ENDORSE: Preliminary work on the Privacy Rules Definition Language
Presented by Mark McLaughlin
Motivation for PRDL
• Provide a domain specific language to facilitate the creation of rules to address the main areas of concern in ENDORSE:
– Making privacy terms transparent to the user/customer and providing better guarantees on data protection.
– Providing a powerful tool to aid organizations holding personal data to comply with data protection & privacy law and regulations.
Challenges for PRDL
• “[identifying] .. relevant legal requirements from policies, laws and guidance documents and aligning these requirements with software specifications to maintain a defensible position in a court of law” - Travis D. Breaux
• Identifying the best method of evaluating privacy & data protection rules in the context of ENDORSE and the organisational system(s) in which ENDORSE deployments will reside.
8/2/2011 3
Rule Examples
• Rule 1: Legal Dept may delete data [Permission]
• Rule 2: Company must store data for 10 years after contract or claim closure date. [Obligation]
• Rule 3: Company may store data if consent for marketing exists. [Conditional permission]
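An added example, not part of the original slides and not PRDL syntax: the three rules above written as a small Python access-control check, to show how a permission, an obligation and a conditional permission interact on one record. All names, the precedence of the obligation over the permission, the treatment of still-open contracts and the default-deny result are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

RETENTION_YEARS = 10  # Rule 2: store for 10 years after closure


@dataclass
class Record:
    closure_date: Optional[date]  # contract or claim closure; None = still open
    marketing_consent: bool


def retention_end(rec: Record) -> Optional[date]:
    """Rule 2 (obligation): first day on which the duty to store has lapsed."""
    if rec.closure_date is None:
        return None  # assumption: an open contract keeps the obligation alive
    d = rec.closure_date
    try:
        return d.replace(year=d.year + RETENTION_YEARS)
    except ValueError:  # closure on 29 Feb, target year is not a leap year
        return d.replace(year=d.year + RETENTION_YEARS, day=28)


def decide(actor: str, action: str, rec: Record, today: date) -> Tuple[str, str]:
    """Return (decision, deciding rule) for a request against one record."""
    end = retention_end(rec)
    obliged = end is None or today < end
    if action == "delete":
        if obliged:
            # Assumption: the obligation (Rule 2) overrides the permission (Rule 1).
            return ("deny", "Rule 2")
        if actor == "Legal Dept":
            return ("permit", "Rule 1")  # permission
    elif action == "store":
        if obliged:
            return ("permit", "Rule 2")  # storing is required, so it is allowed
        if rec.marketing_consent:
            return ("permit", "Rule 3")  # conditional permission
    return ("deny", "default")  # assumption: no applicable rule means deny


if __name__ == "__main__":
    rec = Record(closure_date=date(2000, 1, 15), marketing_consent=False)  # constructed
    for when in (date(2005, 1, 1), date(2011, 1, 1)):
        print(when, decide("Legal Dept", "delete", rec, when),
              decide("Company", "store", rec, when))
```
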
Rules choices
• What do the rules do? E.g. reasoning versus access control:
– Forward/backward chaining rules engine v XACML
• Expert system v policy translation.
• Gathering stakeholder requirements in terms of “types of rules” to see what we need to be able to deal with.
• Look at the kind of systems our rules will ‘respond to’ or ‘control’.
Current Meta Rule Model
PRDL Progress
Thank you.
Questions & Discussion.