{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,1]],"date-time":"2025-10-01T15:24:30Z","timestamp":1759332270469,"version":"3.41.2"},"reference-count":32,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2020,4,21]],"date-time":"2020-04-21T00:00:00Z","timestamp":1587427200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2020,4,21]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This study aims to assist organizations to protect the privacy of their users and the security of the data that they store and process. Users may be the customers of the organization (people using the offered services) or the employees (users who operate the systems of the organization). To be more specific, this paper proposes a privacy impact assessment (PIA) method that explicitly takes into account the organizational characteristics and employs a list of well-defined metrics as input, demonstrating its applicability to two hospital information systems with different characteristics.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>This paper presents a PIA method that employs metrics and takes into account the peculiarities and other characteristics of the organization. The applicability of the method has been demonstrated on two Hospital Information Systems with different characteristics. 
The aim is to assist the organizations to estimate the criticality of potential privacy breaches and, thus, to select the appropriate security measures for the protection of the data that they collect, process and store.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The results of the proposed PIA method highlight the criticality of each privacy principle for every data set maintained by the organization. The method employed for the calculation of the criticality level takes into account the consequences that the organization may experience in case of a security or privacy violation incident on a specific data set, the weighting of each privacy principle and the unique characteristics of each organization. So, the results of the proposed PIA method offer a strong indication of the security measures and privacy enforcement mechanisms that the organization should adopt to effectively protect its data.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>The novelty of the method is that it handles security and privacy requirements simultaneously, as it uses the results of risk analysis together with those of a PIA. 
A further novelty of the method is that it introduces metrics for the quantification of the requirements and also that it takes into account the specific characteristics of the organization.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-01-2020-0007","type":"journal-article","created":{"date-parts":[[2020,5,4]],"date-time":"2020-05-04T14:04:40Z","timestamp":1588601080000},"page":"503-529","source":"Crossref","is-referenced-by-count":5,"title":["Utilizing a privacy impact assessment method using metrics in the healthcare sector"],"prefix":"10.1108","volume":"28","author":[{"given":"Eleni-Laskarina","family":"Makri","sequence":"first","affiliation":[]},{"given":"Zafeiroula","family":"Georgiopoulou","sequence":"additional","affiliation":[]},{"given":"Costas","family":"Lambrinoudakis","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2020100112345020700_ref001","first-page":"141","article-title":"Developing a structured metric to measure privacy risk in privacy impact assessments","year":"2016","journal-title":"Privacy and Identity Management. Time for a Revolution"},{"issue":"4","key":"key2020100112345020700_ref002","doi-asserted-by":"crossref","first-page":"1017","DOI":"10.2307\/41409971","article-title":"Privacy in the digital age: a review of information privacy research in information systems","volume":"35","year":"2011","journal-title":"Journal MIS Quarterly"},{"key":"key2020100112345020700_ref003","unstructured":"Cavoukian, A. (2006), \u201cCreation of a global privacy standard\u201d, available at: www.ipc.on.ca\/images\/Resources\/gps.pdf"},{"key":"key2020100112345020700_ref004","unstructured":"Cavoukian, A. 
(2011), \u201cPrivacy by design \u2013 the 7 foundational principles\u201d, Technical report, Information and Privacy Commissioner of Ontario, (revised version)."},{"issue":"2","key":"key2020100112345020700_ref005","article-title":"Privacy by design: essential for organizational accountability and strong business practices","volume":"3","year":"2010","journal-title":"Identity in the Information Society"},{"key":"key2020100112345020700_ref006","unstructured":"Commission Nationale de l\u2019Informatique et des Libert\u00e9s (CNIL) (2015), \u201cPrivacy impact assessment (PIA) methodology (how to carry out a PIA)\u201d, Edition, available at: www.cnil.fr\/sites\/default\/files\/typo\/document\/CNIL-PIA-1-Methodology.pdf"},{"key":"key2020100112345020700_ref007","unstructured":"Commission Nationale de l\u2019Informatique et des Libert\u00e9s (CNIL) (2018), \u201cThe open source PIA software helps to carry out data protection impact assessment\u201d, available at: www.cnil.fr\/en\/open-source-pia-software-helps-carry-out-data-protection-impact-assesment"},{"key":"key2020100112345020700_ref008","unstructured":"Data Protection Act (1998), available at: www.legislation.gov.uk\/ukpga\/1998\/29\/contents, www.legislation.gov.uk\/ukpga\/1998\/29\/pdfs\/ukpga_19980029_en.pdf"},{"issue":"6","key":"key2020100112345020700_ref009","doi-asserted-by":"crossref","first-page":"793","DOI":"10.1142\/S0218488512400247","article-title":"Data privacy: Definitions and techniques","volume":"20","year":"2012","journal-title":"International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems"},{"volume-title":"Recommendation on the Implementation of Privacy and Data Protection Principles in Applications Supported by Radio-Frequency Identification, C (2009) 3200 Final","year":"2009","author":"European Commission","key":"key2020100112345020700_ref010"},{"key":"key2020100112345020700_ref011","unstructured":"European Commission (2011\/2012), \u201cPIAF: a privacy impact assessment 
framework for data protection and privacy rights\u201d, available at: www.piafproject.eu\/Index.html"},{"key":"key2020100112345020700_ref012","unstructured":"European Union Agency for Network and Information Security (ENISA) (2020), \u201cCRAMM (CCTA risk analysis and management method)\u201d, available at: www.enisa.europa.eu\/topics\/threat-risk-management\/risk-management\/current-risk\/risk-management-inventory\/rm-ra-methods\/m_cramm.html"},{"key":"key2020100112345020700_ref013","first-page":"307","article-title":"The ISO PIA standard for financial services","year":"2012","journal-title":"The ISO PIA Standard for Financial Services, Book Title: Privacy Impact Assessment"},{"issue":"1","key":"key2020100112345020700_ref014","doi-asserted-by":"crossref","first-page":"275","DOI":"10.25300\/MISQ\/2013\/37.1.12","article-title":"Internet privacy concerns: an integrated conceptualization and four empirical studies","volume":"37","year":"2013","journal-title":"MIS Quarterly"},{"volume-title":"Privacy Impact Assessment Handbook","year":"2007","author":"Information Commissioner\u2019s Office (ICO)","key":"key2020100112345020700_ref015"},{"volume-title":"Privacy Impact Assessment Handbook","year":"2009","author":"Information Commissioner\u2019s Office (ICO)","key":"key2020100112345020700_ref016"},{"key":"key2020100112345020700_ref017","unstructured":"Information Commissioner\u2019s Office (ICO) (2014), \u201cConducting privacy impact assessments code of practice\u201d, available at: https:\/\/ico.org.uk\/media\/for-organisations\/documents\/1595\/pia-code-of-practice.pdf"},{"key":"key2020100112345020700_ref018","unstructured":"Information Commissioner\u2019s Office (ICO) (2017), \u201cThe guide to data protection\u201d, available at: https:\/\/ico.org.uk\/media\/for-organisations\/guide-to-data-protection-2-7.pdf"},{"key":"key2020100112345020700_ref019","unstructured":"ISO\/IEC FDIS 29134 (2017), \u201cInformation technology \u2013 security techniques \u2013 privacy 
impact assessment \u2013 guidelines, target publication date: 2017-05-30\u201d, available at: www.iso.org\/iso\/catalogue_detail.htm?csnumber=62289, www.iso.org\/obp\/ui\/#iso:std:iso-iec:29134:dis:ed-1:v1:en"},{"first-page":"219","article-title":"Privacy principles: towards a common privacy audit methodology","year":"2015","key":"key2020100112345020700_ref020"},{"first-page":"151","article-title":"Towards a common security and privacy requirements elicitation methodology","year":"2015","key":"key2020100112345020700_ref021"},{"year":"2019","key":"key2020100112345020700_ref022","article-title":"A proposed privacy impact assessment method using metrics based on organizational characteristics"},{"key":"key2020100112345020700_ref023","unstructured":"OECD (1980), \u201cPrivacy principles, OECD privacy.org\u201d, available at: http:\/\/oecdprivacy.org\/"},{"year":"2012","key":"key2020100112345020700_ref024","article-title":"Privacy-by-design through systematic privacy impact assessment - a design science approach"},{"issue":"2","key":"key2020100112345020700_ref025","first-page":"1","article-title":"A systematic method for privacy impact assessments: a design science approach","volume":"23","year":"2013","journal-title":"European Journal of Information Systems"},{"key":"key2020100112345020700_ref026","unstructured":"Regulation (EU) (2016), \u201c2016\/679 Of the european parliament and of the council, the european parliament and the council of the european union\u201d, available at: http:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32016R0679&qid=1485368166820&from=en"},{"issue":"1-2","key":"key2020100112345020700_ref027","doi-asserted-by":"publisher","first-page":"161","DOI":"10.1080\/13511610.2013.761748","article-title":"Evaluating privacy impact assessments, innovation: the european journal of","volume":"26","year":"2013","journal-title":"Innovation: The European Journal of Social Science 
Research"},{"key":"key2020100112345020700_ref028","unstructured":"Wang, Y. and Kobsa, A. (2008), \u201cPrivacy-Enhancing technologies\u201d, available at: www.cs.cmu.edu\/afs\/cs\/Web\/People\/yangwan1\/papers\/2008-Handbook-LiabSec-AuthorCopy.pdf"},{"journal-title":"Trilateral Research and Consulting","article-title":"Should privacy impact assessments be mandatory?","year":"2009","key":"key2020100112345020700_ref029"},{"issue":"8","key":"key2020100112345020700_ref030","doi-asserted-by":"publisher","DOI":"10.1145\/1978542.1978568","article-title":"Should privacy impact assessments be mandatory?","volume":"54","year":"2011","journal-title":"Communications of the ACM"},{"volume-title":"A Step-by-Step Guide to Privacy Impact Assessment, Second PIAF Workshop","year":"2012","key":"key2020100112345020700_ref031"},{"key":"key2020100112345020700_ref032","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1007\/978-94-007-2543-0_1","article-title":"Chapter 1: Introduction to privacy impact assessment","volume-title":"Privacy Impact Assessment","year":"2012"}],"container-title":["Information &amp; Computer 
Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-01-2020-0007\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-01-2020-0007\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:38Z","timestamp":1753406558000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/28\/4\/503-529\/112467"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,4,21]]},"references-count":32,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2020,4,21]]}},"alternative-id":["10.1108\/ICS-01-2020-0007"],"URL":"https:\/\/doi.org\/10.1108\/ics-01-2020-0007","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"type":"print","value":"2056-4961"},{"type":"print","value":"2056-4961"}],"subject":[],"published":{"date-parts":[[2020,4,21]]}}}