Module 1: Foundational Principles

General Understanding of Privacy Risk Models and Frameworks and their Roles in Laws and Guidance:
• Fair Information Practice Principles (FIPPs) and OECD Principles
• Privacy frameworks (e.g., NIST/NICE, ISO/IEC 27701 and BS 10012 Privacy Information Management System (PIMS))
• Nissenbaum’s Contextual Integrity
• Calo’s Harms Dimensions
• FAIR (Factor Analysis of Information Risk)

General Understanding of Privacy by Design Principles:
• Full Life Cycle Protection
• Embedded into Design
• Full Functionality
• Visibility and Transparency
• Proactive not Reactive
• Privacy by Default
• Respect for Users

General Understanding of Privacy-related Technology Fundamentals:
• Risk concepts (e.g., threats, vulnerability)
• Data/security incidents vs. personal data/privacy breaches
• Privacy and security practices within an organisation
• Understanding how technology supports information governance in an organisation
• External Data Protection and Privacy notices
• Internal Data Protection and Privacy guidelines, policies and procedures
• Third-party contracts and agreements
• Data inventories, classification and records of processing
• Enterprise architecture and data flows, including cross-border transfers
• Data Protection and Privacy impact assessments (DPIA/PIAs)
• Privacy-related Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs)

General Understanding of the Data Life Cycle:
• Collection
• Use
• Disclosure
• Transfer
• Retention
• Destruction
Module 2: Privacy technologist’s role in the organisation

General responsibilities:
• Understanding various roles within the privacy team (e.g., DPO, CPO, legal compliance, security)
• Implementing industry Privacy Standards and Frameworks
• Translating legal and regulatory requirements into practical technical and/or operational solutions
• Consulting on internal privacy notices and external privacy policies
• Consulting on contractual and regulatory requirements

Technical Responsibilities:
• Advising on technology elements of privacy and security practices
• Advising on the privacy implications of new and emerging technologies
• Implementing privacy and security technical measures
• Implementing and developing privacy-enhancing technologies and tools
• Advising on the effective selection and implementation during the acquisition of privacy-impacting products
• Advising on privacy by design and data protection impact assessments in systems development
• Handling individuals’ rights requests (e.g., access, deletion)
• Supporting records of processing activities (RoPA), automation of inventory and data flow mapping
• Reviewing security incidents/investigations and advising on breach notification
• Performing and supporting IT privacy oversights and audits, including 3rd party assessment
• Developing, compiling and reporting Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs)
Module 3: Privacy Risks, Threats and Violations

Data Ethics:
• Legal versus Ethical (e.g., when working with countries that lack privacy laws)
• Moral issues (e.g., accessing personal information through illegal means and using it for personal advantage)
• Societal issues (e.g., manipulating societal conversations and attitudes on controversial topics)
• Bias/discrimination (e.g., incorporating personal preference into data decisions)

During Data Collection:
• Asking individuals to reveal personal information
• Tracking and surveillance (e.g., geo-tagging, geo-social patterns)
• Lack of informed consent
• Automatic collection
• Inaccuracies
• Extracting from publicly available sources
• Jurisdictional implications (e.g., localisation, government access)

During Data Use:
• Insecurity
• Identification and re-identification
• Aggregation
• Secondary Use
• Exclusion
• Profiling

During Data Dissemination:
• Disclosure
• Distortion
• Exposure
• Breach of Confidentiality (personal data breaches)
• Increased accessibility
• Blackmail
• Appropriation

Intrusion, Decisional Interference and Self-Representation:
• Behavioral advertising
• Cyberbullying
• Social engineering
• Blackmail
• Dark patterns

Software Security:
• Vulnerability management
• Intrusion detection and prevention
• Change management (e.g., patches, upgrades)
• Open-source vs Closed-source
• Possible violations by service providers
Module 4: Privacy-Enhancing Strategies, Techniques and Technologies

Data-Oriented Strategies:
• Separate
• Minimise
• Abstract
• Hide

Process-Oriented Strategies:
• Informing the Individual
• User Control
• Policy and Process Enforcement
• Demonstrate Compliance

Techniques:
• Aggregation
• De-identification
• Anonymisation
• Pseudonymisation
• Encryption
• Identity and access management
• Authentication
• Technology implications of Privacy Regulations and Techniques needed for:
  - Processing/verification of Individual Rights Requests (IRR)
  - Ability to record processing activities related to customer data
  - Notice and Consent; obligations management
  - Retention Requirements
  - Privacy Incident Reporting
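The syllabus names the strategies (Hide, Abstract, Minimise) and the techniques (pseudonymisation, aggregation, de-identification) without showing the failure mode a privacy technologist most often has to explain: an unkeyed hash of an identifier is not a safe pseudonym, and generalising quasi-identifiers does not by itself make a release k-anonymous. The Python below is an added example, not part of the syllabus or any IAPP material. The records, guess list, field names and fixed key are constructed for the demonstration; a real deployment generates the key with `secrets.token_bytes(32)` and stores it outside the dataset.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people); field names are this example's own.
RECORDS = [
    {"email": "alice@example.com", "zip": "10001", "age": 34, "dx": "flu"},
    {"email": "bob@example.com",   "zip": "10001", "age": 36, "dx": "cold"},
    {"email": "carol@example.com", "zip": "10002", "age": 52, "dx": "flu"},
    {"email": "dave@example.com",  "zip": "10002", "age": 55, "dx": "flu"},
    {"email": "erin@example.com",  "zip": "94105", "age": 29, "dx": "cold"},
]

# Guess list an attacker might hold (e.g. a leaked customer list). Constructed.
GUESSES = [r["email"] for r in RECORDS] + ["mallory@example.com", "trent@example.com"]

# Controller-held secret for keyed pseudonymisation. Fixed here only so the example
# is reproducible; in practice use secrets.token_bytes(32) and keep it out of the data.
KEY = bytes.fromhex("0f" * 32)


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic, but anyone who can enumerate candidate
    identifiers can rebuild the mapping (see dictionary_attack)."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key the dictionary attack fails;
    with it the controller can still link records, so this is pseudonymisation
    (GDPR Art. 4(5)), not anonymisation."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def dictionary_attack(pseudonyms, guesses):
    """Re-identify pseudonyms by hashing guessed identifiers with the public,
    unkeyed function. Returns {pseudonym: identifier} for every hit."""
    table = {naive_pseudonym(g): g for g in guesses}
    return {p: table[p] for p in pseudonyms if p in table}


def pseudonymise(records, key, field="email"):
    """Replace a direct identifier with its keyed pseudonym (Hide strategy)."""
    return [{**r, field: keyed_pseudonym(r[field], key)} for r in records]


def abstract(records, zip_prefix=3, age_width=10):
    """Generalise quasi-identifiers (Abstract strategy): truncate the postcode and
    bucket the age so individuals fall into larger equivalence classes."""
    out = []
    for r in records:
        lo = r["age"] - r["age"] % age_width
        out.append({**r, "zip": r["zip"][:zip_prefix], "age": f"{lo}-{lo + age_width - 1}"})
    return out


def k_anonymity(records, quasi_identifiers):
    """Size of the smallest equivalence class over the quasi-identifier columns.
    k == 1 means at least one person is unique on those columns."""
    classes = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(classes.values()) if classes else 0


def suppress_below_k(records, quasi_identifiers, k):
    """Drop rows whose equivalence class is smaller than k (Minimise strategy),
    so the released table is k-anonymous on those columns."""
    classes = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return [r for r in records if classes[tuple(r[q] for q in quasi_identifiers)] >= k]


def demo():
    """Run the three steps and return the figures a privacy review would ask for."""
    qi = ("zip", "age")
    weak = [naive_pseudonym(r["email"]) for r in RECORDS]
    strong = [keyed_pseudonym(r["email"], KEY) for r in RECORDS]
    released = suppress_below_k(abstract(pseudonymise(RECORDS, KEY)), qi, 2)
    return {
        "weak_reidentified": len(dictionary_attack(weak, GUESSES)),   # 5: all recovered
        "keyed_reidentified": len(dictionary_attack(strong, GUESSES)),  # 0
        "k_raw": k_anonymity(RECORDS, qi),                  # 1: everyone unique
        "k_abstracted": k_anonymity(abstract(RECORDS), qi),  # 1: one singleton class left
        "k_released": k_anonymity(released, qi),            # 2 after suppression
        "rows_released": len(released),                     # 4 of 5 rows survive
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points the numbers make. Generalisation alone leaves `k_abstracted == 1` because the single "941" postcode is still unique, so an abstraction step needs a measurement and a suppression (or further generalisation) decision after it, which is what a DPIA should record. And the keyed pseudonym only resists the dictionary attack for as long as the key is held separately from the released data; the same key in the same bucket turns it back into the naive case.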
Module 5: Privacy Engineering

The Privacy Engineering role in the organisation:
• Effective Implementation
• Technological Controls
• Protecting Privacy during the Development Lifecycle

Privacy Engineering Objectives:
• Predictability
• Manageability
• Disassociability

Privacy Design Patterns:
• Design patterns to emulate
• Dark patterns to avoid

Privacy Risks in Software:
• Controls and countermeasures
Module 6: Privacy by Design Methodology

The Privacy by Design Process:
• Goal Setting
• Documenting Requirements
• Understanding quality attributes
• Identify information needs
• Privacy risk assessment and analysis
• High-level design
• Low-level design and implementation
• Impose controls
  - Architect
  - Secure
  - Supervise
  - Balance
• Testing and validation

Privacy Interfaces and User Experience:
• Design Effects on User Behaviour
• UX Design and Usability of privacy-related functions
• Privacy Notices, Settings and Consent Management
• Usability Testing

Value Sensitive Design:
• How Design Affects Users
• Strategies for Skillful Practice

Ongoing Vigilance:
• Privacy audits and IT control reviews
• Code reviews
• Code audits
• Runtime behavior monitoring
• Software evolution
• Data cleansing in production and non-production environments
Module 7: Evolving or Emerging Technologies in Privacy

Robotics and the Internet of Things (IoT):
• Mobile phones
• Wearable devices
• Edge Computing
• Smart homes and cities (e.g., CCTV and tracking/surveillance)
• Robots
• Drones

Internet/eCommerce:
• Adtech
• Cookies and other web-tracking technologies
• Alerts and notifications
• Location tracking
• Chatbots
• Online/mobile payments

Biometrics:
• Facial recognition
• Speech recognition
• Fingerprint ID
• Behavioral profiling

Corporate IT Services:
• Shared Data centers
• Cloud-based infrastructure
• Third-party vendor IT solutions
• Remote working
• Video calls and conferencing

Advanced Computing:
• Data Management and Analytics
• Artificial Intelligence
• Quantum computing
• Blockchain
• Cryptocurrencies
• Non-fungible tokens (NFTs)
• Machine and Deep Learning

Social Networks:
• Social media
• Messaging and video calling
• Virtual/Augmented reality