A Conceptual Model for Privacy Policies with Consent and Revocation Requirements

by Marco Casassa Mont, Siani Pearson, Sadie Creese, Michael Goldsmith, Nick Papanikolaou
Abstract:
This paper proposes a conceptual model for privacy policies that takes into account privacy requirements arising from different stakeholders, with legal, business and technical backgrounds. Current approaches to privacy management are either high-level, enforcing privacy of personal data using legal compliance, risk and impact assessments, or low-level, focusing on the technical implementation of access controls to personal data held by an enterprise. High-level approaches tend to address privacy as an afterthought in ordinary business practice, and involve ad hoc enforcement practices; low-level approaches often leave out important legal and business considerations focusing solely on technical management of privacy policies. Hence, neither is a panacea and the low level approaches are often not adopted in real environments. Our conceptual model provides a means to express privacy policy requirements as well as users’ privacy preferences. It enables structured reasoning regarding containment and implementation between various policies at the high level, and enables easy traceability into the low-level policy implementations. Thus it offers a means to reason about correctness that links low-level privacy management mechanisms to stakeholder requirements, thereby encouraging exploitation of the low-level methods. We also present the notion of a consent and revocation policy. A consent and revocation policy is different to a privacy policy in that it defines not enterprise practices with regards to personal data, but more specifically, for each item of personal data held by an enterprise, what consent preferences a user may express and to what degree, and in what ways he or she can revoke their personal data. This builds on earlier work on defining the different forms of revocation for personal data, and on formal models of consent and revocation processes. The work and approach discussed in this paper is currently carried out in the context of the UK collaborative project EnCoRe (Ensuring Consent and Revocation).
Reference:
A Conceptual Model for Privacy Policies with Consent and Revocation Requirements (Marco Casassa Mont, Siani Pearson, Sadie Creese, Michael Goldsmith, Nick Papanikolaou), In Proceedings of PrimeLife/IFIP Summer School 2010: Privacy and Identity Management for Life, Springer-Verlag, 2010.
Bibtex Entry:
@INPROCEEDINGS{CasassaMont2010a,
  author = {Marco {Casassa Mont} and Siani Pearson and Sadie Creese and Michael
	Goldsmith and Nick Papanikolaou},
  title = {A Conceptual Model for Privacy Policies with Consent and Revocation
	Requirements},
  booktitle = {Proceedings of PrimeLife/IFIP Summer School 2010: Privacy and Identity
	Management for Life},
  year = {2010},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer-Verlag},
  abstract = {This paper proposes a conceptual model for privacy policies that takes
	into account privacy requirements arising from different stakeholders,
	with legal, business and technical backgrounds. Current approaches
	to privacy management are either high-level, enforcing privacy of
	personal data using legal compliance, risk and impact assessments,
	or low-level, focusing on the technical implementation of access
	controls to personal data held by an enterprise. High-level approaches
	tend to address privacy as an afterthought in ordinary business practice,
	and involve ad hoc enforcement practices; low-level approaches often
	leave out important legal and business considerations focusing solely
	on technical management of privacy policies. Hence, neither is a
	panacea and the low level approaches are often not adopted in real
	environments. Our conceptual model provides a means to express privacy
	policy requirements as well as users' privacy preferences. It enables
	structured reasoning regarding containment and implementation between
	various policies at the high level, and enables easy traceability
	into the low-level policy implementations. Thus it offers a means
	to reason about correctness that links low-level privacy management
	mechanisms to stakeholder requirements, thereby encouraging exploitation
	of the low-level methods. We also present the notion of a consent
	and revocation policy. A consent and revocation policy is different
	to a privacy policy in that it defines not enterprise practices with
	regards to personal data, but more specifically, for each item of
	personal data held by an enterprise, what consent preferences a user
	may express and to what degree, and in what ways he or she
	
	can revoke their personal data. This builds on earlier work on defining
	the different forms of revocation for personal data, and on formal
	models of consent and revocation processes. The work and approach
	discussed in this paper is currently carried out in the context of
	the UK collaborative project EnCoRe (Ensuring Consent and Revocation).},
  keywords = {privacy policies, policy hierarchy, policy refinement, conceptual
	model},
  owner = {Nick},
  timestamp = {2012.02.23},
  url = {../files/PrimeLife-Conceptual.pdf}
}