Provenance-based Auditing of Private Data Use

Across the world, organizations are required to comply with regulatory frameworks dictating how to manage personal information. Despite these, several cases of data leaks and exposition of private data to unauthorized recipients have been publicly and widely advertised. For authorities and system administrators to check compliance to regulations, auditing of private data processing becomes crucial in IT systems. Finding the origin of some data, determining how some data is being used, checking that the processing of some data is compatible with the purpose for which the data was captured are typical functionality that an auditing capability should support, but difficult to implement in a reusable manner. Such questions are so-called provenance questions, where provenance is defined as the process that led to some data being produced. The aim of this paper is to articulate how data provenance can be used as the underpinning approach of an auditing capability in IT systems. We present a case study based on requirements of the Data Protection Act and an application that audits the processing of private data, which we apply to an example manipulating private data in a university

How to implement EU data protection regulation for R&D in biometrics

Biometrics R&D has to deal with personal data. From the Universal Declaration of Human Rights, privacy of a human being shall be protected, and this is addressed in different ways in each region of the world. In the case of the European Union, Data Protection Directives, Laws and Regulations have been established, and interpreted in different ways by each European Member State. Such a diversity has pushed the European Union to generate an improved regulation that will be mandatory from May 2018. Biometric R&D shall not only comply with the current Directive, but also has to adapt its work to the new Regulation. This work is intended to describe the situation and provide a recommended procedure when having to acquire personal data. The recommended procedure is illustrated by the implementation of a Biometric Data Acquisition Platform, used to acquire fingerprints from nearly 600 citizens using different sensors