Privacy in information technology: Designing to enable privacy policy management in organizations

As information technology continues to spread, we believe that there will be an increasing awareness of a fundamental need to address privacy concerns, and that doing so will require an understanding of policies that govern information use accompanied by development of technologies that can implement such policies. The research reported here describes our efforts to design a system which facilitates privacy policy authoring, implementation, and compliance monitoring. We employed a variety of user-centered design methods with 109 target users across the four steps of the research reported here. This case study highlights the work of identifying organizational privacy requirements, iteratively designing and validating a prototype with target users, and conducting laboratory tests to guide specific design decisions to meet the needs of providing flexible privacy enabling technologies. Each of the four steps in our work is identified and described, and directions for future work in privacy are suggested.