A Conceptual Model for Privacy Policies with Consent and Revocation Requirements

Abstract : This paper proposes a conceptual model for privacy policies that takes into account privacy requirements arising from different stakeholders, with legal, business and technical backgrounds. Current approaches to privacy management are either high-level, enforcing privacy of personal data using legal compliance, risk and impact assessments, or low-level, focusing on the technical implementation of access controls to personal data held by an enterprise. High-level approaches tend to address privacy as an afterthought in ordinary business practice, and involve ad hoc enforcement practices; low-level approaches often leave out important legal and business considerations focusing solely on technical management of privacy policies. Hence, neither is a panacea and the low level approaches are often not adopted in real environments. Our conceptual model provides a means to express privacy policy requirements as well as users’ privacy preferences. It enables structured reasoning regarding containment and implementation between various policies at the high level, and enables easy traceability into the low-level policy implementations. Thus it offers a means to reason about correctness that links low-level privacy management mechanisms to stakeholder requirements, thereby encouraging exploitation of the low-level methods. We also present the notion of a consent and revocation policy. A consent and revocation policy is different from a privacy policy in that it defines not enterprise practices with regards to personal data, but more specifically, for each item of personal data held by an enterprise, what consent preferences a user may express and to what degree, and in what ways he or she can revoke their personal data. This builds on earlier work on defining the different forms of revocation for personal data, and on formal models of consent and revocation processes. The work and approach discussed in this paper is currently carried out in the context of the UK collaborative project EnCoRe (Ensuring Consent and Revocation).
Type de document :
Communication dans un congrès
Simone Fischer-Hübner; Penny Duquenoy; Marit Hansen; Ronald Leenes; Ge Zhang. 6th International Summer School (ISS), Aug 2010, Helsingborg, Sweden. Springer, IFIP Advances in Information and Communication Technology, AICT-352, pp.258-270, 2011, Privacy and Identity Management for Life. 〈10.1007/978-3-642-20769-3_21〉
Liste complète des métadonnées

Littérature citée [25 références]  Voir  Masquer  Télécharger

https://hal.inria.fr/hal-01559459
Contributeur : Hal Ifip <>
Soumis le : lundi 10 juillet 2017 - 16:49:28
Dernière modification le : jeudi 28 décembre 2017 - 13:58:02
Document(s) archivé(s) le : mercredi 24 janvier 2018 - 18:42:04

Fichier

978-3-642-20769-3_21_Chapter.p...
Fichiers produits par l'(les) auteur(s)

Licence


Distributed under a Creative Commons Paternité 4.0 International License

Identifiants

Citation

Nick Papanikolaou, Marco Casassa Mont, Siani Pearson, Sadie Creese, Michael Goldsmith. A Conceptual Model for Privacy Policies with Consent and Revocation Requirements. Simone Fischer-Hübner; Penny Duquenoy; Marit Hansen; Ronald Leenes; Ge Zhang. 6th International Summer School (ISS), Aug 2010, Helsingborg, Sweden. Springer, IFIP Advances in Information and Communication Technology, AICT-352, pp.258-270, 2011, Privacy and Identity Management for Life. 〈10.1007/978-3-642-20769-3_21〉. 〈hal-01559459〉

Partager

Métriques

Consultations de la notice

45

Téléchargements de fichiers

27