EnCoRe: Towards a holistic approach to privacy

by Nick Papanikolaou, Sadie Creese, Michael Goldsmith, Marco Casassa Mont, Siani Pearson
Abstract:
We make the case for an integrated approach to privacy management within organisations. Current approaches to privacy management are either too high-level, enforcing privacy of personal data using legal compliance, risk and impact assessments, or too low-level, focusing only on the technical implementation of access controls to personal data held by an enterprise. High-level approaches tend to address privacy as an afterthought in ordinary business practice, and involve ad hoc enforcement practices; low-level approaches often leave out important legal and business considerations. As part of the EnCoRe project we are developing a methodology which tries to bridge the gap between privacy risk and impact assessment with the technical management of privacy policies. We are working to define a conceptual model as a means of expressing policy requirements as well as users’ privacy preferences and as a way to bridge the gap described above. We aim to show the value of this approach in collaborative case studies (including corporate personnel management, biobanks and assisted living) in the context of the EnCoRe project.
Reference:
EnCoRe: Towards a holistic approach to privacy (Nick Papanikolaou, Sadie Creese, Michael Goldsmith, Marco Casassa Mont, Siani Pearson), Technical report, HP Laboratories, 2010.
Bibtex Entry:
@TECHREPORT{Papanikolaou2010,
  author = {Nick Papanikolaou and Sadie Creese and Michael Goldsmith and Marco
	{Casassa Mont} and Siani Pearson},
  title = {{EnCoRe}: Towards a holistic approach to privacy},
  institution = {HP Laboratories},
  year = {2010},
  type = {HP Labs Technical Report},
  number = {HPL-2010-83},
  __markedentry = {[Nick]},
  abstract = {We make the case for an integrated approach to privacy management
	within organisations. Current approaches to privacy management are
	either too high-level, enforcing privacy of personal data using legal
	compliance, risk and impact assessments, or too low-level, focusing
	only on the technical implementation of access controls to personal
	data held by an enterprise. High-level approaches tend to address
	privacy as an afterthought in ordinary business practice, and involve
	ad hoc enforcement practices; low-level approaches often leave out
	important legal and business considerations. As part of the EnCoRe
	project we are developing a methodology which tries to bridge the
	gap between privacy risk and impact assessment with the technical
	management of privacy policies. We are working to define a conceptual
	model as a means of expressing policy requirements as well as users'
	privacy preferences and as a way to bridge the gap described above.
	We aim to show the value of this approach in collaborative case studies
	(including corporate personnel management, biobanks and assisted
	living) in the context of the EnCoRe project.},
  keywords = {privacy policies, policy hierarchy, policy refinement},
  owner = {nikos},
  timestamp = {2011.10.30}
}