
Abstract

This paper focuses on the problem of dealing with privacy obligations in enterprises. Privacy obligations dictate expected behaviours, tasks and constraints that must be satisfied when handling personal and confidential data. This includes being compliant with data retention policies and satisfying constraints dictated by customers’ opt-in and opt-out choices.

It is important for enterprises to address this problem in order to preserve their reputation and brand and to comply with legislation and customers’ requirements. This paper describes the related issues and requirements that must be taken into account, including dealing with transactional, ongoing and long-term obligations.

Technical work has already been done on the management of obligations that are subordinate to authorization decisions and on simple data-retention obligations; however, dealing with the ongoing and long-term aspects of obligations is still a green field and open to research. We introduce and describe a trusted system, currently under research and development at HP Labs, that monitors, enforces and tracks privacy obligations: this system will support the strong association of privacy obligations with data, accountability management and users’ involvement.




Copyright information

© 2004 Friedr. Vieweg & Sohn Verlagsgesellschaft/GWV Fachverlage GmbH, Wiesbaden

About this chapter

Cite this chapter

Mont, M.C. (2004). Dealing with Privacy Obligations in Enterprises. In: ISSE 2004 — Securing Electronic Business Processes. Vieweg+Teubner Verlag. https://doi.org/10.1007/978-3-322-84984-7_20


  • DOI: https://doi.org/10.1007/978-3-322-84984-7_20

  • Publisher Name: Vieweg+Teubner Verlag

  • Print ISBN: 978-3-528-05910-1

  • Online ISBN: 978-3-322-84984-7

  • eBook Packages: Springer Book Archive
