{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,14]],"date-time":"2026-03-14T06:21:36Z","timestamp":1773469296949,"version":"3.50.1"},"reference-count":44,"publisher":"Emerald","issue":"5","license":[{"start":{"date-parts":[[2019,11,11]],"date-time":"2019-11-11T00:00:00Z","timestamp":1573430400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2019,11,11]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>The enforcement of the General Data Protection Regulation imposes specific privacy- and -security related requirements that any organisation that processes European Union citizens\u2019 personal data must comply with. The application of privacy- and security-by-design principles are assisting organisation in achieving compliance with the Regulation. The purpose of this study is to assist data controllers in their effort to achieve compliance with the new Regulation, by proposing the adoption of the privacy level agreement (PLA). A PLA is considered as a formal way for the data controllers and the data subjects to mutually agree the privacy settings of a service provisioned. A PLA supports privacy management, by analysing privacy threats, vulnerabilities and information systems\u2019 trust relationships.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>However, the concept of PLA has only been proposed on a theoretical level. To this aim, two different domains have been selected acting as real-life case studies, the public administration and the health care, where special categories of personal data are processed.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The results of the evaluation of the adoption of the PLA by the data controllers are positive. Furthermore, they indicate that the adoption of such an agreement facilitates data controllers in demonstrating transparency of their processes. Regarding data subjects, the evaluation process revealed that the use of the PLA increases trust levels on data controllers.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This paper proposes a novel reference architecture to enable PLA management in practice and reports on the application and evaluation of PLA management.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-04-2019-0052","type":"journal-article","created":{"date-parts":[[2019,8,28]],"date-time":"2019-08-28T11:11:55Z","timestamp":1566990715000},"page":"711-730","source":"Crossref","is-referenced-by-count":5,"title":["Practical evaluation of a reference architecture for the management of privacy level agreements"],"prefix":"10.1108","volume":"27","author":[{"given":"Vasiliki","family":"Diamantopoulou","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Haralambos","family":"Mouratidis","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2020040109443216600_ref001","first-page":"80","article-title":"Supporting the security certification and privacy level agreements in the context of clouds","volume-title":"International Symposium on Business Modeling and Software Design","year":"2015"},{"key":"key2020040109443216600_ref002","unstructured":"Ahmed, N. and Matulevicius, R. (2014), \u201cA method for eliciting security requirements from the business process models\u201d, In CAiSE (Forum\/Doctoral Consortium), pp. 57-64."},{"key":"key2020040109443216600_ref003","first-page":"94","volume-title":"The LION Way. Machine Learning plus Intelligent Optimization","year":"2014"},{"issue":"1","key":"key2020040109443216600_ref004","first-page":"91","article-title":"Trust and public administration","volume":"60","year":"2012","journal-title":"Nispacee Journal of Public Administration and Policy"},{"key":"key2020040109443216600_ref005","first-page":"169","article-title":"Specification of service level agreements, clarifying concepts on the basis of practical research","year":"1999"},{"key":"key2020040109443216600_ref006","first-page":"81","article-title":"Towards a modeling and analysis framework for privacy-aware systems","volume-title":"Privacy, Security, Risk and Trust (PASSAT), 2012 International Conference on Privacy, Security, Risk and Trust and 2012 International Conference on Social Computing (SocialCom)","year":"2012"},{"issue":"3","key":"key2020040109443216600_ref007","doi-asserted-by":"crossref","first-page":"319","DOI":"10.2307\/249008","article-title":"Perceived usefulness, perceived ease of use, and user acceptance of information technology","volume":"13","year":"1989","journal-title":"MIS Quarterly"},{"issue":"1","key":"key2020040109443216600_ref008","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1007\/s00766-010-0115-7","article-title":"A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements","volume":"16","year":"2011","journal-title":"Requirements Engineering"},{"key":"key2020040109443216600_ref009","first-page":"422","article-title":"Towards a formalised representation for the technical enforcement of privacy level agreements","volume-title":"Cloud Engineering (IC2E), 2015 IEEE International Conference","year":"2015"},{"key":"key2020040109443216600_ref010","volume-title":"Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union","author":"Cloud Security Alliance, Privacy Level Agreement Working Group (CSA)","year":"2013"},{"key":"key2020040109443216600_ref011","first-page":"285","article-title":"A metamodel for GDPR-based privacy level agreements","year":"2017","journal-title":"In ER Forum\/Demos"},{"key":"key2020040109443216600_ref012","first-page":"491","article-title":"Supporting privacy by design using privacy process patterns","volume-title":"IFIP International Conference on ICT Systems Security and Privacy Protection","year":"2017"},{"key":"key2020040109443216600_ref013","first-page":"97","article-title":"Privacy level agreements for public administration information systems","volume-title":"Proceedings of the CAiSE Forum 2017 29th International Conference on Advanced Information Systems Engineering","year":"2017"},{"issue":"2","key":"key2020040109443216600_ref014","doi-asserted-by":"crossref","first-page":"101","DOI":"10.1504\/IJEG.2013.058361","article-title":"Employing privacy policies and preferences in modern e\u2013government environments","volume":"6","year":"2013","journal-title":"International Journal of Electronic Governance"},{"key":"key2020040109443216600_ref015","unstructured":"European Commission (2015), Eurobarometer 431 \u2013 Data Protection Report. Technical report (2015), available at: http:\/\/ec.europa.eu\/commfrontoffice\/publicopinion\/archives\/ebs\/ebs_431_sum_en.pdf (accessed 25 April 2019)."},{"key":"key2020040109443216600_ref016","unstructured":"European Commission (2002), Directive 2002\/58\/EC of the European Parliament and of the Council URL: http:\/\/ec.europa.eu\/justice\/data-protection\/law\/files\/recast_20091219_en.pdf (visited on 23\/05\/2018)."},{"key":"key2020040109443216600_ref017","unstructured":"European Commission: Directive 95\/46\/EC of the European Parliament and of the Council (1995), available at: http:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX (accessed 23Janauary 2019)."},{"key":"key2020040109443216600_ref018","unstructured":"European Commission: Proposal for a regulation of the European Parliament and of the Council (2012), available at: http:\/\/eur-lex.europa.eu\/legal-content\/en\/ALL\/?uri=CELEX:52012PC0011 (accessed 23 Janauary 2019)."},{"key":"key2020040109443216600_ref019","unstructured":"European Parliament: Regulation (EU) 2016\/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EU (GDPR) (2016), available at: http:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32016R0679&from=en31995L0046 (accessed 23 May 2018)."},{"key":"key2020040109443216600_ref020","first-page":"5","article-title":"Functional requirements under security pressure","volume-title":"9th International Conference on Software Paradigm Trends (ICSOFT-PT)","year":"2014"},{"key":"key2020040109443216600_ref021","first-page":"311","article-title":"Problem-based security requirements elicitation and refinement with pressure","volume-title":"International Conference on Software Technologies","year":"2014"},{"issue":"1","key":"key2020040109443216600_ref022","doi-asserted-by":"crossref","first-page":"52","DOI":"10.1109\/TSC.2016.2593925","article-title":"Modeling service level agreements with linked USDL agreement","volume":"10","year":"2017","journal-title":"IEEE Transactions on Services Computing"},{"key":"key2020040109443216600_ref023","doi-asserted-by":"crossref","first-page":"256","DOI":"10.1109\/RE.2016.13","article-title":"Privacy requirements: findings and lessons learned in developing a privacy platform","volume-title":"2016 IEEE 24th International Requirements Engineering Conference (RE)","year":"2016"},{"key":"key2020040109443216600_ref024","volume-title":"Understanding e-Government: Information Systems in Public Administration","year":"2008"},{"key":"key2020040109443216600_ref025","first-page":"412","article-title":"UMLsec: Extending UML for secure systems development","volume-title":"International Conference on The Unified Modeling Language","year":"2002"},{"issue":"3","key":"key2020040109443216600_ref026","doi-asserted-by":"crossref","first-page":"241","DOI":"10.1007\/s00766-008-0067-3","article-title":"Addressing privacy requirements in system design: the PriS method","volume":"13","year":"2008","journal-title":"Requirements Engineering"},{"issue":"1","key":"key2020040109443216600_ref027","doi-asserted-by":"crossref","first-page":"57","DOI":"10.1023\/A:1022445108617","article-title":"The WSLA framework: specifying and monitoring service level agreements for web services","volume":"11","year":"2003","journal-title":"Journal of Network and Systems Management"},{"key":"key2020040109443216600_ref028","first-page":"13","article-title":"The governance of cyberspace","volume-title":"The Governance of Cyberspace","year":"2003"},{"key":"key2020040109443216600_ref029","first-page":"1","volume-title":"Security Quality Requirements Engineering (SQUARE) Methodology","year":"2005"},{"issue":"2","key":"key2020040109443216600_ref030","doi-asserted-by":"crossref","first-page":"1742003","DOI":"10.1142\/S0218843017420035","article-title":"rSLA: an approach for managing service level agreements in cloud environments","volume":"26","year":"2017","journal-title":"International Journal of Cooperative Information Systems"},{"key":"key2020040109443216600_ref031","first-page":"357","article-title":"Security requirements engineering for cloud computing: the secure tropos approach","volume-title":"Domain-Specific Conceptual Modelling","year":"2016"},{"key":"key2020040109443216600_ref032","unstructured":"Obama, B. (2011), \u201cTransparency and open government\u201d, Presidential Memorandum, available at: www.whitehouse.gov\/thepress-office\/transparency-and-open-government (accessed 21 January 2012)."},{"key":"key2020040109443216600_ref033","first-page":"1","article-title":"Towards the design of usable privacy by design methodologies","year":"2018"},{"issue":"1","key":"key2020040109443216600_ref034","doi-asserted-by":"crossref","first-page":"25","DOI":"10.4018\/ijismd.2014010102","article-title":"Modeling trust relationships for developing trustworthy information systems","volume":"5","year":"2014","journal-title":"International Journal of Information System Modeling and Design ( Design)"},{"key":"key2020040109443216600_ref035","unstructured":"Platform for Privacy Preferences (P3P) Project (2016), available at: www.w3.org\/P3P\/ (accessed 23 May 2018)."},{"key":"key2020040109443216600_ref036","first-page":"341","article-title":"Model oriented security requirements engineering (MOSRE) framework for web applications","volume-title":"Advances in Computing and Information Technology","year":"2013"},{"key":"key2020040109443216600_ref037","first-page":"155","article-title":"Maintaining secure business processes in light of socio-technical systems' evolution","volume-title":"Requirements Engineering Conference Workshops (REW)","year":"2016"},{"key":"key2020040109443216600_ref038","first-page":"205","volume-title":"STS-Tool 3.0: Maintaining Security in Socio-Technical Systems","year":"2015"},{"key":"key2020040109443216600_ref039","first-page":"82","article-title":"A systematic literature review of interoperable architecture for e-government portals","volume-title":"Software Engineering (MySEC), 2011 5th Malaysian Conference","year":"2011"},{"issue":"1","key":"key2020040109443216600_ref040","doi-asserted-by":"crossref","first-page":"67","DOI":"10.1109\/TSE.2008.88","article-title":"Engineering privacy","volume":"35","year":"2009","journal-title":"IEEE Transactions on Software Engineering"},{"key":"key2020040109443216600_ref041","doi-asserted-by":"crossref","first-page":"2805","DOI":"10.4018\/978-1-59904-947-2.ch210","article-title":"Online one-stop government: a single point of access to public services","volume-title":"Electronic Government: Concepts, Methodologies, Tools, and Applications","year":"2008"},{"issue":"2","key":"key2020040109443216600_ref042","doi-asserted-by":"crossref","first-page":"186","DOI":"10.1287\/mnsc.46.2.186.11926","article-title":"A theoretical extension of the technology acceptance model: Four longitudinal field studies","volume":"46","year":"2000","journal-title":"Management Science"},{"key":"key2020040109443216600_ref043","unstructured":"Vision privacy platform (2016), availbale at: www.visioneuproject.eu\/ (accessed 23 May 2018)."},{"issue":"1","key":"key2020040109443216600_ref044","article-title":"Case study as a research method","volume":"5","year":"2007","journal-title":"Jurnal Kemanusiaan"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-04-2019-0052\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-04-2019-0052\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:52Z","timestamp":1753406572000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/27\/5\/711-730\/108993"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,11,11]]},"references-count":44,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2019,11,11]]}},"alternative-id":["10.1108\/ICS-04-2019-0052"],"URL":"https:\/\/doi.org\/10.1108\/ics-04-2019-0052","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2019,11,11]]}}}