Using organisational safeguards to make justifiable privacy decisions when processing personal data

Privacy-enhancing technologies can be used to enhance the privacy of individuals who interact with information processing systems. This paper considers such technologies that can be used by the organisation to safeguard personal information it processes. The paper focuses on how access control could be used to protect the individual against misuse of personal data inside the organisation. More specifically the paper considers how such a privacy-enhancing technology can make a just choice when deciding whether an access request to personal data should be allowed or not. Access control decisions in this paper are based on the regulations that govern the interaction, the organisational policies that apply and the individual’s privacy preferences. The proposed model forms part of the organisational safeguards layer of the Layered Privacy Architecture (LaPA) proposed earlier.