Compliance with data protection laws using Hippocratic Database active enforcement and auditing

C. M. Johnson T. W. A. Grandison Governments worldwide are enacting data protection laws that restrict the disclosure and processing of personal information. These laws impose administrative and financial burdens on companies that manage personal information and may hinder the legitimate and valuable sharing and analysis of this information. In this paper we describe an integrated set of technologies, known as the Hippocratic Database (HDB), which enables compliance with security and privacy regulations without impeding the legitimate flow of information. HDB’s Control Center allows companies to specify finegrained disclosure policies based on the role of the user, the purpose of the access, the intended recipient, and other disclosure conditions. Its Active Enforcement component transparently enforces these policies by transforming user queries in a middleware layer to ensure that the database returns only policy-compliant information. HDB’s Compliance Auditing system efficiently tracks all database accesses and allows auditors to formulate precise audit queries to monitor compliance with privacy and security policies. In this paper, we outline the basic architecture of the HDB solution, discuss the advantages of our approach, and illustrate the features of each component with practical compliance scenarios from the financial services industry.