudonymised
692 because you haven't defined intervenability earlier, "intervene at any point" sounds far too vague here.
p17 728-729 Serious: you are making an unjustified connection between the possibility of on-sharing and consent being the legal basis.
733 Serious: The decision probably also needs to be influenced by the question whether the data subjects will be able to exercise their rights after sharing. E.g. you discuss right to deletion on the next page, but if you can already determine now that they wouldn't be able to exercise it, you need to decide not to share at all at this point. Similarly for the rights mentioned in Post-Access. Overall this makes the separation between 7-DL:5 and 7-DL:6 look counterproductive.
733 One reference to purpose in this paragraph, but not to the interaction between purpose limitation and decision to share.
p18 759-750 Serious: this sounds credible at first reading, but is wrong. While the purpose of processing persists, the data controller needs to make sure the data is not prematurely disposed of.
772 complimentary -> complementary
(I think my review may be somewhat complimentary overall, but I hope it is complementary to the other reviews so between us we cover all issues.)
795 "and the GDPR compliance have" -> "and GDPR compliance has"
800 missing : in 7DL2
Author Response
First of all, thank you for taking the time to read and review this submission, we appreciate your comments and take pleasure in responding as follows:
Overall positive and worth publishing after some improvements.
Response: Thank you.
Most points below are minor, indicated if otherwise. Even the ones marked "serious" aren't deal breakers.
Response: Thank you again.
Many of the references to own work are justified, but a few are misrepresented as "the research community" and at least one looks gratuitous.
Response: Have removed the reference to the research community and updated this to read simply, "previous work conducted…" (line 241).
Check ALL uses of ; and replace it with : where it is followed by an explanation or list of what was before the symbol. Too many to list individually.
Response: Have updated to either remove, or turn into a , or : depending on context.
Abstract: not explaining what circularity is supposed to mean, can it be avoided?
Response: Have reworded this to say reuse and/or repurpose (line 7).
p1 36 missing words, sentence ungrammatical. "Thus" also unclear.
Response: Reworded to clarify (lines 36/37).
p2 40 compl*e*ment not compl*i*ment
Response: have corrected to say complement (all instances).
57 what is personally identifiable data, why is it abbreviated PD, and why use a term that is not used in the GDPR context?
Response: Reworded to say personally identifiable information (PII) (lines 71/72).
59 missing \ before ref{sec
Response: corrected.
63-67 lots of things happening in Section 6, probably too many - check this after fixing the problem with sectioning on page 11.
Response: now addressed, sectioning is now aligned. Have removed the subsection to eliminate confusion, which should now address any confusion (line 503).
72 missing )
Response: inserted.
76 remove second ,
Response: done.
79 unsatisfactory, because circular, definition
Response: Reworded to clarify.
84 "they" unclear reference
Response: Reworded to clarify to "For instance, data collected may be used to offer…." (lines 85/86).
87 don't agree with data/information - what businesses collect about users has to be data, not information, to start with, and turning it back into data is nonsense
Response: Hmm, actually, it does. You can start with data, turn it into information and then back into data. However, to clarify, this has been changed to say "Similarly, the information may be turned back into data and potentially reused for other purposes by collating it in another way or removing some of the interpreted meaning." (lines 90-92)
p3 95 "using the power of that data" too informal
Response: Reworded to clarify (lines 95/96).
95-97 not really "additional" to what was described before, analysing the data is already part of turning data into information
Response: Removed.
98 last sentence is a complete non-sequitur
Response: Removed.
106 [15-21] too many references, including gratuitous self citation 15, 21 doesn't look appropriate
Response: Removed some of these references to reduce the number. Did, however, leave the 'gratuitous' reference as this refers to a paper about a redaction tool devised by colleagues and therefore is actually very appropriate here.
118 refer to author not journal
Response: done.
123 remove second ,
Response: done.
125 Serious: data privacy is way more than "data breach"
Response: indeed, have reworded to say: "..minimises the risk of a privacy violation, e.g. a data breach" (line 124).
131 can have comma after arguably only if you have one before too
Response: done.
142 missing )
Response: done.
p4 171 remove ,
Response: done.
p5 218-220 self citation dressed up as "the research community", rephrase "need to be made"
Response: reworded to say "previous work conducted has explored decision-making: prior to sharing data as open data … and for assessing privacy risks with the DPIA Data Wheel …" (lines 241-243).
226 et. al -> et al. (and put a hard backslash-space after al. to avoid a line separator spacing in LaTeX).
Response: updated.
p8 Serious: intervenability is a non-standard term, really deserves an explanation along the lines of what's in the appendix.
Response: Have included a definition for each of the terms in the table of goals compared to make meanings clear (pages 8-9).
p9 388 Also -> It also
Response: updated.
p10 399 Serious: rephrase this because it almost suggests that consent is always the legal basis, whereas purpose limitation is not constrained to situations in which informed consent is possible or achievable.
Response: Rephrased to clarify - now says: "Thus, in 7-DL, purpose limitation is considered to incorporate a requirement to ensure informed consent is obtained unless overriding principles apply (e.g. vital interest, Article 6(1)(D))" (lines 427/428).
p11 443-451 Paragraph is almost completely a repeat of the previous one.
Response: Agreed, sentence removed.
456 this this -> that this
Response: removed one of the repeated words.
481-483 debatable, as Principle 6 says "security, including ... (integrity and confidentiality" so leaves it open that there's more to it. But minor point.
484 Serious: I think the sectioning has gone wrong here, because we're halfway down Principle 6 and later we'll have Principle 7, but starting a new Section here. Maybe the whole first few sentences following belong elsewhere, a few "this" that don't have an obvious referent.
Response: Agreed, have corrected this by incorporating it into Principle 6 (Section 6.6), which has resolved the issue; the article now moves from Section 6.6 (Principle 6) to 6.7 (Principle 7).
486 Remove , after principle.
Response: removed.
p12 507 missing )
Response: inserted.
508 don't use SA here but use the standard term DPA which is also in your list of abbreviations …
Response: updated.
565 Serious: you missed a trick here by not using evaluators with expertise in (data protection) law.
Response: Perhaps, but the work was done in relation to computing. However, duly noted.
p14 DFD: missed opportunity here, drawing trust boundaries on the DFD would have supported security analysis
Response: Agreed, and thank you for pointing this out. We have updated the diagram to include trust boundaries and added a paragraph to explain (lines 642-655).
p15 639-640 Serious: Really weak justification for using contract as the GDPR legal basis. "This means that" not justified on this basis.
Response: Fair point, have changed this to consent and, if no consent, vital interest in an emergency situation (lines 661-663).
p16 661 If really transformation coincides with "processing" under GDPR as you claim, you would have been better off using the GDPR term. However, they don't coincide - GDPR processing is much wider, including e.g. storing.
Response: While I agree processing encompasses more than the act of manipulating the data, in terms of actively doing something with the data, transformation is where that happens, hence why this is there. However, to make this clear, this has been changed from "known as processing under GDPR" to say "part of the act of processing under GDPR" (line 684).
669 Might also mention access control in connection with "what they can and cannot do"
Response: have added this (line 725).
691 pseudonymised
Response: corrected.
692 because you haven't defined intervenability earlier, "intervene at any point" sounds far too vague here.
Response: See comment above on intervenability.
p17 728-729 Serious: you are making an unjustified connection between the possibility of on-sharing and consent being the legal basis.
Response: Have updated this to specifically explain that on-sharing can only happen where the citizen has consented (line 756).
733 Serious: The decision probably also needs to be influenced by the question whether the data subjects will be able to exercise their rights after sharing. E.g. you discuss right to deletion on the next page, but if you can already determine now that they wouldn't be able to exercise it, you need to decide not to share at all at this point. Similarly for the rights mentioned in Post-Access. Overall this makes the separation between 7-DL:5 and 7-DL:6 look counterproductive.
Response: This is covered, but have moved this to the beginning of the sentence to make it absolutely clear - now says: "As part of this, consideration also needs to be given to whether the data can/will be shared with third-parties and therefore, this decision should also take into account what the data subject has consented to" (lines 771-772).
733 One reference to purpose in this paragraph, but not to the interaction between purpose limitation and decision to share.
Response: Have added on-sharing to this - now says: "…ensuring consent choices of the data subject as to the extent of sharing allowed, and decisions are made around the logistics of such sharing" (lines 775-776).
p18 759-750 Serious: this sounds credible at first reading, but is wrong. While the purpose of processing persists, the data controller needs to make sure the data is not prematurely disposed of.
Response: Have added "(and no valid constraints exist that require continued storage, e.g. for a minimum statutory period)" to make it clear that there may be times when deletion could be premature (lines 804-805).
772 complimentary -> complementary
Response: updated.
(I think my review may be somewhat complimentary overall, but I hope it is complementary to the other reviews so between us we cover all issues.)
Response: Yes, thank you, very much appreciated that you have taken the time to go into such detail, very helpful indeed.
795 "and the GDPR compliance have" -> "and GDPR compliance has"
Response: updated.
800 missing : in 7DL2
Response: thank you, added!
Reviewer 4 Report
The paper lacks original novelty. No supported evaluation and results were presented. It needs a comprehensive English language check. The related work is lengthy, with unnecessary content for the reader.
Author Response
The paper presents an original framework to support privacy decision making throughout the data lifecycle. This framework has been derived based on adaptation of an existing life cycle (Altman) combined with a set of privacy goals devised to support more effective decision making. A succinct overview of the contribution is also provided in section 8.1.
Evaluation is explained in Section 7, where we explain that the framework was assessed by 9 independent reviewers (peer evaluation, Section 7.1) before then providing a worked example based on the lifelogging use case scenario from the Ideal Cities project in Section 7.2 to demonstrate how the framework can be applied in practice.
Round 2
Reviewer 4 Report
The authors have answered my inquiries. Although Sec 2 is still lengthy with unnecessary background, I am satisfied with this version.