PARTICIPATORY DESIGN RESEARCH TO INTEGRATE PRIVACY LAW REQUIREMENTS AS DESIGN REQUIREMENTS FOR PATIENT PORTAL USER INTERFACE

Abstract

The increase in privacy legislation has motivated our research on integrating privacy law requirements as design requirements. An effective privacy compliance framework requires communication between privacy professionals and IT designers. To bridge the gap between the two professions, we propose and apply mixed methods of Participatory Design (PD) techniques to collaboratively construct design ideas from multidisciplinary teams based on the legal perspective of privacy. In focusing on enhancing the privacy of the user interface in the context of online patient portals, we aim to develop a taxonomy of a usable privacy framework derived from PD for IT designers as a one-stop-shop framework to help them show compliance with privacy legislation. We started with the requirement-gathering phase by analyzing the Nova Scotia’s Personal Health Information Act (PHIA) to generate a set of privacy patterns that cover individuals’ privacy rights. Next, we conducted in-depth interviews to communicate the design solutions proposed from the privacy patterns and cover gaps we discern from the initial analysis. We applied Grounded Theory to the qualitative data we collected to form a set of privacy-preserving design guidelines regarding Notification, Data Collection, Data Access, Information Disclosure, and Consents. These guidelines shape our initial privacy-preserving requirements and are used as input (tasks) to the cooperative prototyping sessions. Our proposed cooperative prototyping sessions, as participatory design research, are divided into two studies. Three rounds of the Collaborative Analysis of Requirement and Design (CARD) was conducted to provide a high-level task analysis and used to build on our proposed privacy-preserving framework. The results from the CARD sessions were used as input to the next four Decision-Making (DM) workshops as a way to include privacy professionals and multidisciplinary teams in the early design phase. We focus on bringing diverse perspectives to construct usable and privacy-preserving collaboratively agreed-upon designs. Privacy professionals evaluated these designs during the workshops. We also apply Activity Theory as a qualitative framework to understand how multidisciplinary teams create common agreed-upon designs and share expertise as a supportive potential contribution. The final phase was combining the inputs from all the previous phases to form our proposed usable privacy-preserving framework as our main potential contribution that is Nova Scotia PHIA-compliant.