Privacy Impact Assessments (PIAs) offer a systematic process for assessing the privacy impacts of a project or system. As a privacy engineering strategy, PIAs are heralded as one of the main approaches to privacy by design, supporting the early identification of threats and controls. However, there is still a shortage of empirical evidence on their uptake and proven effectiveness in practice. To better understand the current state of literature and research, this paper provides a comprehensive Scoping Review (ScR) on the topic of PIAs "in the wild", following the well-established Preferred Reporting Items for Systematic reviews and Meta-Analyses (PRISMA) guidelines. As a result, this ScR includes 45 studies, providing an extensive synthesis of the existing body of knowledge, classifying types of research and publications, appraising the methodological quality of primary research, and summarising the positive and negative aspects of PIAs in practice, as reported by studies. This ScR also identifies significant research gaps (e.g., evidence gaps from contradictory results and methodological gaps from research design deficiencies), future research pathways, and implications for researchers, practitioners, and policymakers developing and evaluating PIA frameworks. As we conclude, there is still a significant need for more primary research on the topic, both qualitative and quantitative. A critical appraisal of qualitative studies (n=28) revealed deficiencies in the methodological quality, and only four quantitative studies were identified, suggesting that current primary research remains incipient. Nonetheless, PIAs can be regarded as a prominent sub-area in the broader field of Empirical Privacy Engineering, warranting further research toward more evidence-based practices.
翻译:隐私影响评估(PIAs)为评估项目或系统的隐私影响提供了系统化流程。作为隐私工程策略,PIAs被推崇为隐私保护设计的主要方法之一,有助于早期识别威胁并制定控制措施。然而,目前仍缺乏关于其在实践中应用情况及实际有效性的实证证据。为深入理解现有文献与研究现状,本文遵循成熟的系统综述与荟萃分析优先报告项目(PRISMA)指南,对"实践中"的PIAs主题进行了全面的范围综述(ScR)。本综述最终纳入45项研究,对现有知识体系进行了广泛整合,系统分类了研究类型与出版物形式,评估了原始研究的方法学质量,并归纳了研究中报告的PIAs实践中的积极与消极方面。本综述同时揭示了显著的研究空白(例如矛盾结果导致的证据缺口与研究设计缺陷引发的方法学缺口),指明了未来研究路径,并对开发与评估PIA框架的研究者、从业者及政策制定者提出了实践启示。总结而言,该领域仍亟需更多定性及定量的原始研究。对定性研究(n=28)的批判性评估揭示了其方法学质量的不足,而仅识别出的四项定量研究表明当前原始研究仍处于萌芽阶段。尽管如此,PIAs可被视为更广泛的实证隐私工程领域中一个重要的子方向,值得通过进一步研究推动更具循证基础的实践发展。