Abstract
This paper presents the extraction of a legal access control policy and a conflict resolution policy from the EU Data Protection Directive [1]. These policies are installed in a multi-policy authorization infrastructure described in [2, 3]. A Legal Policy Decision Point (PDP) is constructed with the legal access control policy to provide automated decisions based on the relevant legal provisions. The legal conflict resolution policy is configured into a Master PDP to make sure that the legal access control policy takes priority over the access control policies provided by other authorities, i.e., the data subject, the data issuer and the data controller. We describe how clauses of the Directive are converted into access control rules based on attributes of the subject, action, resource and environment. There are currently some limitations in the conversion process, since the majority of provisions require additional interpretation by humans. These provisions cannot be converted into deterministic rules for the PDP. Other provisions do allow for the extraction of PDP rules but need to be tailored to the application environment before they are configured into the Legal PDP.
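The architecture the abstract describes (a Legal PDP, three further authority PDPs, and a Master PDP whose conflict resolution policy gives the legal policy priority) can be sketched in code. The following is an added example written for this page; it is not the paper's implementation nor PERMIS code. Every rule in it is a constructed placeholder (named HYPO-L1, DS-1, and so on), not a provision of Directive 95/46/EC, and the resolution semantics are an assumption chosen for the example: a Legal PDP Permit or Deny is final, a Legal PDP Indeterminate (standing in for a provision that needs human interpretation) is passed through for manual handling, and only when the legal policy is not applicable are the other authorities combined deny-overrides, with deny as the default when no authority applies.

```python
"""Added example (not the paper's code): a Master PDP that gives a Legal PDP
priority over the data subject's, data issuer's and data controller's PDPs.
All rules below are constructed placeholders, not provisions of the Directive."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Decision values in deny-overrides precedence (XACML style):
# Deny beats Indeterminate beats Permit beats NotApplicable.
DENY, INDETERMINATE, PERMIT, NOT_APPLICABLE = "Deny", "Indeterminate", "Permit", "NotApplicable"
PRECEDENCE = [DENY, INDETERMINATE, PERMIT, NOT_APPLICABLE]


def deny_overrides(decisions: List[str]) -> str:
    """Combine decisions so that the most restrictive one wins."""
    for d in PRECEDENCE:
        if d in decisions:
            return d
    return NOT_APPLICABLE


@dataclass
class Request:
    """The four attribute groups the abstract names."""
    subject: Dict[str, str]
    action: Dict[str, str]
    resource: Dict[str, str]
    environment: Dict[str, str]


@dataclass
class Rule:
    name: str
    effect: str                        # Permit, Deny or Indeterminate
    target: Callable[[Request], bool]  # does the rule apply to this request?


@dataclass
class PDP:
    authority: str
    rules: List[Rule]

    def evaluate(self, req: Request) -> str:
        matched = [r.effect for r in self.rules if r.target(req)]
        return deny_overrides(matched)


class MasterPDP:
    """Assumed conflict resolution: the Legal PDP decides whenever it can;
    Indeterminate is surfaced for a human; otherwise the remaining
    authorities are combined deny-overrides, defaulting to Deny."""

    def __init__(self, legal: PDP, others: List[PDP]):
        self.legal = legal
        self.others = others

    def decide(self, req: Request) -> Tuple[str, str]:
        legal = self.legal.evaluate(req)
        if legal in (DENY, PERMIT, INDETERMINATE):
            return legal, self.legal.authority
        votes = {p.authority: p.evaluate(req) for p in self.others}
        combined = deny_overrides(list(votes.values()))
        if combined == NOT_APPLICABLE:
            return DENY, "master-default"
        deciders = ",".join(a for a, d in votes.items() if d == combined)
        return combined, deciders


# Constructed placeholder policies (hypothetical, not from the Directive).
legal_pdp = PDP("legal", [
    # HYPO-L1: sensitive data is not processed without recorded explicit consent.
    Rule("HYPO-L1", DENY, lambda r: r.resource["category"] == "sensitive"
         and r.environment.get("explicit_consent") != "yes"),
    # HYPO-L2: a claimed exemption cannot be decided mechanically; flag it
    # for a human instead of guessing (the non-deterministic provision case).
    Rule("HYPO-L2", INDETERMINATE,
         lambda r: r.environment.get("exemption_claimed") == "yes"),
])
subject_pdp = PDP("data-subject", [
    Rule("DS-1", DENY, lambda r: r.action["id"] == "disclose"
         and r.subject["org"] != r.resource["issuer"]),
])
issuer_pdp = PDP("data-issuer", [
    Rule("DI-1", PERMIT, lambda r: r.subject["org"] == r.resource["issuer"]),
])
controller_pdp = PDP("data-controller", [
    Rule("DC-1", PERMIT, lambda r: r.subject["role"] == "clinician"
         and r.action["id"] == "read"),
])
master = MasterPDP(legal_pdp, [subject_pdp, issuer_pdp, controller_pdp])


def decide(subject, action, resource, environment) -> Tuple[str, str]:
    """Return (decision, deciding authority) for one request."""
    return master.decide(Request(subject, action, resource, environment))


if __name__ == "__main__":
    clinician = {"org": "hospital-a", "role": "clinician"}
    record = {"category": "sensitive", "issuer": "hospital-a"}
    print(decide(clinician, {"id": "read"}, record, {}))
    print(decide(clinician, {"id": "read"}, record, {"explicit_consent": "yes"}))
```

The first request in the usage block is denied by the Legal PDP even though both the issuer's and the controller's policies would permit it; the second passes the legal policy and is then permitted by those two authorities. A request carrying `exemption_claimed` returns Indeterminate from the legal authority, which an application would route to a human rather than treat as a grant.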
References
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Chadwick, D.W., Fatema, K.: An advanced policy based authorisation infrastructure. In: Proceedings of the 5th ACM Workshop on Digital Identity Management (DIM 2009). ACM, New York (2009)
Fatema, K., Chadwick, D.W., Lievens, S.: A Multi-privacy Policy Enforcement System. In: Fischer-Hübner, S., Duquenoy, P., Hansen, M., Leenes, R., Zhang, G. (eds.) Privacy and Identity 2010. IFIP AICT, vol. 352, pp. 297–310. Springer, Heidelberg (2011)
OECD, Privacy and Personal Data Control, http://www.oecd.org/dataoecd/30/32/37626097.pdf
Health Information Privacy, HIPAA 1996 privacy and Security Rules, http://www.hhs.gov/ocr/privacy/
Protection of personal information in the private sector, http://www2.parl.gc.ca/HousePublications/Publication.aspx?pub=bill&doc=C-6&parl=36&ses=2&language=E&File=32#4
Australian Govt. ComLaw, Privacy Act (1988), http://www.comlaw.gov.au/Series/C2004A03712
Karjoth, G., Schunter, M., Waidner, M.: Privacy-enabled services for enterprises. In: 13th International Workshop on Database and Expert Systems Applications, pp. 483–487. IEEE Computer Society, Washington DC (2002)
Mont, M.C.: Dealing with Privacy Obligations: Important Aspects and Technical Approaches. In: International conference on Trust and Privacy in Digital Business no. 1, Zaragoza (2004)
Ardagna, C.A., Bussard, L., Vimercati, S.D.C., Neven, G., Paraboschi, S., Pedrini, E., Preiss, F.-S., Raggett, D., Samarati, P., Trabelsi, S., Verdicchio, M.: PrimeLife Policy Language. Project’s position paper at W3C Workshop on Access Control Application Scenarios (November 2009)
Trabelsi, S., Njeh, A., Bussard, L., Neven, G.: PPL Engine: A Symmetric Architecture for Privacy Policy Handling. Position paper at W3C Workshop on Privacy and Data Usage Control (October 2010)
OASIS XACML 2.0. eXtensible Access Control Markup Language (XACML) Version 2.0 (October 2005), http://www.oasisopen.org/committees/tc_home.php?wg_abbrev=xacml#XACML20
OASIS XACML 3.0. eXtensible Access Control Markup Language (XACML) Version 3.0 (April 16, 2009), http://docs.oasisopen.org/xacml/3.0/xacml-3.0-core-spec-en.html
Chadwick, D., Zhao, G., Otenko, S., Laborde, R., Su, L., Nguyen, T.A.: PERMIS: a modular authorization infrastructure. Concurrency and Computation: Practice and Experience 20(11), 1341–1357 (2008)
W3C: The Platform for Privacy Preferences 1.0 (P3P 1.0), Technical Report (2002)
Ashley, S.H.P., Karjoth, G., Powers, C., Schunter, M.: Enterprise Privacy Authorization Language (EPAL 1.2), presented at W3C Member Submission (2003)
Casellas, N., Mozos, M.R.D.L., Casanovas, P.: Ontology-Enhanced Legal Decision-Support Tools: The NEURONA Data Protection Compliance Application, http://www.lefis.org/app/eportfolio/artefact/file/download.php?file=584&view=61
Casellas, N., Nieto, J.-E., Merono, A., Roig, A., Torralba, S., Reyes, M., Casanovas, P.: Ontology Semantics for Data Privacy Compliance: The NEURONA Project, www.aaai.org/ocs/index.php/SSS/SSS10/paper/download/1071/1476
Breaux, T.D., Antón, A.I.: Analyzing Regulatory Rules for Privacy and Security Requirements. IEEE Transactions on Software Engineering, Special Issue on Software Engineering for Secure Systems (IEEE TSE) 34(1), 5–20 (2008)
Breaux, T.D., Antón, A.I.: A Systematic Method for Acquiring Regulatory Requirements: A Frame-Based Approach. In: Proc. 6th International Workshop on Requirements for High Assurance Systems (RHAS-6), Delhi, India (September 2007)
Breaux, T.D., Antón, A.I.: Analyzing Goal Semantics for Rights, Permissions and Obligations. In: Proc. IEEE 13th International Requirements Engineering Conference (RE 2005), Paris, France, pp. 177–186 (August 2005)
Kiyavitskaya, N., Zeni, N., Breaux, T.D., Antón, A.I., Cordy, J.R., Mich, L., Mylopoulos, J.: Automating the Extraction of Rights and Obligations for Regulatory Compliance. In: Li, Q., Spaccapietra, S., Yu, E., Olivé, A. (eds.) ER 2008. LNCS, vol. 5231, pp. 154–168. Springer, Heidelberg (2008)
ITU-T Rec X.812 (1995) | ISO/IEC 10181-3:1996. Security Frameworks for open systems: Access control framework
PERMIS, Standalone authorization Server, http://sec.cs.kent.ac.uk/permis/downloads/Level3/standalone.shtml
© 2012 IFIP International Federation for Information Processing
Fatema, K., Chadwick, D.W., Van Alsenoy, B. (2012). Extracting Access Control and Conflict Resolution Policies from European Data Protection Law. In: Camenisch, J., Crispo, B., Fischer-Hübner, S., Leenes, R., Russello, G. (eds) Privacy and Identity Management for Life. Privacy and Identity 2011. IFIP Advances in Information and Communication Technology, vol 375. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31668-5_5
DOI: https://doi.org/10.1007/978-3-642-31668-5_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31667-8
Online ISBN: 978-3-642-31668-5