A Data-centric View on Expressing Privacy Policies

Services often depend on data about users to work at all (e.g. providing quotes for health insurance) or to improve their quality (e.g. product recommendation systems). Storing and giving access to data owned by third parties is in many cases even the core task of services, e.g., for social networks or cloud storage providers. Privacy is an important concern, as users still want to control usage and distribution of their data. Enabled by Internet technologies, services are often provided by dynamically created and frequently changing groups of cooperating providers. This leads to a situation, where often no single entity has a complete view of the process operating on a user’s data. In consequence, it is difficult to check compliance of such a process with the user’s privacy policy. As an alternative model, we propose a data-centric view on privacy policies, that are attached to data artefacts and are self-contained descriptions of the allowed actions to be performed. Such policies can be passed together with the artefacts to subproviders. A key challenge of such policies is to express restrictions on the policies of derived artefacts, which
... mehr
can also be subject to privacy constraints.