The Ultimate Guide to Drafting Your Separation Agreement with a Template
From Law to Code: Translating Legal Principles into Digital Rules
1. From Law to Code:
Translating Legal Principles into Digital
Rules
Michael Lang and Rónán
Kennedy
National University of Ireland, Galway
michael.lang@nuigalway.ie
Image: Karl-Ludwig Poggemann,
https://www.flickr.com/photos/hinkelstone/
2. Privacy: Gathering Insights from Lawyers and Technologists
Maynooth University, July 1, 2015
Overview
• Public perceptions of the ‘Right to be Forgotten’
• Implementation challenges
• Privacy in security policy implementation
• Privacy in requirements analysis and design
2
3. Privacy: Gathering Insights from Lawyers and Technologists
Maynooth University, July 1, 2015
Public Perceptions of the
‘Right to be Forgotten’
• Survey conducted by Clare Doherty & Michael
Lang (NUIG), Autumn 2013
Objective: obtain a sense of how people feel about the
proposed right to be forgotten and how it might be
implemented
• Respondent profile
260 respondents
Ranged in age from 17 to 61, mean of 29 years
14 different counties (Ireland 82%, Others 18%)
Employed persons 74%, Students 17%, Others 9%
3
4. Privacy: Gathering Insights from Lawyers and Technologists
Maynooth University, July 1, 2015
Do you know what your privacy
rights are?
5. Privacy: Gathering Insights from Lawyers and Technologists
Maynooth University, July 1, 2015
Are existing controls effective
against on-line reputational
damage?
6. Privacy: Gathering Insights from Lawyers and Technologists
Maynooth University, July 1, 2015
Are you in favour of “right to be
forgotten” becoming law?
7. Privacy: Gathering Insights from Lawyers and Technologists
Maynooth University, July 1, 2015
What type of information
should you have right to
erase?
8. Privacy: Gathering Insights from Lawyers and Technologists
Maynooth University, July 1, 2015
Implementation
Challenges
• Legal rules:
• Flexible, deliberately unclear, contested,
malleable
• Digital:
• Rigid, clearly defined in advance, strictly
operationalised, difficult to change
8
9. Privacy: Gathering Insights from Lawyers and Technologists
Maynooth University, July 1, 2015
ICT and
Legal Processes
Legal processes neither simple nor linear
Not easily modelled by logic or expert systems
Risk of destructive feedback cycle
ICT as embedded and entrenched infrastructure
9
10. Privacy: Gathering Insights from Lawyers and Technologists
Maynooth University, July 1, 2015
Translating Legal
Principles into Digital
Rules
Dangers of digital decision-making
Closed, inflexible, unaccountable systems
Containing assumptions, biases, mistakes
Formalising practices and knowledge is difficult
Need to ‘Get It Right First Time’
10
11. Privacy: Gathering Insights from Lawyers and Technologists
Maynooth University, July 1, 2015
“Privacy” in IS Security
Risk Management
• Information systems risk management strategies
are based on rational process:
What is likelihood of something going wrong?
What is the severity: loss of life? loss of money?
loss of reputation?
Cost-benefit analysis
• So, … do organisations really care about
safeguarding privacy? Or is it worth taking a risk?
11
12. Privacy: Gathering Insights from Lawyers and Technologists
Maynooth University, July 1, 2015
Information Systems
Development:
The Importance of “Clear”
Requirements• ISD Project Management: time / cost / quality challenge
(“software crisis” conundrum)
• “In nearly every software project that fails to meet
performance and cost goals, requirements inadequacies
play a major and expensive role in project failure” (Alford &
Lawson, 1979)
• “The hardest single part of building a software system is
deciding precisely what to build. No other part of the
conceptual work is as difficult as establishing the detailed
technical requirements ... No other part of the work so
cripples the resulting system if done wrong.” (Brooks, 1987)
12
13. Privacy: Gathering Insights from Lawyers and Technologists
Maynooth University, July 1, 2015 13
Getting the Requirements
“Right”
14. Privacy: Gathering Insights from Lawyers and Technologists
Maynooth University, July 1, 2015
Getting the Requirements
Right:
What Does “Privacy”
Mean ?
14
15. Privacy: Gathering Insights from Lawyers and Technologists
Maynooth University, July 1, 2015
Privacy as a
“Requirement”• Information systems developers don’t deal with
laws, principles, rights, etc.
• They deal with “requirements”: clear, complete,
consistent specifications of the behaviour of a
system
Requirements definition: procedural logic,
data attributes
Requirements prioritisation: feasibility, cost,
“must have” versus “nice-to-have”
15
16. Privacy: Gathering Insights from Lawyers and Technologists
Maynooth University, July 1, 2015
“Privacy by Design”
• Privacy by Design: vague set of principles
No methodological guidance: how do systems
developers build privacy into design process?
• Privacy by Re-Design: retro-fitting existing systems
Very expensive
Computers are designed to share, retain, index, and
analyse information … They are not designed to
“forget”. Even “erasure” is not straightforward.
17. Privacy: Gathering Insights from Lawyers and Technologists
Maynooth University, July 1, 2015
Over to you …
• Michael Lang1
& Rónán Kennedy2
, NUI Galway
• 1. School of Business & Economics, NUI Galway
Michael.Lang@nuigalway.ie
• 2. School of Law, NUI Galway
Ronan.M.Kennedy@nuigalway.ie
17