A Named Entity Recognition Based Approach for Privacy Requirements Engineering

Bibliographic Details
Published in: 2021 IEEE 29th International Requirements Engineering Conference Workshops (REW), pp. 406-411
Main Authors: Herwanto, Guntur Budi; Quirchmayr, Gerald; Tjoa, A Min
Format: Conference Proceeding
Language: English
Published: IEEE 01.09.2021
DOI: 10.1109/REW53955.2021.00072

Summary: The presence of experts, such as a data protection officer (DPO) and a privacy engineer, is essential in Privacy Requirements Engineering. This task is carried out in various forms including threat modeling and privacy impact assessment. The knowledge required for performing privacy threat modeling can be a serious challenge for a novice privacy engineer. We aim to bridge this gap by developing an automated approach via machine learning that is able to detect privacy-related entities in the user stories. The relevant entities include (1) the Data Subject, (2) the Processing, and (3) the Personal Data entities. We use a state-of-the-art Named Entity Recognition (NER) model along with contextual embedding techniques. We argue that an automated approach can assist agile teams in performing privacy requirements engineering techniques such as threat modeling, which requires a holistic understanding of how personally identifiable information is used in a system. In comparison to other domain-specific NER models, our approach achieves a reasonably good performance in terms of precision and recall.