Contextual Privacy by Design (CPbD): Exploring how privacy norms emerge during the appropriation of digital health technologies.
Timothy Kariotis1,2
1 Melbourne Law School, Carlton, Victoria, Australia
2 Faculty of Engineering and Information Technology, Carlton, Victoria, Australia
Abstract
Privacy by design (PbD) has been defined as the proactive consideration of privacy throughout the design of technology. However, though PbD captures legal conceptualisations of privacy, it may not respond to people’s privacy expectations and experiences. There is growing recognition of the social nature and contextual implications of privacy, in that privacy is experienced and evolves out of specific contexts and that people’s privacy expectations may not always align with legal definitions. The theory of contextual integrity captures this idea of privacy expectations by defining privacy as the appropriate flow of information in a specific context. The appropriate flow of information is understood as being related to context-specific informational norms, known as privacy norms. Contextual integrity provides a way to evaluate whether technology will breach context-specific information norms. This presentation takes the analytical and evaluative power of contextual integrity to develop a design framework that can be used to consider privacy expectations in the design of new technologies and socio-technical systems. Theories of technology appropriation are used to consider how new privacy norms may arise through the design and implementation of technology and how these may conflict with norms and values designed into the technology. A conceptual framework is proposed and applied to the design of electronic health records (EHRs) in mental health contexts. Findings from a recent scoping review are utilised to explore how privacy norms designed into EHRs conflict with established privacy norms. This conflict leads to new information norms, which may undermine the EHR’s value while raising new privacy risks. Designers and change managers can utilise the framework to make explicit the designed-in norms of EHRs and manage the emergence of new privacy norms.
Biography
Timothy Kariotis is a Lecturer in Digital Government and PhD Candidate in Digital Health at the University of Melbourne. His research explores how new technologies impact people’s information experiences.