Modern organizations, such as businesses, non-profits, government agencies, and universities, collect and use personal information from a range of sources, shared with specific expectations about how it will be managed and used. Accordingly, they must find ways to comply with these expectations, which may be complex and varied, as well as with relevant privacy laws and regulations, while minimizing operational risk and carrying out the core functions of the organization efficiently and effectively. Designing organizational processes to manage personal information is one of the greatest challenges facing organizations (see, e.g., a recent survey by Deloitte and the Ponemon Institute [TI07]), with far-reaching implications for every individual whose personal information is available to modern organizations, i.e., all of us.

This project responds to these challenges by developing methods, algorithms, and prototype tools for integrating privacy, compliance, and risk evaluation into complex organizational processes. It explores, articulates, and formally characterizes the scope and nature of the privacy expectations of stakeholders as well as those of key regulations, such as HIPAA, GLBA, COPPA, BASEL 2, and Sarbanes-Oxley (SOX). It incorporates the diverse perspectives and areas of expertise of its multidisciplinary research team, which includes three computer scientists, one philosopher, and collaborating researchers from IBM. This industry connection facilitates interaction with product teams that have served complex organizations concerned with business process integrity, information security, privacy, and information risk management. The research builds on "contextual integrity" (a philosophical account of privacy) as well as language- and risk-based methods for privacy policy specification and enforcement. Extensive training and educational opportunities are provided to undergraduate and graduate students, and research results are integrated into courses at CMU, NYU, Stanford, and UPenn.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Application #: 0831199
Program Officer: Jeremy Epstein
Budget Start: 2008-09-01
Budget End: 2014-08-31
Fiscal Year: 2008
Total Cost: $250,000
Name: Stanford University
City: Palo Alto
State: CA
Country: United States
Zip Code: 94304