24 research outputs found

    A model-driven privacy compliance decision support for medical data sharing in Europe

    Objectives: Clinical practitioners and medical researchers often have to share health data with other colleagues across Europe. Privacy compliance in this context is very important but challenging. Automated privacy guidelines are a practical way of increasing users' awareness of privacy obligations and help eliminate unintentional breaches of privacy. In this paper we present an ontology-plus-rules based approach to privacy decision support for the sharing of patient data across European platforms. Methods: We use ontologies to model the required domain and context information about data sharing and privacy requirements. In addition, we use a set of Semantic Web Rule Language rules to reason about legal privacy requirements that are applicable to a specific context of data disclosure. We make the complete set invocable through the use of a semantic web application acting as an interactive privacy guideline system, which can then invoke the full model in order to provide decision support. Results: When asked, the system will generate privacy reports applicable to a specific case of data disclosure described by the user. Reports showing guidelines per Member State may also be obtained. Conclusion: The advantage of this approach lies in the expressiveness and extensibility of the modelling and inference languages adopted and the ability they confer to reason with complex requirements interpreted from high level regulations. However, the system cannot at this stage fully simulate the role of an ethics committee or review board. © Schattauer 2011

    Protokollierung bei Identitätsmanagementsystemen


    A Systemic Approach to Automate Privacy Policy Enforcement in Enterprises

    Keywords: privacy, privacy policy enforcement, automation, data governance, identity management, privacy-aware information lifecycle management
    It is common practice for enterprises and other organisations to ask people to disclose their personal data in order to grant them access to services and engage in transactions. This practice is not going to disappear, at least in the foreseeable future. Most enterprises need personal information to run their businesses and provide the required services, many of whom have turned to identity management solutions to do this in an efficient and automated way. Privacy laws dictate how enterprises should handle personal data in a privacy compliant way: this requires dealing with privacy rights, permissions and obligations. It involves operational and compliance aspects. Currently much is done by means of manual processes, which make it difficult and expensive to comply. A key requirement for enterprises is being able to leverage their investments in identity management solutions. This paper focuses on how to automate the enforcement of privacy within enterprises in a systemic way, in particular privacy-aware access to personal data and enforcement of privacy obligations: this is still a green field. We introduce our work in these areas: core concepts are described along with our policy enforcement models and related technologies. Two prototypes have been built as a proof of concept and integrated with HP state-of-the-art identity management solutions to demonstrate the feasibility of our work. We provide technical details, discuss open issues and our next steps.

    Role of Policies in a

    Keywords: policies, distributed trust model, e-services
    © Copyright Hewlett-Packard Company 1999
    The last few years have seen an explosive growth of the e-services offered over the Internet. E-service provision is evolving from a centralized model to a distributed and dynamic one. Identity, rights, non-repudiation, access control and QoS are extremely important aspects in such a distributed e-service framework. This paper briefly describes our distributed trust model that underpins the e-service framework and the rol

    to Enforce Privacy Policies and Obligations

    Keywords: privacy, IT governance, privacy policy enforcement, privacy-aware access control, privacy obligations, regulatory compliance