<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Representation and Inference of Privacy Risks Using Semantic Web Technologies</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>
            <given-names>Douglas</given-names>
            <surname>da Silva</surname>
          </string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>
            <given-names>Tomas</given-names>
            <surname>Sander</surname>
          </string-name>
          <email>tomas.sander@hp.com</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>
            <given-names>Renata</given-names>
            <surname>Vieira</surname>
          </string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>PUCRS, FACIN</institution>
          ,
          <addr-line>Ipiranga Av. 6681, CEP 90619-900 Porto Alegre</addr-line>
          ,
          <country country="BR">Brazil</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Systems Security, HP Labs</institution>
          ,
          <addr-line>Vaughn Dr, Princeton, NJ 08540</addr-line>
          ,
          <country country="US">USA</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>This poster discusses domain ontologies for the privacy field, aimed at automatic risk identification and project qualification. It presents an ontology model that describes risks as an interpretation of privacy policies contextualized in project specifications.</p>
      </abstract>
      <kwd-group>
        <kwd>Ontologies</kwd>
        <kwd>privacy</kwd>
        <kwd>accountability</kwd>
        <kwd>risk assessment</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. INTRODUCTION</title>
      <p>
        Attention to privacy legislation is an important issue in IT
(information technology) projects, in order to avoid lawsuits and loss of
consumer trust [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]. The privacy domain in IT and accountable privacy management
(APM) in organizations are explored in several works, as follows. In [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ] a taxonomy describes concepts such as collection, processing,
dissemination and invasion of information. Knutson [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ] presents basic principles for creating privacy awareness in
software projects: identifying privacy goals that fulfil legal obligations,
defining a privacy core team of technical and legal experts, and writing
guidelines that help developers become independent of the privacy experts.
Similar concerns for software design are endorsed in other work on privacy
awareness [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ][
        <xref ref-type="bibr" rid="ref5">5</xref>
        ]. The KAoS Policy Ontologies (KPO) [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ] define concepts such as actions, actors, groups, places, entities
related to actions, and policies. An integration of policies covering several
aspects of security, including authorization and privacy, into semantic web
services is proposed in [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ]. The BDSG ontology, which maps law statements to a machine
interpretable language, is presented in [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ] as a way to enforce privacy in enterprises, using ontologies to
generate XACML [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ] policies. Hecker [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ] argues that ontologies for the privacy field must enable
interoperability, determine the privacy level of a transaction and guide the
implementation of privacy functionality without requiring domain expertise.
Hecker builds an ontology from privacy notions and concepts of the European
Parliament Directive 95/46/EC. Hu [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ] proposes that the semantic model for EPAL privacy policies can be
expressed as a variety of combinations of ontologies and rules.
      </p>
      <p>Considering the importance of a proper representation of the relevant
rules for handling personal information, described in laws, guidelines,
policies, and other normative sources, we propose an ontology describing
data privacy risk related concepts, based on project actions. In particular,
we address the appropriate usage of information under a set of rules, based
on the identification of privacy risks when dealing with sensitive
information. An OWL ontology infers risks in terms of the actions of
software projects and the effect of these actions on sensitive
information.</p>
    </sec>
    <sec id="sec-1a">
      <title>2. REPRESENTING PRIVACY RISKS</title>
      <p>Our model includes concepts such as personally identifiable
information (PII), sensitive information, user actions, location,
and risk levels. Restrictions and constructors that classify actions as
risk actions are described through object properties. Figure 1
shows some of the relevant identified classes.</p>
      <p>These are common concepts in documents, laws and guidelines of
the domain for privacy assurance and accountable software
development<xref ref-type="fn" rid="fn1">1</xref>. Properties are used to relate actions to contextual
information; examples are:</p>
      <list list-type="simple">
        <list-item><p>Information Transfer has origin Country</p></list-item>
        <list-item><p>Information Transfer has destination Country</p></list-item>
        <list-item><p>PII is sensitive information in location Geo</p></list-item>
        <list-item><p>Action involves information Information</p></list-item>
        <list-item><p>Action has secondary action Action</p></list-item>
      </list>
      <p>
        Based on Argentina’s provision [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ], which classifies risks as low, moderate and high, we exemplify
risk inference as follows. Figure 2 shows the Risk_Action classes.
      </p>
      <p>In our model, privacy risks are inferred from project related
information. Consider an instance of a project in the ontology
which refers to actions that manipulate information such as name,
address and social security number. This project instance is
asserted using the relations involves action, involves
information, has origin, has destination, and is sensitive
information in location, as shown below.</p>
      <preformat>project involves action
    information access
    information transfer
information access involves information
    name
    address
    social security number
information transfer involves information
    name
    address
    social security number
information transfer has origin
    USA
information transfer has destination
    Portugal
social security number is sensitive information in location
    USA</preformat>
      <p>With these facts asserted in the ontology, the instance social
security number is classified as Sensitive Information in the USA as a
consequence of a rule codified in SWRL. In turn, both actions are inferred
to be high risk actions: Sensitive Information Access and Sensitive
Information Transfer.</p>
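The inference just described, as an added example that is not part of the poster and not the authors' OWL/SWRL ontology: a small forward-chaining rule engine in plain Python over the project facts asserted above. The rule that classifies social security number as sensitive information in the USA, and the rules that lift the access and transfer actions to high risk, are written as Python methods with their SWRL-style reading in comments. The class and property names (`RiskOntology`, `governed_by`, `has_location`) are mine, and two points the poster leaves open are marked as assumptions in the code: which location governs an access action, and how the low and moderate levels of the Argentine classification are assigned.

```python
"""Forward-chaining inference of privacy risk levels from project facts.

Added, constructed illustration of the inference in Section 2 of the poster;
not the authors' ontology.  Facts mirror the poster's example project; rules
are a plain-Python rendering of the SWRL rule the poster describes, plus two
labelled assumptions.  Standard library only.
"""
from typing import Set, Tuple

Triple = Tuple[str, str, str]
RDF_TYPE = "rdf:type"


class RiskOntology:
    """A tiny triple store whose rules are run to a fixpoint."""

    def __init__(self) -> None:
        self.facts: Set[Triple] = set()

    def add(self, s: str, p: str, o: str) -> None:
        self.facts.add((s, p, o))

    def objects(self, s: str, p: str) -> Set[str]:
        return {o for (ss, pp, o) in self.facts if ss == s and pp == p}

    def with_type(self, cls: str) -> Set[str]:
        return {s for (s, p, o) in self.facts if p == RDF_TYPE and o == cls}

    def types(self, s: str) -> Set[str]:
        return self.objects(s, RDF_TYPE)

    # Poster's rule: isSensitiveInformationIn(?i, ?loc) -> SensitiveInformation(?i)
    # (the location context stays on the original triple).
    def _rule_sensitive_information(self) -> Set[Triple]:
        return {(i, RDF_TYPE, "SensitiveInformation")
                for (i, p, _loc) in self.facts if p == "is_sensitive_information_in"}

    # ASSUMPTION (not stated on the poster): a transfer is governed by the law of
    # its origin country; an access by the law of the place where it happens.
    def _rule_jurisdiction(self) -> Set[Triple]:
        derived: Set[Triple] = set()
        for a in self.with_type("InformationTransfer"):
            derived |= {(a, "governed_by", loc) for loc in self.objects(a, "has_origin")}
        for a in self.with_type("InformationAccess"):
            derived |= {(a, "governed_by", loc) for loc in self.objects(a, "has_location")}
        return derived

    # InformationAccess(?a) ^ involvesInformation(?a, ?i) ^ governedBy(?a, ?loc)
    #   ^ isSensitiveInformationIn(?i, ?loc)
    #   -> SensitiveInformationAccess(?a) ^ HighRiskAction(?a)
    # and the analogous rule for InformationTransfer.
    def _rule_high_risk(self) -> Set[Triple]:
        derived: Set[Triple] = set()
        for cls, risky in (("InformationAccess", "SensitiveInformationAccess"),
                           ("InformationTransfer", "SensitiveInformationTransfer")):
            for a in self.with_type(cls):
                for loc in self.objects(a, "governed_by"):
                    for i in self.objects(a, "involves_information"):
                        if loc in self.objects(i, "is_sensitive_information_in"):
                            derived.add((a, RDF_TYPE, risky))
                            derived.add((a, RDF_TYPE, "HighRiskAction"))
        return derived

    def infer(self) -> int:
        """Apply all rules until nothing new appears; return the number of derived triples."""
        before = len(self.facts)
        while True:
            new = (self._rule_sensitive_information()
                   | self._rule_jurisdiction()
                   | self._rule_high_risk()) - self.facts
            if not new:
                return len(self.facts) - before
            self.facts |= new

    # ASSUMPTION: the poster only exemplifies "high"; the mapping of the other
    # two levels of the Argentine classification (moderate, low) is mine.
    def risk_level(self, action: str) -> str:
        if "HighRiskAction" in self.types(action):
            return "high"
        if any("PII" in self.types(i) for i in self.objects(action, "involves_information")):
            return "moderate"
        return "low"


def build_poster_project() -> RiskOntology:
    """The project instance asserted in Section 2 of the poster (plus two assumptions)."""
    kb = RiskOntology()
    kb.add("information_access", RDF_TYPE, "InformationAccess")
    kb.add("information_transfer", RDF_TYPE, "InformationTransfer")
    for action in ("information_access", "information_transfer"):
        kb.add("project", "involves_action", action)
        for info in ("name", "address", "social_security_number"):
            kb.add(action, "involves_information", info)
            kb.add(info, RDF_TYPE, "PII")  # ASSUMPTION: all three are PII
    kb.add("information_transfer", "has_origin", "USA")
    kb.add("information_transfer", "has_destination", "Portugal")
    kb.add("social_security_number", "is_sensitive_information_in", "USA")
    kb.add("information_access", "has_location", "USA")  # ASSUMPTION, see _rule_jurisdiction
    return kb


if __name__ == "__main__":
    kb = build_poster_project()
    print("derived triples:", kb.infer())
    for action in sorted(kb.objects("project", "involves_action")):
        print(action, sorted(kb.types(action)), kb.risk_level(action))
```

Running it derives seven triples and reports both actions as high risk, matching the poster's conclusion. Changing the transfer's origin to a country where social security number is not declared sensitive drops that action to moderate, which is the point of keeping sensitivity contextual to a location rather than a global property of the datum.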
    </sec>
    <sec id="sec-2">
      <title>3. FINAL REMARKS</title>
      <p>Ontologies on the privacy domain are useful to provide ways to
share vocabulary and to better understand a particular domain and its
related concepts. Our research is aimed at building models that
infer risks automatically from the specification of project features.
Such knowledge-intensive areas require advanced knowledge
management technologies. A privacy core team is necessary to
create and maintain such systems based on dynamically changing
knowledge. Our model presents concepts and relations where
actions involving data related to personal information and their
contexts (time, place) are related to risks. The proposed approach
is intended to guide managers in risk assessment. The model is
also designed to help privacy experts formalize risky situations
in organizations. As future work we plan to map our concepts to
other similar ontologies, linking, for instance, our action concepts
to the action concepts of KAoS. We are also considering the
processing of textual knowledge sources such as laws and
guidelines to ease the identification of relevant domain
information.</p>
      <fn-group>
        <fn id="fn1">
          <label>1</label>
          <p>A hyperbolic view of the ontology is available at <ext-link ext-link-type="uri" xlink:href="http://www.inf.pucrs.br/~ontolp/Visualizacao/Privacy_Risks/Privacy_risks.html">http://www.inf.pucrs.br/~ontolp/Visualizacao/Privacy_Risks/Privacy_risks.html</ext-link>.</p>
        </fn>
      </fn-group>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <surname>Mont</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Thyne</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          :
          <article-title>Privacy policy enforcement in enterprises with identity management solutions</article-title>
          .
          <source>In: PST '06</source>
          , vol.
          <volume>380</volume>
          , pp.
          <fpage>1</fpage>
          --
          <lpage>12</lpage>
          . ACM, New York (
          <year>2006</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <surname>Solove</surname>
            ,
            <given-names>D. J.</given-names>
          </string-name>
          :
          <article-title>A Taxonomy of Privacy</article-title>
          . University of Pennsylvania Law Review, vol.
          <volume>154</volume>
          , no.
          <issue>3</issue>
          , p.
          <fpage>477</fpage>
          , (
          <year>2006</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <surname>Knutson</surname>
            ,
            <given-names>T. R.</given-names>
          </string-name>
          :
          <article-title>Building Privacy into Software Products and Services</article-title>
          .
          <source>IEEE Security and Privacy</source>
          , vol.
          <volume>5</volume>
          , no.
          <issue>3</issue>
          , pp.
          <fpage>72</fpage>
          --
          <lpage>74</lpage>
          (
          <year>2007</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <surname>Duncan</surname>
            ,
            <given-names>G.</given-names>
          </string-name>
          :
          <article-title>ENGINEERING: Privacy By Design</article-title>
          .
          <source>Science</source>
          <volume>317</volume>
          (
          <issue>5842</issue>
          ),
          <fpage>1178</fpage>
          , (
          <year>2007</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <surname>Ye</surname>
            ,
            <given-names>X.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Zhu</surname>
            ,
            <given-names>Z.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Peng</surname>
            ,
            <given-names>Y.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Xie</surname>
            ,
            <given-names>F.</given-names>
          </string-name>
          :
          <article-title>Privacy Aware Engineering: A Case Study</article-title>
          .
          <source>Journal of Software</source>
          , vol.
          <volume>4</volume>
          , no.
          <issue>3</issue>
          , pp.
          <fpage>218</fpage>
          --
          <lpage>225</lpage>
          (
          <year>2009</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <surname>Bradshaw</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          et al.:
          <article-title>Representation and reasoning for DAML-based policy and domain services in KAoS and nomads</article-title>
          .
          <source>In: AAMAS '03</source>
          . Melbourne, Australia
          (
          <year>2003</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <surname>Kagal</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Paolucci</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Srinivasan</surname>
            ,
            <given-names>N.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Denker</surname>
            ,
            <given-names>G.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Finin</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          , and
          <string-name>
            <surname>Sycara</surname>
          </string-name>
          , T.:
          <article-title>Authorization and Privacy for Semantic Web Services</article-title>
          ,
          <source>In: AAAI Spring Symposium on Semantic Web Services</source>
          (
          <year>2004</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <surname>Abou-Tair</surname>
            ,
            <given-names>D.D.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Berlik</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kelter</surname>
            ,
            <given-names>U.</given-names>
          </string-name>
          :
          <article-title>Enforcing Privacy by Means of an Ontology Driven XACML Framework</article-title>
          .
          <source>In: IAS 2007, Third International Symposium on Information Assurance and Security</source>
          , pp.
          <fpage>279</fpage>
          --
          <lpage>284</lpage>
          (
          <year>2007</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <collab>OASIS XACML Technical Committee</collab>
          :
          <article-title>eXtensible Access Control Markup Language</article-title>
          (
          <year>2003</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <surname>Hecker</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Dillon</surname>
            ,
            <given-names>T. S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Chang</surname>
            ,
            <given-names>E.</given-names>
          </string-name>
          :
          <article-title>Privacy Ontology Support for E-Commerce</article-title>
          .
          <source>IEEE Internet Computing</source>
          , vol.
          <volume>12</volume>
          , no.
          <issue>2</issue>
          , pp.
          <fpage>54</fpage>
          --
          <lpage>61</lpage>
          (
          <year>2008</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <surname>Hu</surname>
            ,
            <given-names>Y.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Guo</surname>
            ,
            <given-names>H.</given-names>
          </string-name>
          , and
          <string-name>
            <surname>Lin</surname>
            ,
            <given-names>A. G.</given-names>
          </string-name>
          :
          <article-title>Semantic Enforcement of Privacy Protection Policies via the Combination of Ontologies and Rules</article-title>
          .
          <source>In: SUTC</source>
          <year>2008</year>
          , vol.
          <volume>00</volume>
          . IEEE Computer Society, Washington, DC, pp.
          <fpage>400</fpage>
          --
          <lpage>407</lpage>
          (
          <year>2008</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <collab>Ministerio de Justicia, Seguridad y Derechos Humanos, Presidencia de la Nación Argentina. Dirección Nacional de Protección de Datos Personales</collab>
          (
          <year>2006</year>
          )
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>