Skip to Main content Skip to Navigation
Conference papers

A Conceptual Model for Privacy Policies with Consent and Revocation Requirements

Abstract : This paper proposes a conceptual model for privacy policies that takes into account privacy requirements arising from different stakeholders, with legal, business and technical backgrounds. Current approaches to privacy management are either high-level, enforcing privacy of personal data using legal compliance, risk and impact assessments, or low-level, focusing on the technical implementation of access controls to personal data held by an enterprise. High-level approaches tend to address privacy as an afterthought in ordinary business practice, and involve ad hoc enforcement practices; low-level approaches often leave out important legal and business considerations focusing solely on technical management of privacy policies. Hence, neither is a panacea and the low level approaches are often not adopted in real environments. Our conceptual model provides a means to express privacy policy requirements as well as users’ privacy preferences. It enables structured reasoning regarding containment and implementation between various policies at the high level, and enables easy traceability into the low-level policy implementations. Thus it offers a means to reason about correctness that links low-level privacy management mechanisms to stakeholder requirements, thereby encouraging exploitation of the low-level methods. We also present the notion of a consent and revocation policy. A consent and revocation policy is different from a privacy policy in that it defines not enterprise practices with regards to personal data, but more specifically, for each item of personal data held by an enterprise, what consent preferences a user may express and to what degree, and in what ways he or she can revoke their personal data. This builds on earlier work on defining the different forms of revocation for personal data, and on formal models of consent and revocation processes. The work and approach discussed in this paper is currently carried out in the context of the UK collaborative project EnCoRe (Ensuring Consent and Revocation).
Document type :
Conference papers
Complete list of metadata

Cited literature [19 references]  Display  Hide  Download

https://hal.inria.fr/hal-01559459
Contributor : Hal Ifip <>
Submitted on : Monday, July 10, 2017 - 4:49:28 PM
Last modification on : Thursday, December 28, 2017 - 1:58:02 PM
Long-term archiving on: : Wednesday, January 24, 2018 - 6:42:04 PM

File

978-3-642-20769-3_21_Chapter.p...
Files produced by the author(s)

Licence


Distributed under a Creative Commons Attribution 4.0 International License

Identifiers

Citation

Nick Papanikolaou, Marco Casassa Mont, Siani Pearson, Sadie Creese, Michael Goldsmith. A Conceptual Model for Privacy Policies with Consent and Revocation Requirements. 6th International Summer School (ISS), Aug 2010, Helsingborg, Sweden. pp.258-270, ⟨10.1007/978-3-642-20769-3_21⟩. ⟨hal-01559459⟩

Share

Metrics

Record views

321

Files downloads

308