Extracting Access Control and Conflict Resolution Policies from European Data Protection Law
نویسندگان
چکیده
This paper presents the extraction of a legal access control policy and a conflict resolution policy from the EU Data Protection Directive [1]. These policies are installed in a multi-policy authorization infrastructure described in [2, 3]. A Legal Policy Decision Point (PDP) is constructed with a legal access control policy to provide automated decisions based on the relevant legal provisions. The legal conflict resolution policy is configured into a Master PDP to make sure that the legal access control policy gets priority over access control policies provided by other authorities i.e. the data subject, the data issuer and the data controller. We describe how clauses of the Directive are converted into access control rules based on attributes of the subject, action, resource and environment. There are currently some limitations in the conversion process, since the majority of provisions requires additional interpretation by humans. These provisions cannot be converted into deterministic rules for the PDP. Other provisions do allow for the extraction of PDP rules but need to be tailored to the application environment before they are configured into the Legal PDP.
منابع مشابه
Sunshine Policies and Murky Shadows in Europe: Disclosure of Pharmaceutical Industry Payments to Health Professionals in Nine European Countries
Relationships between health professionals and pharmaceutical manufacturers can unduly influence clinical practice. These relationships are the focus of global transparency efforts, including in Europe. We conducted a descriptive content analysis of the transparency provisions implemented by February 2017 in nine European Union (EU) countries concerning payments to health professionals, with du...
متن کاملA Logical Language for Expressing Authorizations
A major drawback of existing access control systems is that they have all been developed with a specific access control policy in mind. This means that all protection requirements (i.e., accesses to be allowed or denied) must be specified in terms of the policy enforced by the system. While this may be trivial for some requirements, specification of other requirements may become quite complex o...
متن کاملManagerial Approaches to Support Intellectual Property Rights in Museums
Some of the cultural works which are considered as cultural heritage, regardless of their antiquity and precedence, are simultaneously subject of the legal systems of intellectual property rights and cultural heritage law. This situation can lead to a conflict of interest between private ownership and public law which, in turn, may create many problems for the management of cultural heritage wh...
متن کاملControlling Access to Published Data Using Cryptography
We propose a framework for enforcing access control policies on published XML documents using cryptography. In this framework the owner publishes a single data instance, which is partially encrypted, and which enforces all access control policies. Our contributions include a declarative language for access policies, and the resolution of these policies into a logical “protection model” which pr...
متن کاملManagerial Approaches to Support Intellectual Property Rights in Museums
Some of the cultural works which are considered as cultural heritage, regardless of their antiquity and precedence, are simultaneously subject of the legal systems of intellectual property rights and cultural heritage law. This situation can lead to a conflict of interest between private ownership and public law which, in turn, may create many problems for the management of cultural heritage wh...
متن کامل