International Journal of Computer Science Engineering and Information Technology Research (IJCSEITR) ISSN 2249-6831 Vol. 3, Issue 2, Jun 2013, 37-46 © TJPRC Pvt. Ltd.

Ishan Rastogi, Adesh Chandra & Anurag Singh

ABSTRACT

Privacy Impact Assessment is a systematic process for evaluating the possible future effects that a particular activity or proposal may have on an individual's privacy. A PIA permits organizations to design privacy into new systems during the design and development stages, reducing the risk that costly retrofitting of privacy safeguards will be required after implementation. This paper describes the development of a PIA decision support tool for a cloud environment. It discusses an architecture and knowledge representation for the tool, along with the questionnaires for the administrator, stakeholder and customer roles, for deploying the PIA tool in a cloud environment.

KEYWORDS: Cloud Computing, Privacy, Privacy Impact, Privacy Issues

INTRODUCTION

Current cloud services pose an inherent challenge to data privacy because they typically result in data being exposed in an unencrypted form on a machine owned and operated by a different organization from the data owner. Some major privacy issues in the cloud computing environment are:

Lack of user control
Lack of expertise
Potential unauthorized secondary usage
Regulatory complexity
Legal uncertainty [1]

A Privacy Impact Assessment (PIA) is a systematic policy process for identifying, assessing, and mitigating the possible privacy risks that a particular activity or proposal may pose to an individual's privacy. PIAs usually take the form of a series of steps, posing and answering questions and considering options, although they can be very holistic. [2] PIAs vary across jurisdictions, sometimes substantially, and there are many inter-related dimensions. Within different jurisdictions there are different reasons for conducting a PIA, viz. the PIA may be required by legislation, prescribed by binding policy, or recommended by those with legal authority. PIAs can even be conducted in the absence of any level of prescription, based upon self-regulation. The applications of PIA in the public sector differ from those in the private sector as a result of the longer history of regulation within public-sector organizations. Organizations can conduct PIAs themselves or hire someone to do it for them. Some organizations in the UK employ external consultants to carry out the PIA, either because they do not possess the necessary skills in-house or because they wish the PIA to be perceived as being as independent as possible from potential influences within the organization. Security officers have sometimes considered PIAs to be a threat to their expertise, and consequently employees in that position in the organization, or acting as external stakeholders, may be reluctant to engage with an organization conducting a PIA. This stems from a lack of interest, trust, or resources. Commonly, an initial screening exercise is conducted to determine if a PIA should be completed according to the rules or recommendations in the jurisdiction. Two different types of PIA are conducted in all jurisdictions. In the UK, the processes involved in conducting a PIA are:

Initial assessment
Small-scale PIA
Full-scale PIA
Consultation and Analysis
Review and Audit
Privacy Law Compliance Check
Data Protection Compliance Check

PIAs are usually conducted by a senior analyst or manager with on-going programme administration responsibilities. There are a few PIA tools currently available, viz.:

E-learning tool provided by TBS in Canada.
Privacy Threshold Analysis provided by the Department of Homeland Security (DHS), United States of America.
Screening questions to decide whether to go for a small-scale PIA or a full-scale PIA, in the United Kingdom.

All these tools use a decision-tree model for the evaluation process.


Data proliferation, trans-border data flow, dynamic provisioning and virtualization are very important to PIAs in the cloud.

Data movement, governance and accountability for the PIA tool become more complex when it moves onto the cloud and potentially across and between legal jurisdictions.

Virtualization introduces similar concerns due to the separation of the legal entities being assessed from the underlying physical resources.


The tool addresses the complexity of privacy compliance requirements for organizations by highlighting the privacy issues to people within the organization who are not experts in privacy and security, so that they can identify solutions in a given situation.

A Questionnaire Based Tool for Evaluating the Impact of Privacy Decisions in Cloud Computing

User input for the PIA tool contains project information such as project name, organization name, region, brief project description, project lead and contact details. This is followed by a descriptive analysis of the project, such as outlining project documents, identifying stakeholders and identifying early privacy risks, in order to determine if a PIA is required.

The PIA tool provides detailed information about policies in relation to which the project is not compliant or is only partially compliant.

Output for the tool is a report displaying information in several sections: introduction, project and contact details, summary of findings (indicating whether the project was found compliant or not), and details of other compliance/non-compliance issues, such as security, transparency, and transborder data flows.

Recommendations are displayed indicating what the organization must do to resolve these issues. Throughout the report, clear visual indicators are displayed; these indicate the issues that appear to be compliant with the requirements, require further attention, or have failed.

Architecture and Knowledge Representation

The approach for the PIA tool is a decision support system (DSS) based on a type of expert system. The tool has a knowledge base (KB) that is created and updated by privacy experts on an on-going basis. Experts can be within the organization (in-house) or outsourced externally (external consultants). Generic rules for privacy and data protection legislation from a number of jurisdictions are created and entered into the knowledge base by the experts using a specific user interface. The tool supports two types of users: end-users (who fill in the questionnaire) and domain experts (who create and maintain the knowledge base). The tool is developed to support multi-tenancy; it is possible to have different knowledge bases for different departments. The decision-making engine makes inferences by deciding which rules are satisfied by facts or objects, prioritizes the satisfied rules, and executes the rule with the highest priority. The decision-making engine uses two models: forward chaining (data-driven) and backward chaining (goal-driven). In forward chaining, the engine searches the rules until it finds one whose "IF" condition is known to be true. It concludes the "THEN" condition, adds this information to its data, and continues in this way until a goal or conclusion is reached. In backward chaining, the engine searches for the top-level goals, which are possible answers to the problem or potential recommendations.

Cloud Deployment of PIA Tool

While deploying the tool on the cloud, there are three cloud service models to consider:

Software-as-a-Service (SaaS)
Platform-as-a-Service (PaaS)
Infrastructure-as-a-Service (IaaS)

For this tool, SaaS appears to be appropriate. However, there are some common technological challenges with SaaS, like:

User Interface Flexibility
Operational Excellence
Security and Compliance
Costs

Also, since we want our tool to support multi-tenancy, we have several options, including:

Isolated tenancy: tool, databases and infrastructure are isolated and hosted per tenant as separate instances.
Infrastructure tenancy: tool and databases are isolated, although the infrastructure is shared and hosted in a virtual environment.
Application tenancy: tool and infrastructure are shared, databases are isolated.
Shared tenancy: tool, database and infrastructure are all shared.

For our tool, the application multi-tenancy model is more suited because of reasonably low initial costs, high scalability, and the similar nature of the target tenants. Also, since the deployment models (private, public, and community) have different characteristics and different business drivers, the best solution for our PIA tool may be a hybrid solution that involves all three models.

User Interfaces of the PIA Tool

This section briefly describes the appearance and functionality of some of the user interfaces of the PIA tool. The first screen of the tool is a log-in screen. The log-in system admits the different user access modes of the tool (administrator, customer and stakeholder) according to the username and password supplied.

Administrator Mode

An administrator can view the different projects and the customers and stakeholders in a particular project. The administrator can also use some specific utilities that help in maintaining the tool. Projects are listed in a table that displays information including:

The overall status of the project

Project name

Organization name

Contact name

Completion or last-modified date of a project.

Person who completed or modified the project.

Project description

Stakeholder Mode

This mode allows stakeholders to view completed reports for particular projects and also to provide feedback without going through the main questionnaire. To restrict stakeholders to only those database tables where the project name is the same as the stakeholder ID, permissions are set in the database via the "GRANT" option. Organizations can also control permissions and access to reports by allowing only the IP addresses of specific individual or group computers.

An in-depth analysis is provided by the report to help stakeholders and decision makers determine whether a full-scale PIA is required or not. The report gives specific reasons for the current compliance status and also provides advice to the users. Once stakeholders have read a report, they can complete a questionnaire about it.

Customer Mode

The initial screen in the customer mode provides the following options:

To view feedback provided by a stakeholder.
To conduct a new privacy impact assessment.
To edit or modify an existing privacy impact assessment.

The tool provides functionality that allows customers to quit mid-session after answering some questions, with the ability to come back to the same question later. This facility can be very useful in various situations, including:

When there are questions in the questionnaire that take the user a long time to answer.
When there are questions in the questionnaire that a user finds difficult to answer immediately.
When there are questions in the questionnaire that require different users to provide their input, and each user provides different answers to some questions.

Other than these, buttons are present on the navigation bar to provide users with a number of activities and information, including:


PIA Handbooks
UK Legal Topics
European Law
Legal Organizations
Contact Us

At various stages of the assessment, help, current risk status and progress pages appear. Various rules are used by the tool to generate the output results page and an audit trail. The output obtained from the questionnaire is matched against the "THEN" condition of the business rules. Risks are assessed and the output is grouped into characteristics and categories by the code contained in the corresponding action within the rules. After the results page is generated, the PIA tool decides whether a full-scale PIA should continue to the data protection and privacy law compliance checks, or whether the organization should conduct an initial small-scale PIA.

Development Suite and Expert Mode

The development suite for the PIA tool has been modified into an external file so that it can reside outside the infrastructure, on the expert's computer.


Easy access to the internal processes of the PIA tool is incorporated in the development suite. This has been achieved by giving the expert access to the internal "blocks", including:

Logic blocks: blocks made up of rules, which can be defined with the help of tree diagrams or stated as individual rules.
Action blocks: blocks which describe the logic of the PIA tool processes using a spreadsheet-style approach.
Command blocks: blocks which control how the PIA tool operates.

Confidence Variable

The intention is to calculate an overall confidence value for a variable. This confidence variable is the confidence or likelihood that the recommendation or solution provided by the PIA tool for a particular situation is appropriate. Here, the variable is used to measure the probability that the user selects a particular answer in the questionnaire. The value of the confidence variable in the tool is calculated using the sum method, i.e. the single value of the answer to each question is added together; thus, the confidence is increased by positive values and decreased by negative values. The confidence variable is also used to find the project completion status out of three possibilities (high, medium and low), based on a "best fit" strategy. The confidence variable is used in the decision making for a full-scale PIA. If the confidence value assigned to each question is modified to the needs of an organization, the results of the PIA and the report following it will reflect the change. Thus, different knowledge bases can be created for different organizations, with different values for each question and therefore different results and reports.

Decision Making in the Tool

The tool is capable of handling very complex problem-solving tasks that involve probabilistic reasoning and fold together the many factors that lead to a conclusion and recommendation. Such reasoning and decision-making ability in the tool is achieved by the Inference Engine (IE). The Inference Engine utilizes the "backward chaining" method to determine what is required to meet a particular goal. This includes determining when that goal is met, or whether that goal cannot be met. The Inference Engine also uses the "forward chaining" method, wherein the required data is already present within the logic of the rules. Here, the rules are sequentially tested to find out what conclusions result.
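Putting the confidence variable and the two chaining modes described above together, here is an added example (not the authors' code) of a miniature rule engine of the kind the paper describes. The rule set, the signed confidence weights, the best-fit anchors for high/medium/low, the two projects' questionnaire answers and the threshold that sends a project to a full-scale PIA are all constructed assumptions.

```python
# Added example (not the authors' code): a miniature of the PIA tool's
# decision engine. Rules, weights, anchors and sample answers are constructed.
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Dict[str, object]], bool]  # IF part, over the facts
    action: Tuple[str, object]  # THEN part: (fact to assert, value)
    confidence: int             # signed contribution to the confidence sum
    category: str               # code used to group findings in the report

# Rules in the spirit of the tool's security/transparency/transborder categories
RULES: List[Rule] = [
    Rule("sensitive_data", lambda f: f.get("stores_sensitive_data") is True,
         ("risk_sensitive", True), -3, "security"),
    Rule("encrypted_at_rest", lambda f: f.get("encryption_at_rest") is True,
         ("control_encryption", True), +2, "security"),
    Rule("transborder", lambda f: f.get("data_leaves_jurisdiction") is True,
         ("risk_transborder", True), -2, "transborder"),
    Rule("privacy_notice", lambda f: f.get("privacy_notice_published") is True,
         ("control_notice", True), +1, "transparency"),
    # Chained rule: its IF only holds after another rule has asserted risk_sensitive
    Rule("sensitive_unencrypted", lambda f: f.get("risk_sensitive") is True
         and f.get("encryption_at_rest") is not True,
         ("risk_sensitive_unencrypted", True), -4, "security"),
]
STATUS_ANCHORS = {"high": 3, "medium": 0, "low": -6}  # best-fit targets

# Questionnaire answers for two hypothetical projects
PROJECT_A = {"stores_sensitive_data": True, "encryption_at_rest": False,
             "data_leaves_jurisdiction": True, "privacy_notice_published": True}
PROJECT_B = dict(PROJECT_A, encryption_at_rest=True, data_leaves_jurisdiction=False)

def forward_chain(answers, rules=RULES):
    """Data-driven pass: returns (facts, audit trail, confidence sum).
    The priority of a satisfied rule is the size of its confidence value."""
    facts, fired, trail, confidence = dict(answers), set(), [], 0
    while True:
        ready = [r for r in rules if r.name not in fired and r.condition(facts)]
        if not ready:
            return facts, trail, confidence
        rule = max(ready, key=lambda r: abs(r.confidence))  # highest priority
        facts[rule.action[0]] = rule.action[1]              # assert the THEN fact
        confidence += rule.confidence                       # sum method
        fired.add(rule.name)
        trail.append((rule.name, rule.category, rule.confidence))

def best_fit_status(confidence):
    """Best-fit strategy: the status whose anchor lies nearest to the sum."""
    return min(STATUS_ANCHORS, key=lambda s: abs(STATUS_ANCHORS[s] - confidence))

def derive(goal, answers, rules=RULES):
    """Goal-driven pass: full_scale_pia needs status, which needs confidence."""
    if goal == "confidence":
        return forward_chain(answers, rules)[2]
    if goal == "status":
        return best_fit_status(derive("confidence", answers, rules))
    if goal == "full_scale_pia":  # decision rule: a 'low' status needs full-scale
        return derive("status", answers, rules) == "low"
    raise KeyError(goal)

def reweight(rules, weights):  # another organization's knowledge base
    return [replace(r, confidence=weights.get(r.name, r.confidence)) for r in rules]
```

Each entry of the audit trail carries the rule's category code, which is what the report groups findings by; reweight() is the per-organization knowledge base the paper describes, so the same answers can land in a different status and a different decision.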
The tool uses a combination of backward and forward chaining. The forward chaining method is used to run the top-level rules and the backward chaining method is used for deriving the needed values from other rule modules, like the confidence variable.

Sensitive Data in the Cloud and the PIA Tool

This section discusses sensitive data storage in the cloud and how the PIA tool may help in minimizing the risk.

Sensitive data includes a wide range of information: political opinion, race, ethnicity, mental or physical health details, religious beliefs, criminal or civil offences, memberships, and also any personally identifiable information that may relate to customer and contact details. The input to the PIA tool includes the project lead name, contact name, stakeholder details and telephone number. However, if an organization wishes, it may leave out this information at the time of registration by simply omitting the variables. To protect the sensitive data, the PIA tool can make use of a network device known as a Cloud Storage Gateway (CSG). A Cloud Storage Gateway is used to provide encryption, authentication and authorization. It is a server which resides on the customer's premises and exposes cloud storage services as if they were local storage devices. Another reason for using a cloud storage gateway for the PIA tool is to be able to update, at any time, the main files of the PIA tool which are stored in the cloud. Many cloud storage gateways also facilitate the use of encryption whereby the gateway has no access to customer data, since the encryption and decryption process takes place at the user site. The data at rest used by the PIA tool cannot generally be encrypted, as encryption limits data usage.

DEVELOPMENT METHODOLOGY FOR THE PIA TOOL IN CLOUD COMPUTING

This section discusses the methodology used for software development, data collection and analysis, modelling and results for the PIA tool. Requirement gathering for the tool is done using the MoSCoW rules. The Dynamic Systems Development Method (DSDM) framework is chosen as the software methodology for the development of the PIA tool. The main reason for choosing this method over the traditional "Waterfall" method is that the DSDM framework provides a flexible but controlled process which can be used to deliver solutions when project timelines are tight.

Data Collection, Data Analysis and Findings

This section considers data collection and analysis and provides a summary of findings on the PIA tool's requirements. Before the collection of any data, the MoSCoW values were set to these agreed-upon values:

Must have: 4 points
Should have: 3 points
Could have: 2 points
Won't have: 1 point

The collection of data consists of a questionnaire which is used to extract the emotional opinions about privacy, privacy impact assessments and the requirements for the tool from the target audience. The analysis of the raw data shows a significant difference in the opinions and perspectives on the discussed topics between the interested parties.


Conversion of raw data into requirements is done with the help of MoSCoW. Also, correlation techniques like pattern matching are applied to find similar stakeholder words and phrases.

User Requirements Modelling for the PIA Tool

This section discusses the modelling of user requirements for the PIA tool with the help of a use-case diagram and an activity diagram.

Figure 1: Use-Case Diagram for the Project Information Interface

Figure 2: Activity Diagram for the Project Name Use-Case

Validation of the PIA Tool

Testing and validation of a tool are essential, as they provide quality assurance, reliability estimation, validation and verification. The PIA tool is tested by automating a very large number of tests, including various warning tests to check for certain specific issues in the system. Any warnings, errors or problems generated are detected and logged in a file.

RELATED WORK

Accountability as a way forward for privacy protection in the cloud is considered by Pearson and Charlesworth. Obfuscation as a first line of defence is described by Pearson et al.



Hewlett-Packard’s Privacy Advisor (HPPA) is an expert system that captures data about business processes to determine their privacy compliance.


Conducting a round of stakeholder meetings that includes a presentation of the working tool.
Developing the tool further, to include all necessary and preferable requirements.
Considering a cloud storage gateway provider.

CONCLUSIONS

The tool addresses the inherent complexity and helps both expert and non-expert end users with identifying and addressing privacy requirements for a given context. If the PIA tool is itself used as a SaaS application, regulatory issues can be involved.


REFERENCES

Pearson, S. (2012). Privacy, Security and Trust in Cloud Computing. Privacy and Security for Cloud Computing, 3-42.

Tancock, D., Pearson, S., & Charlesworth, A. (2010, November). A privacy impact assessment tool for cloud computing. In Cloud Computing Technology and Science (CloudCom), 2010 IEEE Second International Conference on (pp. 667-676). IEEE.


Ishan Rastogi completed his B.Tech in Computer Science and Engineering from Jaypee Institute of Information Technology, Noida in 2011. He is currently pursuing an M.S in Cyber Law and Information Security from Indian Institute of Information Technology, Allahabad. He is an EC Council Certified Ethical Hacker v6, a CISCO Certified Network Associate and a Microsoft Certified Professional. He secured 10th Rank in ACM ICPC Kanpur Gwalior Regionals 2009. His areas of interest are Cloud Computing, Cryptography and Cyber Forensics.

Adesh Chandra completed his B.Tech in Information Technology from Dr. K. N. Modi Institute of Engineering and Technology, Ghaziabad in 2011. He is currently pursuing an M.S in Cyber Law and Information Security from Indian Institute of Information Technology, Allahabad. His areas of interest are Risk Management, ITIL and Computer Networks.

Anurag Singh completed his B.Tech in Information Technology from Dr. Ram Manohar Lohia Avadh University, Faizabad in 2011. He is currently pursuing an M.S in Cyber Law and Information Security from Indian Institute of Information Technology, Allahabad. His areas of interest are Risk Management, ISO, PCI-DSS & Knowledge Base.
