Privacy promises, access control, and privacy management. Enforcing privacy throughout an enterprise by extending access control

Abstract

Regulations and consumer backlash force many organizations to re-evaluate the way they manage private data. As a first step, they publish privacy promises as text or P3P. These promises are not backed up by privacy technology that enforces the promises throughout the enterprise. Privacy tools cover fractions of the problem while leaving the main challenge unanswered. This article describes a new approach towards enterprisewide enforcement of the privacy promises. Its core is a new framework for managing collected personal data in a sensitive, trustworthy way. The framework enables enterprises to publish clear privacy promises, to collect and manage user preferences and consent, and to enforce the privacy promises throughout the enterprise. This article shows how this new approach extends the traditional view of access control to provide a more complete coverage of privacy management issues.