Designing a Training Journey for Privacy and Information Security Practitioners in the Federal Public Administration
Abstract
Context: The Ministry of Management and Innovation in Public Services (MGI) leads the formulation and coordination of the Digital Government Strategy (EGD). DEPSI, under the Secretariat of Digital Government (SGD), is responsible for the Privacy and Information Security Program (PPSI), which aims at data privacy, compliance, and institutional resilience. Problem: The culture of privacy and information security in the Federal Public Administration faces development challenges. Despite the PPSI, there is a lack of awareness initiatives, training, a clear strategy, best practices, and performance indicators. Proposed Solution: The proposal aims to develop a training journey for practitioners working in roles related to privacy and information security, with the goal of identifying and promoting the best practices, skills, and competencies required for these roles. IS Theory: This study aligns with Organizational Information Processing Theory, providing mechanisms to help organizations adapt to regulatory uncertainties in privacy and security. Method: We employed a mixed approach, combining document analysis, a literature review, and a survey. Guidelines and standards were analyzed to map competencies and responsibilities, while the survey gathered practitioners' perceptions of the proposed training journey. Summary of Results: We identified the key profiles and their corresponding responsibilities, and proposed a personalized training journey. Survey results indicated that the journey meets practitioners' expectations, being well evaluated in terms of both the criteria and the weights assigned to them. Contributions and Impact in IS: This work contributes by presenting a proposal for a training journey to assess the knowledge of Federal Public Administration employees and guide them on the best paths for professional development.