Dealing with Privacy Obligations: Important Aspects and Technical Approaches

obligations, privacy, policies, enforcement, monitoring, stickiness, accountability, identity management The management and enforcement of privacy obligations is a challenging task: it involves legal, organizational, behavioral and technical aspects. In particular, the management of privacy obligations for identity and confidential data can require ongoing efforts, both in the short and very long term. It can be affected by events. Work has already been done for the management of obligations subordinated to authorization aspects (triggered by interactions and transactional events) and simple long-term obligations for data retention. Dealing with ongoing and long-term aspects of obligations is still a green field and open to research. This area is of particular relevance for enterprises, organizations and government agencies that deal with personal identity information. Privacy and data protection laws already dictate obligations involving ongoing and longterm constraints and duties. This paper explores and analyses the explicit management of privacy obligations for identity information by considering privacy obligations as first-class citizens. We focus on the technical aspects even if we recognize that the problem cannot be solved only by deploying technological solutions. Mechanisms are required to represent, manage, monitor and enforce obligation policies in complex and heterogeneous environments. Policy-driven scheduling mechanisms coupled with secure workflows and auditing techniques can be useful to address aspects of the problem. It is also important to be able to strongly couple these policies to confidential data, track their storage, distribution and deal with relevant events. Our research is work in progress: we illustrate some of our technical work and investigation in this space.