Privacy on the Internet

Professors Stefanos Gritzalis
Christos Xenakis
Course category OPT/SEC
Course ID DS-809
Credits 5
Lecture hours 3 hours
Lab hours 2 hours
Digital resources View on Aristarchus (Open e-Class)

Learning Outcomes

The purpose of the course is to highlight the necessity of a high-level framework, for the protection of personally identifiable information (PII) within information and communication technology (ICT) systems, general in nature, placing organizational, technical, and procedural aspects in an overall privacy framework. The privacy framework, according to ISO/IEC 29100:2011 and ISO/IEC 29101:2018, is intended to support organizations define their privacy safeguarding requirements related to PII within an ICT environment by defining the actors and their roles in processing PII, describing privacy safeguarding requirements, and referencing known privacy principles. According to ISO/IEC 2913:2017, guidelines are providing for conducting a Privacy Impact Assessment (PIA) as an instrument for assessing the potential impacts on privacy of a process, information system, program, software module, device, which processes PII. Privacy-by-Design critical issues are introduced. Moreover, privacy protection issues in cloud environments are described in detail, according to ISO/IEC 27018:2014.

In this context, the learning outcomes of the course, after its successful completion, are that the students will be able:

  • to understand the basic concepts of privacy framework as well as how to recognize and analyze privacy requirements
  • to realize the Privacy-By-Design principle
  • to conduct a study for Privacy Impact Assessment
  • to understand and deal with privacy protection issues in cloud environments.

Course Contents

  • Privacy protection: Technical, legal, regulation, and ethical issues
  • Privacy framework according to ISO/IEC 29100:2011 and ISO/IEC 29101:2018
  • Privacy by Design critical issues
  • Privacy Impact Assessment according to ISO/IEC 29134:2017
  • Privacy protection countermeasures according to ISO/IEC 27701:2019
  • Cloud computing and related Privacy protection issues according to ISO 27018:2014
  • GDPR and ISO 27001 synergies of activities towards organization’s compliance
  • Case study: Privacy in social media

Recommended Readings

  • Lambrinoudakis, L. Mitrou, S. Gritzalis, S. Katsikas (2010), Privacy Protection and Information and Communication Technologies (Eds.), Papasotiriou Pubs. (in Greek)
  • Acquisti, S. Gritzalis, C. Lambrinoudakis, S. De Capitani di Vimercati (Eds) (2008) Digital Privacy, Theory, Technology and Practices, Auerbach Publications.
  • Tamo-Larrieux (2018), Designing for Privacy and its Legal Framework: Data Protection by Design and Default for the Internet of Things, Springer
  • van der Sloot, A. de Groot, (2018) The Handbook of Privacy Studies, Amsterdam University Press
  • ISO/IEC 29100:2011 Information Technology – Security Techniques – Privacy Framework
  • ISO/IEC 29134:2017 Information Technology — Security Techniques — Guidelines for Privacy Impact Assessment
  • ISO/IEC 27701:2019 Information Technology – Security Techniques – Extension to ISO 27002:2013 for Privacy Information Management – Requirements and Guidelines
  • ISO/IEC 27018:2014 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors