Towards Comparing Personal Information Privacy Protection Measures

Abstract: Privacy is a fundamental human right. Data controllers take measures to protect personal information that is processed. Data subjects are interested in the level of protection given to their personal information by data controllers. In determining the level of protection necessary for guarding personal information, an adequate level of protection against unauthorized and accidental activities is a key requirement. This thesis presents the findings of studies conducted on the nature of personal information and the risks of processing personal information. Two surveys were conducted in Sweden and Sri Lanka. Personal interviews and questionnaires with both structured and semi-structured questions were used to collect data. A documentary review was done to study how data protection and privacy commissioners have interpreted the principle of information security safeguards. The findings contribute to the knowledge base; they can subsequently be used for developing a method for comparing different protection levels. In addition to that, one paper in this thesis takes a step toward bridging the knowledge gap between legal privacy advocates and technologists. The list of protection measures can be used to evaluate, improve, and enhance personal information protection measures. Submitted to Stockholm University in partial fulfilment of the requirements for the degree of Licentiate of Philosophy