How to handle privacy issues in IT projects
By Sieuwert van Otterloo
New privacy laws have made it mandatory to consider privacy issues in any IT project. In this blog post we give several examples of hidden privacy issues in software projects and explain how a project manager can handle them.
Examples of hidden privacy issues
The following examples were taken from student projects in our course on software project management. In this course, small groups of students work on a project plan for a project of their own choice. We did not ask the students to come up with problematic ideas. All issues came up naturally, due to the desire of the students to do something interesting with data.
A smart watch for the elderly
Elderly people with dementia often lose track of where they are. A smart watch can offer a number of helpful features by tracking the wearer's location and giving directions. However, it is also a potential invasion of the elderly person's privacy. Examples of privacy concerns are:
- User consent. One needs informed user consent to collect data, but in the case of an elderly person with severe dementia it is not clear who should consent. Is the person themselves capable of deciding? Can the personnel of the care home decide to use the watch? Or should the family of the person sign for approval?
- Long-term storage. In order to provide the core service it is not necessary to store the past locations of each user, but the team might want to store this data in order to improve the product later on.
Children’s playground app
It is healthy for children aged 6 to 12 to play outside. This project team created an app that asks children to play games outside. Whether this app has any privacy issues depends on the app architecture. If the app is purely local and does not use any backend, there are no privacy issues: all data stays in the app and under the full control of the user.
If there is a backend, there are privacy risks that need to be addressed.
- If the app allows children to create profiles with names or even photos, this profile information is personal data and is regulated by privacy laws.
- It gets even more complicated if data about the number of plays or high scores is stored in the cloud. The fact that certain children are very inactive or not good at certain games is potentially medical information, and would be extra sensitive.
Good security is a must in this case and there should be ways for people to opt out of data collection and to delete their data if they stop using the app.
Clothing delivery
Faster delivery is important for many products and services, including clothing. Users can order clothes via an app and they are delivered straight away by courier. The project plan already has security aspects covered, since the app handles payments. There are, however, also privacy concerns, since you need to handle detailed size and location information for users. Both the size measurements and the exact delivery locations (presumably work addresses) are personal data.
The Privacy Impact Assessment
The best way to address privacy issues in software projects is by making them explicit and planning steps to handle privacy throughout the project. From a project management perspective, including a privacy impact assessment in the project plan is the most important step. The Privacy Impact Assessment or PIA is an official scan to determine whether a project contains changes in the way personal data is handled. The PIA should be conducted after some design work has been completed and before a first release can be tested.
After the Privacy Impact Assessment
Based on the privacy impact assessment, you should plan suitable steps to ensure privacy is protected at all times. Some of the steps become part of the project plan. Other steps are recurring activities for the organisation. We cannot list all the steps here since they depend on the project. To give you some idea, we have listed a few typical steps. For some projects (e.g. a small app) only a few steps are needed and each step is only a small effort. For very sensitive projects (e.g. handling medical data) much more effort is required.
- Design review. If a project involves personal data, it is mandatory to apply privacy and security by design. You should review the design to check that it protects the privacy of users and minimizes privacy invasions from the user's perspective.
- Security requirements and testing. Good security is important to prevent unintended leaks of private information. You should explicitly test the security of any application before go-live and also regularly after go-live.
- Create terms and conditions and privacy statement. Users must be informed and give consent for any handling of their private data. By creating terms and conditions and a privacy statement you make sure that users are informed correctly.
- Create insight and opt-out options. Users have a right to request which data you are collecting and to have their data removed when it is no longer relevant. You must either support this as self-service in software, or provide a manual process to handle such requests.
- Make sure there is a process for reporting data breaches. This is a legal requirement for any organisation handling personal data.
People to involve
The best way for a project manager to get privacy right is to make sure the right people are involved early on. As we explained in our post ‘there are no IT projects’, communication is key. You should start communicating with the rest of the organisation early to avoid risks. The following people are typically involved in creating the privacy impact assessment: the project team (including the developers, designers and testers), in-house legal experts, security officers and privacy officers, and possibly external privacy experts.
Further information
In some countries the government has provided additional information on the privacy impact assessment: there is the New Zealand PIA handbook (note 01-2023: this handbook is no longer available) and a website made by Hugo Leisink, in Dutch.
This article is part of a series that accompanies the university course on software project management by Joost Schalken, Jeroen Arnoldus and Sieuwert van Otterloo. The series consists of (1) creating a vision, (2) project scope, (3) managing non-functional requirements, (4) effort estimation, (5) planning and scheduling, (6) organisational change, (7) risk management, (8) Privacy Impact Analysis, (9) financial project metrics and (10) recommended project management books and articles.
For more articles about privacy, visit our page with all privacy articles.
Image credit: Rob Sarmiento via Unsplash
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.