Towards an Integrated Approach to the Management, Specification and Enforcement of Privacy Policies

by Marco Casassa Mont, Siani Pearson, Sadie Creese, Michael Goldsmith, Nick Papanikolaou
Abstract:
We make the case for an integrated approach to privacy management within organisations. Current approaches to privacy management are either too high-level, enforcing privacy of personal data using legal compliance, risk and impact assessments, or too low-level, focusing only on the technical implementation of access controls to personal data held by an enterprise. High-level approaches tend to address privacy as an afterthought in ordinary business practice, and involve ad hoc enforcement practices; low-level approaches often leave out important legal and business considerations. As part of the EnCoRe project we are developing a methodology which tries to bridge the gap between privacy risk and impact assessment with the technical management of privacy policies. We offer our thoughts on how a conceptual model might be devised as a means of expressing policy requirements as well as users’ privacy preferences and offer a way to bridge the gap described above.
Reference:
Towards an Integrated Approach to the Management, Specification and Enforcement of Privacy Policies (Marco Casassa Mont, Siani Pearson, Sadie Creese, Michael Goldsmith, Nick Papanikolaou), In Proceedings of W3C Workshop on Access Control Application Scenarios, 2009.
Bibtex Entry:
@INPROCEEDINGS{CasassaMont2009,
  author = {Marco {Casassa Mont} and Siani Pearson and Sadie Creese and Michael
	Goldsmith and Nick Papanikolaou},
  title = {Towards an Integrated Approach to the Management, Specification and
	Enforcement of Privacy Policies},
  booktitle = {Proceedings of W3C Workshop on Access Control Application Scenarios},
  year = {2009},
  address = {Abbaye de Neum"unster, Luxembourg},
  month = nov,
  abstract = {We make the case for an integrated approach to privacy management
	within organisations. Current approaches to privacy management are
	either too high-level, enforcing privacy of personal data using legal
	compliance, risk and impact assessments, or too low-level, focusing
	only on the technical implementation of access controls to personal
	data held by an enterprise. High-level approaches tend to address
	privacy as an afterthought in ordinary business practice, and involve
	ad hoc enforcement practices; low-level approaches often leave out
	important legal and business considerations. As part of the EnCoRe
	project we are developing a methodology which tries to bridge the
	gap between privacy risk and impact assessment with the technical
	management of privacy policies. We offer our thoughts on how a conceptual
	model might be devised as a means of expressing policy requirements
	as well as users' privacy preferences and offer a way to bridge the
	gap described above.},
  owner = {Nick},
  timestamp = {2010.06.20},
  url = {../files/W3c-final.pdf}
}