Towards Scalable Management of Privacy Obligations in Enterprises

  • Marco Casassa Mont
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4083)


Privacy management is important for enterprises that collect, store, access and disclose personal data. Among other things, the management of privacy includes dealing with privacy obligations that dictate duties and expectations an enterprise has to comply with, in terms of data retention, deletion, notice requirements, etc. This is still a green area open to research and innovation: it is about enabling privacy-aware information lifecycle management. This paper provides an overview of the work we have done in this space: definition of an obligation management model and a related framework; implementation of a prototype of an obligation management system integrated both in the context of the PRIME project and with an HP identity management solution. This paper then focuses on an important open issue: how to make our approach scalable, in case large amounts of personal data have to be managed. Thanks to our integration work and the feedback we received, we learnt more about how users and enterprises are likely to deal with privacy obligations. We describe these findings and how to leverage them. Specifically, in the final part of this paper we introduce and discuss the concepts of parametric obligation and “hybrid” obligation management and how this can improve the scalability and flexibility of our system. Our work is in progress. Further research and development is going to be done in the context of the PRIME project and an HP Labs project.


Keywords: Personal Data; Scalability Issue; Scalable Management; Privacy Preference; Prime Project
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Marco Casassa Mont (1)
  1. Hewlett-Packard Labs, Trusted Systems Lab, Bristol, UK
