EPAL is the first language that allows organizations to express privacy policies
of rule-based complexity directly in a standards-based markup language
The Enterprise Privacy Authorization Language is the first XML-based markup
language designed to enable organizations to translate their privacy policies
into IT control statements and enforce policies that may be declared and communicated
in P3P. It is also the first markup language that empowers organizations to
build policies that authorize access to data based on purpose specification.
EPAL is an enhancement to P3P that extends enterprise control over privacy
policies from the systems that collect personal information to the applications
that use that information, allowing enterprises to create rule-based data handling
practices that can be declared centrally and enforced simultaneously across
disparate systems.
This "write policy once, deploy it everywhere" strategy enables the
enterprise to ensure that its data handling practices match its external privacy
obligations.
EPAL was submitted to W3C in November 2003.
The Enterprise Privacy Authorization Language is the first enterprise privacy
language that provides fine-grained and portable control over IT systems' use
of personal information according to privacy policies.
» EPAL supports business-to-business and business-to-consumer scenarios,
» The policy itself provides a flexible vocabulary,
» A rich, Boolean-based condition language, not limited to opt-in/opt-out conditions,
» Two-way internal enforcement.
Traditional access control policies define access control rules using a set of
three factors: the identity of the data user, the resource being accessed, and
the action being performed on the resource.
Privacy policies and privacy regulations extend the traditional access control
rules with the following dimensions:
» Purpose
» Data categories
» User groups
» Actions
» Obligations
» Data object context
Members of a group of doctors can read protected health information for
medical treatment if the doctor is the patient's primary care physician
and the transaction is logged for seven years.
In this example:
» the doctors are members of a user group,
» the data category is protected health information,
» the action is read,
» the purpose is medical treatment,
» the condition that the doctor is the patient's primary care physician is the data subject context, and
» the obligation is the transaction logging.
EPAL is the first language that allows organizations to express this kind of
rule-based complexity directly in a standards-based markup language.
Purpose-based authorization goes beyond traditional role-based access control
(RBAC). RBAC evaluates authorization decisions based on who is accessing the
data. Traditional RBAC requires multiple roles per individual data user, and
multiple access control lists per data object for each role. It is a precise
mapping exercise designed to anticipate all potential uses of data without actually
evaluating business purpose.
EPAL provides linguistic structures to identify business purpose and evaluate
authorization decisions based directly on the purpose specification. This greatly
simplifies data authorization decisions by making it possible for any number
of roles to make valid requests for data based on permitted purposes in the
policy. This is a fundamental shift in traditional data security and enables
fine-grained access control to data with fairly simple rules and structures.
EPAL is designed to make it easy to translate human-readable privacy policies
into a machine-interpretable description of data handling practices that can be
enforced as part of a data access authorization decision.
EPAL has been designed to:
» Create a precise, fine-grained description of a policy,
» Enable complex, purpose-based conditions on policy rules,
» Create portable, reusable policies,
» Allow for sector- and regulation-specific policy vocabularies,
» Enable positive and negative data handling conditions.
EPAL separates privacy policies into two components. The first component is the
policy vocabulary. The vocabulary represents the concepts and classifications
found in the natural language policy or law that needs to be implemented.
An EPAL vocabulary definition consists of the following:
» Categories of users making an access request,
» Categories of data (protected health information, order history, political party affiliation),
» Actions being performed on the data (creation, read, update, delete, etc.),
» Business purpose associated with the access request (medical research, order fulfillment, serving a warrant),
» Data subject context and conditions (opted in to marketing newsletter, primary care physician, is a legal adult, etc.),
» Obligations incurred on access (data subject must be notified within 30 days, data must be deleted after 7 years).
The second component of an EPAL policy is the rule component, which
expresses the terms and conditions of the policy using the concepts found in the
vocabulary.
When a policy author is implementing a specific law or policy, he or she extracts
the vocabulary concepts from the human-readable text and defines them in an EPAL policy
vocabulary.
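As an added illustration (not code from the EPAL specification or from any EPAL implementation), the following Python models the two components just described, a vocabulary whose terms the rules must use and an ordered rule set that yields a ruling plus obligations, and encodes the doctor / protected health information example given earlier, including a negative (deny) rule. The class and field names, the first-matching-rule ordering and the default-deny ruling are assumptions of this example, not EPAL's own syntax.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple

@dataclass
class Vocabulary:
    user_categories: Set[str]   # one set of declared terms per policy dimension
    data_categories: Set[str]
    actions: Set[str]
    purposes: Set[str]

@dataclass
class Rule:
    """Ruling over (user, data, action, purpose) plus a context condition and obligations."""
    ruling: str                 # "allow" or "deny"
    user: str
    data: str
    action: str
    purpose: str
    condition: Callable[[dict], bool] = lambda ctx: True   # test on data-subject context
    obligations: List[str] = field(default_factory=list)  # incurred when access is granted

@dataclass
class Policy:
    vocab: Vocabulary
    rules: List[Rule]           # ordered: the first matching rule decides (assumed here)

    def __post_init__(self) -> None:
        # Rules may only use terms the vocabulary declares; reject others when the policy is built.
        v = self.vocab
        for r in self.rules:
            for term, declared in ((r.user, v.user_categories), (r.data, v.data_categories),
                                   (r.action, v.actions), (r.purpose, v.purposes)):
                if term not in declared:
                    raise ValueError(f"undeclared vocabulary term: {term!r}")

    def evaluate(self, user: str, data: str, action: str, purpose: str, ctx: dict) -> Tuple[str, List[str]]:
        """Return (ruling, obligations); a request that no rule covers is denied."""
        for r in self.rules:
            if (r.user, r.data, r.action, r.purpose) == (user, data, action, purpose) and r.condition(ctx):
                return r.ruling, list(r.obligations)
        return "deny", []

HEALTH_VOCAB = Vocabulary(user_categories={"doctor"}, data_categories={"protected-health-information"},
                          actions={"read"}, purposes={"medical-treatment", "marketing"})
HEALTH_POLICY = Policy(HEALTH_VOCAB, [  # vocabulary and rules constructed for the doctor / PHI example
    Rule("deny", "doctor", "protected-health-information", "read", "marketing"),
    Rule("allow", "doctor", "protected-health-information", "read", "medical-treatment",
         condition=lambda ctx: bool(ctx.get("is_primary_care_physician")),
         obligations=["log transaction for 7 years"]),
])
```

Note that the obligation is returned with the decision rather than enforced by the evaluator; the calling system is responsible for carrying it out.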