Extending XACML Access Control Architecture for Allowing Preference-Based Authorisation

European data protection regulation states that organisations must have data subjects’ consent to use their personally identifiable information (PII) for a variety of purposes. Solutions have been proposed which generally handle consent in a coarse-grained way, by means of opt in/out choices. However, we believe that consent’s representation should be extended to allow data subjects to express a rich set of conditions under which their PII can be used. In this paper we introduce and discuss an approach enabling the representation of consent as fine-grained preferences. To enforce such consent, we leverage and extend the current standard XACML architecture and framework. As data collectors maintain links between PII and associated preferences, preferences should also be considered as part of this PII. Therefore our solution prevents access control components from directly accessing any PII. External Posting Date: November 21, 2009 [Fulltext] Approved for External Publication Internal Posting Date: November 21, 2009 [Fulltext] Published in the proceedings of the 7th International Conference, TrustBus 2010, Bilbao, Spain, August 30-31, 2010.  Copyright 2009 Hewlett-Packard Development Company, L.P.