Privacy as an Architectural Quality: A Definition and an Architectural View

Software architects describe architectures from different perspectives to compare, document, and explain them to other stakeholders. Numerous views have been proposed in the past in the form of architectural models and modelling languages. However, these views do not sufficiently reflect privacy properties, making it difficult for architects to evaluate and compare design candidates.In this paper, we first define privacy as an architectural quality, and then propose a privacy-by-design architectural view which uses an extended data flow diagram to support the documentation, evaluation, and comparison of architecture designs. The view uses control domains, showing which entities actually control personal data in the design, and metrics that can quantify privacy aspects. We also present a method to create the view automatically from source code. This approach can be useful in the maintenance phase of the software lifecycle, as well as in agile development where source code and architecture are changed iteratively. The results can be integrated into the Attribute-Driven Design method, and can also be used to document design decisions, e.g., for future design support or a certification audit.