A Systematic Approach to Privacy Enforcement and Policy Compliance Checking in Enterprises

  • Marco Casassa Mont
  • Siani Pearson
  • Robert Thyne
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4083)


Privacy management is important for enterprises that handle personal data: they must deal with privacy laws and people's expectations. Currently much of this is done by means of manual processes, which makes compliance difficult and expensive. Key enterprise requirements include automation, simplification, cost reduction and leveraging of current identity management solutions. This paper describes a suite of privacy technologies, developed in an integrated way by HP Labs, that helps enterprises automate the management and enforcement of privacy policies (including privacy obligations) and the process of checking that such policies and legislation are indeed complied with. Working prototypes have been implemented to demonstrate the feasibility of our approach. In particular, as a proof of concept, the enforcement of privacy policies and obligations has been integrated with HP identity management solutions. Part of this technology is currently under productisation. Technical details are provided along with a description of our next steps.


Keywords: Access Control, Privacy Policy, Personal Data, Access Control Policy, Access Control Model





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Marco Casassa Mont (1)
  • Siani Pearson (1)
  • Robert Thyne (2)
  1. Hewlett-Packard Labs, Trusted Systems Lab, Bristol, UK
  2. Hewlett-Packard, Software Business Organisation, Toronto, Canada
