This document discusses the development of the Privacy Rules Definition Language (PRDL) to create rules addressing privacy concerns in the ENDORSE project. It aims to make privacy terms transparent to users and provide better data protection guarantees. Key challenges include identifying legal requirements and evaluating privacy rules in organizational systems. Example rules are presented along with choices around rule functionality and requirements gathering. The current meta rule model and progress on PRDL are also outlined.
2. Motivation for PRDL
• Provide a domain specific language to facilitate the creation of rules to address the main areas of concern in ENDORSE:
– Making privacy terms transparent to the user/customer and providing better guarantees on data protection.
– Providing a powerful tool to aid organizations holding personal data to comply with data protection & privacy law and regulations.
3. Challenges for PRDL
• “[identifying] … relevant legal requirements from policies, laws and guidance documents and aligning these requirements with software specifications to maintain a defensible position in a court of law” – Travis D. Breaux
• Identifying the best method of evaluating privacy & data protection rules in the context of ENDORSE and the organisational system(s) in which ENDORSE deployments will reside.
8/2/2011 3
4. Rule Examples
• Rule 1: Legal Dept may delete data. [Permission]
• Rule 2: Company must store data for 10 years after contract or claim closure date. [Obligation]
• Rule 3: Company may store data if consent for marketing exists. [Conditional permission]
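The three rule kinds above (permission, obligation, conditional permission) can be modelled with a small evaluator. The following is an added example written for this page; it is not code from the slides or from the ENDORSE project, and the names (Modality, Rule, RuleSet, retention_active), the deny-by-default decision, and the delete/store conflict check are assumptions made for illustration. The contexts at the bottom are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Any, Callable, Dict, List, Optional, Tuple

Context = Dict[str, Any]


class Modality(Enum):
    """Deontic modality of a rule, matching the slide's bracketed labels."""
    PERMISSION = "may"
    OBLIGATION = "must"
    PROHIBITION = "must not"


@dataclass(frozen=True)
class Rule:
    rule_id: str
    modality: Modality
    actor: str       # who the rule binds, e.g. "legal_dept" or "company"
    action: str      # what is done with the data, e.g. "delete" or "store"
    resource: str    # the data category the rule covers
    # Optional guard over the request context; None means unconditional.
    condition: Optional[Callable[[Context], bool]] = None
    text: str = ""   # the natural-language rule this encodes

    def applies(self, actor: str, action: str, resource: str, ctx: Context) -> bool:
        if (self.actor, self.action, self.resource) != (actor, action, resource):
            return False
        return self.condition is None or self.condition(ctx)


class RuleSet:
    """Deny-by-default evaluator (an assumed semantics): an action is allowed
    only if a permission or obligation covers it and no prohibition does."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)

    def is_permitted(self, actor: str, action: str, resource: str, ctx: Context) -> bool:
        hits = [r for r in self.rules if r.applies(actor, action, resource, ctx)]
        if any(r.modality is Modality.PROHIBITION for r in hits):
            return False
        return any(r.modality in (Modality.PERMISSION, Modality.OBLIGATION) for r in hits)

    def active_obligations(self, actor: str, ctx: Context) -> List[str]:
        """Ids of obligations binding this actor whose guard holds in ctx."""
        return [r.rule_id for r in self.rules
                if r.modality is Modality.OBLIGATION and r.actor == actor
                and (r.condition is None or r.condition(ctx))]

    def delete_conflicts(self, resource: str, ctx: Context) -> List[Tuple[str, str]]:
        """Pairs (delete permission, active store obligation) on one resource:
        exercising the permission would breach the obligation."""
        live = [r for r in self.rules
                if r.resource == resource and (r.condition is None or r.condition(ctx))]
        deletes = [r for r in live if r.modality is Modality.PERMISSION and r.action == "delete"]
        stores = [r for r in live if r.modality is Modality.OBLIGATION and r.action == "store"]
        return [(d.rule_id, s.rule_id) for d in deletes for s in stores]


def retention_active(ctx: Context) -> bool:
    """Guard for Rule 2: true while today is within 10 years of the closure date."""
    closure = ctx.get("closure_date")
    today = ctx.get("today")
    if closure is None or today is None:
        return False
    try:
        expiry = closure.replace(year=closure.year + 10)
    except ValueError:  # closure on 29 February: roll expiry to 28 February
        expiry = closure.replace(year=closure.year + 10, day=28)
    return today <= expiry


RULES = RuleSet([
    Rule("R1", Modality.PERMISSION, "legal_dept", "delete", "personal_data",
         text="Legal Dept may delete data"),
    Rule("R2", Modality.OBLIGATION, "company", "store", "personal_data",
         condition=retention_active,
         text="Company must store data for 10 years after contract or claim closure date"),
    Rule("R3", Modality.PERMISSION, "company", "store", "personal_data",
         condition=lambda ctx: bool(ctx.get("marketing_consent")),
         text="Company may store data if consent for marketing exists"),
])


if __name__ == "__main__":
    # Constructed sample contexts, not data from the project.
    within = {"today": date(2015, 1, 1), "closure_date": date(2010, 6, 30)}
    expired = {"today": date(2021, 1, 1), "closure_date": date(2010, 6, 30)}
    print(RULES.is_permitted("legal_dept", "delete", "personal_data", {}))
    print(RULES.is_permitted("company", "store", "personal_data", {"marketing_consent": False}))
    print(RULES.active_obligations("company", within))   # retention still running
    print(RULES.delete_conflicts("personal_data", within))   # R1 clashes with R2
    print(RULES.delete_conflicts("personal_data", expired))  # retention over, no clash
```

The conflict check is the interesting part for a rules engine: Rule 1 alone permits deletion, but while Rule 2's retention period is running the two rules pull in opposite directions, and the evaluator has to surface that rather than silently let the permission win.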
5. Rule choices
• What do the rules do? E.g. reasoning versus access control:
– Forward/backward chaining rules engine v XACML
• Expert system v policy translation.
• Gathering stakeholder requirements in terms of “types of rules” to see what we need to be able to deal with.
• Look at the kind of systems our rules will ‘respond to’ or ‘control’.