EPAL and Management of Privacy Obligations

Presentation transcript:

EPAL and Management of Privacy Obligations
Marco Casassa Mont, marco.casassa-mont@hp.com
Trusted Systems Lab, Hewlett-Packard Labs, Bristol, UK
13-14 May 2004, Lubeck, Germany

Presentation Outline
- HP Position on EPAL
- Privacy Obligation Management and Technical Solution leveraging EPAL
- Additional Requirements for EPAL
- Conclusions
4/7/2019

HP Position on EPAL
- HP supports the standardisation process of EPAL. The current EPAL version is a starting point towards a standard.
- HP Labs are interested in investigating and researching the usage of EPAL in a variety of contexts, including:
  - Research prototypes
  - Commercial offerings

Using EPAL for Management of Privacy Obligations
- Importance of dealing with Privacy Obligations: the need to be compliant with laws, legislation, organisations' guidelines, customers' requests, ...
- EPAL provides a framework to deal with Privacy Policies.
- HP Labs/TSL is researching in the context of Privacy Obligation Management for Enterprises, exploring how to leverage EPAL.
- Research and work (partially) done in EU PRIME.

Privacy Obligations
- Dictated by laws, legislation, organisations' guidelines, customers' requests, ... (EU legislation, OECD, US laws such as HIPAA, COPPA, GLB, etc.)
- Define requirements and actions to be fulfilled by organisations and enterprises concerning Personal Data.
- Obligations can be very abstract: "Every financial institution has an affirmative and continuing obligation to respect customer privacy and protect the security and confidentiality of customer information" (Gramm-Leach-Bliley Act).

Privacy Obligations
More refined Privacy Obligations dictate responsibilities with respect to Personal Information:
- Notice requirements
- Enforcement of opt-out options
- Limits on reuse of information and information sharing
- ...

Privacy Obligations
Even more refined Privacy Obligations specify "technical" constraints on Personal Information:
- "Notify Data Owners every time their Personal Data is involved in a Transaction or Accessed by Personnel"
- "Access/Changes to Personal Data must be Audited"
- "Delete Personal Information after 7 Years"
- "Delete Personal Information of Customers who do not come back to this web site within 30 days"
- ...

Categories of Privacy Obligations
"Transactional":
- "Notify Data Owners when their Personal Data is involved in a Transaction or is accessed by Personnel"
- "Audit the Access/Changes to Personal Data"
- ...
"Non-Transactional" (ongoing obligations):
- "Delete Personal Information after 7 Years"
- "Delete Personal Information of Customers that do not come back to this web site within 30 days"

Privacy Obligations
We focus on the technical aspects of Obligations (even if we recognise it is not just a matter of technology...). To be technically enforceable, a Privacy Obligation requires the definition of:
- Timeframe and period of validity
- Events and situations that trigger the obligation
- Target of the obligation (PII data, etc.)
- Actions and tasks to be fulfilled for its enforcement
- Entities that are accountable for its enforcement
- Accountability criteria (logging, reporting, notification, etc.)
- Exceptions and special cases
- ...

Privacy Obligation Management (diagram). Labelled elements: Interactions/Transactions Involving Personal Data; Authorization Process; "Transactional" Privacy Obligations; Ongoing and Long-term Privacy Obligations; Obligation Management and Enforcement.

EPAL and Privacy Obligation Management (diagram). Labelled elements: User, Application, Service, ...; EPAL-driven Authorization and Enforcement; Obligation Management and Enforcement; Personal and Private Information; Privacy Management Framework.

EPAL and Privacy Obligation Management (diagram slide)

Example of EPAL Rule
Privacy Policy (informal): Allow a sales agent or a sales supervisor to collect a customer's data for order entry if the customer is older than 13 years of age and the customer has been notified of the privacy policy. Delete the data 3 years from now.
EPAL Privacy Rule:
- ruling: allow
- user category: sales department
- action: store
- data category: customer-record
- purpose: order-processing
- condition: the customer is older than 13 years of age
- obligation: delete the data 3 years from now
Source: http://www.w3.org/Submission/2003/SUBM-EPAL-20031110/
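As an added illustration (not code from the slides, nor from any EPAL implementation), the rule above modelled as a minimal EPAL-style evaluator: a query names user category, action, data category and purpose plus context, rules are tried in list order (positional precedence), and the answer is a ruling together with the obligations carried by the matching rule. Rule names, the opt-out rule and the default ruling are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class Rule:
    """One EPAL-style rule: ruling plus the query elements it matches."""
    ruling: str                 # "allow" or "deny"
    user_category: str
    action: str
    data_category: str
    purpose: str
    condition: Callable[[dict], bool] = lambda ctx: True
    obligations: tuple = ()     # "transactional" obligations returned with the decision


# Constructed policy. Rule 1 is an assumed opt-out rule placed first so that it
# takes precedence; rule 2 is the slide's example (the condition also includes
# the informal policy's "customer has been notified" clause).
POLICY = [
    Rule("deny", "sales department", "store", "customer-record", "order-processing",
         condition=lambda ctx: ctx.get("opted_out", False)),
    Rule("allow", "sales department", "store", "customer-record", "order-processing",
         condition=lambda ctx: ctx.get("customer_age", 0) > 13 and ctx.get("notified", False),
         obligations=("delete the data 3 years from now",)),
]
DEFAULT_RULING = "deny"         # assumed default when no rule applies


def authorize(policy, user_category, action, data_category, purpose, context):
    """Abstract authorization interface: returns (ruling, obligations).

    The first rule whose query elements match and whose condition holds
    decides; a rule with a false condition simply does not apply.
    """
    query = (user_category, action, data_category, purpose)
    for rule in policy:
        if (rule.user_category, rule.action, rule.data_category, rule.purpose) != query:
            continue
        if not rule.condition(context):
            continue
        return rule.ruling, list(rule.obligations)
    return DEFAULT_RULING, []
```

The obligation returned here is the "transactional" kind discussed on the following slides: it exists only as the output of an authorization decision, which is exactly why a standalone deletion deadline fits awkwardly into this interface.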

EPAL and Privacy Obligation Management
EPAL supports Privacy Obligations: "EPAL defines an Abstract Authorization Interface that outputs a Decision and Obligations ..."
There is a clear fit for "Transactional" Obligations, but is it correct to also describe "Non-Transactional" Privacy Obligations within an EPAL rule?
- These Obligations can actually specify "First Class" Policies: why "embed" them in the context of Authorization Rules?
- These Obligations might need to be enabled and enforced independently of any Transaction or Interaction (e.g. unconditionally delete Personal Data XYZ after 7 years ...).

EPAL and HPL Privacy Obligation Management: Current Status (diagram). Labelled elements: Interactions and Transactions Involving Personal Data; EPAL; "Transactional" Privacy Obligations; Ongoing and Long-term Privacy Obligations; Obligation Management Service.

HPL Privacy Obligation Management: High-Level Architecture (diagram). Labelled components: Obligation Server; Obligation Store & Versioning; Events Handler; Enforcer; Obligation Monitoring Service; Audit Logs; Confidential Data. Labelled flows: Data Ref., obligation, result, feedback.

HPL Privacy Obligation Management (detailed architecture diagram). Labelled components, in reading order: Applications and Services; Portal (Users, Admins); Privacy Portal GUI: Authoring & Display; Obligation Monitoring Service (Admins, Monitoring Task Handler, Obligation Handler, Retrieve/Store, Tracking Active Obligations, Workflows); Events Handler; Obligation Enforcer; Association Manager; Obligation Scheduler & Manager; Action Adaptors; Obligation Server; ENTERPRISE: Audit Server, Data Ref., Obligation Information Tracker, Audit Logs, Obligation Store & Versioning, Confidential Data.

Open Issues [1/2]
- Dealing with different types of Privacy Obligations:
  - using the same language
  - independence from the nature of the obligation (transactional, non-transactional, ...)
- Strong stickiness of "Obligation Policies" to Personal Data might be required (for data transmission, etc.)
- Provide degrees of assurance on obligation enforcement and overall accountability
- Dealing with trust aspects

Open Issues [2/2]
- Dealing with explicit management of conflicting obligations at enforcement time:
  - criteria can change based on context, location, ...
  - different priorities (on the same rule-set) dictated by local legislation, guidelines, local arrangements, ...
  - different rule-sets in a policy might be "active" in different contexts ...
Note: at the moment EPAL addresses conflicts between rules via:
- precedence, i.e. priority in the rule list
- "delegation" to additional management tools
Using rule preconditions can add complexity to rules.

EPAL: Additional Requirements
Extend EPAL to represent different types of Privacy Policies: EPAL -> EPL.
Goal: allow the explicit definition of Privacy Policies beyond Authorization:
- "Non-transactional" and "Ongoing" Privacy Obligations
- Trust
- Compliance Policies for Privacy
- ...

EPAL: Additional Requirements
Introduce "Meta-Rules" within the EPAL language to declare:
- how to deal with conflicting rules within a policy
- how to select "relevant" rules
Goal: explicit management of rule/policy selection:
- go beyond the current approach based on positional "precedence"
- ensure portability across different Privacy Frameworks
- define evaluation mechanisms adaptive to context and localisation (EU, US, ...)
- ...

EPAL: Additional Long-term Requirements
Extending the expressiveness of Policy Rules to deal with:
- Trust constraints on systems (requestor, policy evaluator, etc.) and entities, based on contextual information
- Selective disclosure of data, for example based on the current level of trust, i.e. privacy driven by trust
- Accountability, for example declaring actions that require authenticated audit and interactions with Trusted Third Parties

Conclusions
- HP supports the standardisation process of EPAL.
- HP Labs are interested in investigating and researching the usage of EPAL, including leveraging EPAL for Privacy Obligation Management.
- EPAL could be extended to:
  - describe policies/rules that are not based on authorisation
  - add "Meta-Rules" to increase policy portability, explicitly address conflicts and define additional requirements
- In the longer term EPAL could deal with trust constraints, selective disclosure and accountability.

BACKUP Slides

Example of Technical Representation of Privacy Obligation

  <Obligations>
    <ObligationId>oblId1</ObligationId>
    <Description>Delete Confidential Data for Pseudonym: uid1</Description>
    <ObligationTriggerDescriptor>
      <Type>Event</Type>
      <SubType>TimeBasedEvent</SubType>
      <Parameters>
        <TriggerTime>
          <Year>2007</Year>
          <Month>4</Month>
          <Day>28</Day>
          <Hour>13</Hour>
          <Minute>30</Minute>
        </TriggerTime>
      </Parameters>
    </ObligationTriggerDescriptor>
    <Target>
      <DataOwner>uid1</DataOwner>
      <DataType>Database</DataType>
      <DataLocator>SELECT * FROM Customers WHERE CustomerId='uid1'</DataLocator>
    </Target>
    <Actions>
      <Action>Delete</Action>
    </Actions>
  </Obligations>
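As an added example (not code from the slides or from HP's Obligation Management Service), the monitoring step that an obligation server would perform on the representation above: parse the obligation, read its time-based trigger, and report the actions that are due at a given moment. Element names follow the slide; the embedded sample document, the function names and the "unsupported trigger" handling are constructed for this example.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

# Constructed sample: the slide's obligation, in the element layout shown above.
SAMPLE = """<Obligations>
  <ObligationId>oblId1</ObligationId>
  <Description>Delete Confidential Data for Pseudonym: uid1</Description>
  <ObligationTriggerDescriptor>
    <Type>Event</Type><SubType>TimeBasedEvent</SubType>
    <Parameters><TriggerTime>
      <Year>2007</Year><Month>4</Month><Day>28</Day><Hour>13</Hour><Minute>30</Minute>
    </TriggerTime></Parameters>
  </ObligationTriggerDescriptor>
  <Target>
    <DataOwner>uid1</DataOwner>
    <DataType>Database</DataType>
    <DataLocator>SELECT * FROM Customers WHERE CustomerId='uid1'</DataLocator>
  </Target>
  <Actions><Action>Delete</Action></Actions>
</Obligations>"""


def parse_obligation(xml_text):
    """Turn the XML representation into a dict an obligation scheduler can use."""
    root = ET.fromstring(xml_text)
    trig = root.find("ObligationTriggerDescriptor")
    tt = trig.find("Parameters/TriggerTime")
    fields = ("Year", "Month", "Day", "Hour", "Minute")
    return {
        "id": root.findtext("ObligationId"),
        "description": root.findtext("Description"),
        "trigger": (trig.findtext("Type"), trig.findtext("SubType")),
        "trigger_time": datetime(*(int(tt.findtext(f)) for f in fields)),
        # Data Ref. only: the locator is handed to an action adaptor, never run here.
        "target": {k: root.findtext("Target/" + k) for k in ("DataOwner", "DataType", "DataLocator")},
        "actions": [a.text for a in root.findall("Actions/Action")],
    }


def due_actions(obligation, now):
    """Return (obligation id, action, target) triples whose trigger has fired at `now`.

    Only Event/TimeBasedEvent triggers are understood; anything else is
    rejected explicitly so an unknown trigger is never silently ignored.
    """
    if obligation["trigger"] != ("Event", "TimeBasedEvent"):
        raise ValueError("unsupported trigger %r" % (obligation["trigger"],))
    if now < obligation["trigger_time"]:
        return []
    return [(obligation["id"], act, obligation["target"]) for act in obligation["actions"]]
```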
