IBM®
Skip to main content
    Privacy Research Institute      Terms of use
 
 
 
     Home      Products      Services & solutions      Support & downloads      My account     
IBM Research

SPARCLE (Server Privacy ARrchitecture and CapabiLity Enablement)

 


Project overview
Privacy Policy Workbench: SPARCLE

The rapid advancement of the use of information technology in industry, government, and academia makes it much easier to collect, transfer, and store personal identifiable information (PII) around the world. A number of studies show that customers expect organization with which they have relationship to use their PII in the manner they intended and protect it as they would as their own assets. However, many organizations store PII in heterogeneous server system environments and currently do not have a unified way of defining or implementing privacy policies. This makes managing data privacy difficult for organizations working to put in place proper management and control of PI, the data users who access and work with the PI, and the data subjects who have rights regarding use of their PII.

SPARCLE is an ongoing research project conducted by Clare-Marie Karat (ckarat@us.ibm.com), John Karat (jkarat@us.ibm.com) and Carolyn Brodie (brodiec@us.ibm.com) at the IBM T. J. Watson Research Center in Hawthorne, NY. SPARCLE enables privacy professionals in an any given industry to author policies, to translate these policies into system readable commands, implement these with an enforcement engine and finally run reports to monitor the effectiveness of the policy implementation and accesses of individual data subject personal information.

The policy creation capabilities in SPARCLE allow organizational users to create
» rules that define the types of data user,
» the data they can access,
» the actions they can take,
» the purpose for using the PII,
» the conditions they need to abide by while processing PII, and
» the obligations they must fulfill if they do use the data.

SPARCLE was designed to support users with a variety of skills by allowing individuals responsible for the creation of privacy policies to define the policies using natural language or to use a structured format to define the elements and rule relationships that will be directly used in the machine readable policy.

SPARCLE keeps the two formats synchronized. For users who prefer authoring with natural language, SPARCLE transforms the policy into a structured form so that the author can review it and then transforms it into a machine readable format. SPARCLE translates the policies of organizational users who prefer to author rules using a structured format into both a natural language format and the machine readable version. During the entire privacy policy authoring phase, users can switch between the natural language and structured views of the policy for viewing and editing purposes. Once the machine readable policy is created, it is possible to employ any enforcement engine that is capable of using the elements of the standardized privacy policy language to ensure the policy is enforced for data stored in the organization's on-line data stores.

The policy implementation Using SPARCLE, the team is exploring methods for implementing their privacy policies within their organization by providing methods for mapping policy elements to access control lists, databases, and applications within their configurations.

Finally, the compliance checking functionality in SPARCLE allows organizations to run reports to understand what data accesses are being allowed and denied by the policy and to see all accesses to particular customers, patients, or constituents data.

What are SPARCLE project's business value: According to May 2002 survey, 42% of the sample of 170 Web sites did not provide any kind of privacy statement even though all sites surveyed collected at least some personally identifiable information. Having privacy statements displayed on enterprises' Web site is a good practice; however, execution of the privacy policies and the PII management at the application and business process level are challenges that enterprises face today. SPARCLE provide a privacy policy management ability both at the online and legacy applications levels across different server platforms.

Business value
SPARCLE provides the ability to
» Author privacy policies with ease,
» Execute enterprise privacy policies systematically,
» Audit compliance of the privacy policies.
     
back to top    
    About IBM Privacy Contact