Privacy & Confidentiality

https://taxonomy.eticas.ai/risk/privacy-confidentiality

Maturity: established

The risk that an AI system collects, processes, or infers personal information in ways that infringe on individuals’ rights to control their data (privacy), or that sensitive information is exposed, accessed, or shared without authorization (confidentiality). This includes risks from data leakage, re-identification, unauthorized use, or insufficient safeguards.

Also known as: Privacy · Data Privacy

System type: ADM and LLM systems
Lifecycle stages: Pre Processing, In Processing, Post Processing

Risk groups

Mappings to external frameworks

Standards & frameworks

Framework Reference
EU AI Act (Regulation 2024/1689) Article 10(5) — special categories of personal data + Recital 47 (fundamental rights including privacy)
ISO/IEC 42001:2023 — AI Management System Privacy considerations for AI systems
AIUC-1 — AI Underwriting Company Standard Data & Privacy domain
Council of Europe Framework Convention on AI (CETS No. 225) Article 11 — Privacy and personal data protection
IEEE Std 7002-2022 — Data Privacy Process IEEE 7002-2022 (whole standard)
NIST AI 600-1 — Generative AI Risk Profile Data Privacy
NIST AI Risk Management Framework (AI 100-1) Privacy-Enhanced
OECD AI Principles Human rights, rule of law, fairness & privacy
TC260 AI Safety Governance Framework (v2.0) §3.1.2(a) Data risks — collection without consent + §3.1.2(d) Data risks — PII leaks

Taxonomies & vocabularies

Framework Reference
MIT AI Risk Repository Compromise of privacy by obtaining, leaking or correctly inferring sensitive information
W3C Data Privacy Vocabulary — AI Extension Personal Data Handling (DPV core)
AIR 2024 Legal & Rights → Privacy (Unauthorized Privacy Violations × Sensitive Data types)
IBM AI Risk Atlas Input → Data privacy + Output → Privacy violations