Aligning IT Law and Human Computer Interaction – Making law more accessible through Privacy by Design ideation cards
Case study source: Horizon Digital Economy Research Impact Highlights, June 2017
|Dr Lachlan Urquhart, was a member of the 2012 cohort and graduated with a PhD from the Horizon Centre for Doctoral Training in July 2017, after successfully passing his viva in March of the same year.
During his PhD Lachlan was looking to understand the role of technology designers in addressing some of the tough regulatory questions around emerging technologies, like the Internet of Things (IoT). He was interested in how much IT Law and HCI could conceptually be aligned, and the areas of practical crossover between the two disciplines.
Lachlan is now a Research Fellow in IT Law at Horizon Digital Economy Research at the University of Nottingham, focusing on aligning the fields of IT Law and Human Computer Interaction (HCI), so that academics and designers can work together to address regulatory challenges of emerging data driven technologies.
Research focus: Lachlan studied different design frameworks which were quite open to engaging with wider ethical implications of technology, and from the law side looked to see what role design already had as a regulatory tool to shape behaviour of end users. While this had already been studied to some extent, he however found a gap between the work in HCI – looking at how users interact with technology – and the models currently used in IT Law, that are more abstracted and neglect how actual users use technology in practice.
Research activity: To explore the implications of this, he focused on smart metering and domestic IoT, conducting in-depth case studies of regulating these types of technologies. Some examples of the real big issues are getting informed consent from users when they are using ambient technologies, and how to implement The Right to be Forgotten. Lachlan carried out interviews with experts from both IT law and HCI/design communities to see if the concepts he was developing in his PhD would actually work in practice. Alongside this, a set of physical ideation cards were developed, which centered on doing ‘privacy by design’ in practice. The cards are a great tool to sensitise the design community to legal issues, as law is often not a traditional area of focus or familiarity for them.
Privacy by Design Cards: How they work
To begin with an initial deck of cards were developed to explore impacts of the new pan-European data protection law, the EU Gerenal Data Protection Regulation (GDPR) 2016, in practice. Initially the cards focused on changes in data protection law, like new breach notification requirements or The Right to be Forgotten. The research team looked at impacts on design and how these data protection changes may best be communicated to designers. A wider deck for the whole new GDPR was developed, as part of a Horizon project in partnership with Microsoft Research. Lachlan then ran a series of workshops with the deck of cards in a range of organisations and with a mix of attendees including interface designers, programmers, business strategists and beyond – all of them concerned about the impact of regulation on their work.
Following this, Lachlan concentrated on the design of a hypothetical system (such as an autonomous vehicle), and the cards were used to lead the attendees through various scenarios – for example, how would consideration of specific user types (older or young people) change the design of the system? What if there are constraints on context of use, for instance poor network connectivity or tight budgets – what impact would these have on the design process? Lastly legal concepts were introduced, like user legal rights and designer responsibilities. How would The Right to be Forgotten be implemented to ensure all personal data was deleted? How can designers enact the right to data portability, to allow users to move information freely between service providers? Tricky questions to answer!
To make the related law more accessible, the cards are clustered into suites of legal concepts – such as the rights of the end user, the responsibilities of the designers, definitions like what is personal data, what is a data controller, and international concerns, such as using cloud services hosted in the US. It was analysed how users went through the process of using cards and how they navigated around these complicated legal concepts. Finally, Lachlan carried out a focus group discussing the issues arising out of the workshops. Interestingly this activity ended up developing into a clinic, where participants were raising many different questions related to their own individual situations.
It became clear that, while large companies and multinationals often have internal law advice-giving departments, many small companies do not have a support structure for this. They felt the cards would be a good entry point for them to be introduced to some of the ideas, and would help them understand what questions needed to ask during the design process.
Samples of the cards are available on Lachlan’s website at: lachlansresearch.wordpress.com