Aaron Ceross scite author profile

Simpson

2018

The field of privacy engineering proposes a methodological framework for designing privacy-protecting information systems. Recognising that the utilisation of privacy-enhancing techniques for data storage and analysis does not address the entire scope of individual privacy, privacy engineering incorporates influences from user sentiment, legal norms and risk analysis in order to provide a holistic approach. Framed by related design principles, such as 'Privacyby-Design', privacy engineering purports to provide a practical, deployable set of methods by which to achieve such a holistic outcome. Yet, despite this aim, there have been difficulties in adequately articulating the value proposition of privacy engineering. Without being able to adequately define privacy or map its contours, any proposed methodology or framework will be difficult to implement in practice, if not self-defeating. This paper identifies and examines the assumptions that underpin privacy engineering, linking them to shortcomings and open questions. Further, we explore possible research avenues that may give rise to alternative frameworks.

Evaluating the Presence of Software-as-a-Medical-Device in the Australian Therapeutic Goods Register

Bergmann

2021

Prosthesis

In recent years, medical device regulatory bodies have recognised software-as-a-medical-device (SaMD) as a distinct subgroup of devices. The field of SaMD has been rapidly evolving and encompasses a range of different digital solutions. Many organisations have now started to look into digital healthcare, as a way to solve key global challenges. However, there remains uncertainty regarding how many of these SaMD products are entering the market and to what extent these systems achieve a desired level of general safety once they are in the market. In this study, we utilise data collected from publicly available databases. The data are evaluated for trends and a descriptive analysis is performed of the recall and adverse events associated specifically with SaMD. We find that there is a significant positive trend (p < 0.05) of SaMD registrations, although the number of SaMD registrations remains relative low compared to non-SaMD. This rise in SaMD registrations coincides with increasing levels of recalls and adverse events. More importantly, it becomes apparent that adverse events notification is not yet fit for purpose with regards to SaMD.

The Use of Data Protection Regulatory Actions as a Data Source for Privacy Economics

Simpson

2017

It is well understood that security informatics is constrained by the availability of reliable data sources, which limits the development of robust methods for measuring the impact of data breaches. To date, empirical data breach analysis has largely relied upon the use of economic and financial data associated with an organisation as a measure of impact.To provide an alternative, complementary approach, we explore monetary fines resulting from data protection regulatory actions to understand how the data can inform the evaluation of data breaches. The results indicate where context matters and also provide information on the wider challenges faced by organisations managing personal data.1 The Data Protection Directive (Directive 95/46/EC) required EU Member States to harmonise national legislation on data protection. 2 https://www.ftc.gov/news-events/press-releases/2013/02/ path-social-networking-app-settles-ftc-charges-it-deceived 3 https://www.ftc.gov/news-events/press-releases/2016/12/ operators-ashleymadisoncom-settle-ftc-state-charges-resulting

Using Rule-Based Decision Trees to Digitize Legislation

et al. 2022

This article introduces a novel approach to digitize legislation using rule based-decision trees (RBDTs). As regulation is one of the major barriers to innovation, novel methods for helping stakeholders better understand, and conform to, legislation are becoming increasingly important. Newly introduced medical device regulation has resulted in an increased complexity of regulatory strategy for manufacturers, and the pressure on notified body resources to support this process is making this an increasing concern in industry. This paper explores a real-world classification problem that arises for medical device manufacturers when they want to be certified according to the In Vitro Diagnostic Regulation (IVDR). A modification to an existing RBDT algorithm is introduced (RBDT-1C) and a case study demonstrates how this method can be applied. The RBDT-1C algorithm is used to design a decision tree to classify IVD devices according to their risk-based classes: Class A, Class B, Class C and Class D. The applied RBDT-1C algorithm demonstrated accurate classification in-line with published ground-truth data. This approach should enable users to better understand the legislation, has informed policy makers about potential areas for future guidance, and allowed for the identification of errors in the regulations that have already been recognized and amended by the European Commission.

Examining data protection enforcement actions through qualitative interviews and data exploration

International Review of Law, Computers & Technology

2018

Tracking the Presence of Software as a Medical Device in US Food and Drug Administration Databases: Retrospective Data Analysis (Preprint)

Ceross¹,

Bergmann²

2020

Preprint

UNSTRUCTURED Software-as-a-medical-device (SaMD) has gained popularity as a type of medical device. However, to date, empirical analysis of SaMD trends have been lacking. Using databases managed by the US medical device regulator (the Food and Drug Administration), we map the path SaMD takes towards classification and recorded adverse events. The findings show that while SaMD has been identified in literature as an area of development, the data analysis suggests that this growth has been modest. These devices are overwhelming classified as moderate to high risk and they take a very particular path to that classification. The digital revolution in health care is less pronounced when evidence is considered of SaMD. In general, the trend for software registration mimics that of medical devices.

Prediction of monetary penalties for data protection cases in multiple languages

Zhu

2021

Blessed Are The Lawyers, For They Shall Inherit Cybersecurity

Woods

2021

This paper considers which types of evidence guide cybersecurity decisions. We argue that the "InfoSec belongs to the quants" paradigm will not be realised despite its normative appeal. In terms of progress to date, we find few empirical results that can guide risk mitigation decisions. We suggest the knowledge base about quantitative cybersecurity is continually eroded by increasing complexity, technological flux, and strategic adversaries. Given these secular forces will not abate any time soon, we argue that legal reasoning will increasingly influence cybersecurity decisions relative to technical and quantitative reasoning. The law as a system of social control bristles with ambiguity and so legal mechanisms exist to resolve uncertainties over time. Actors with greater claims to authority over this knowledge base, predominantly lawyers, will accrue decision making power within organisations. We speculate about the downstream impacts of lawyers inheriting cybersecurity, and also sketch the limits of the paradigm's explanatory power.