Privacy obligations dictate expectations and duties that need to be carried out by enterprises when storing, processing and disclosing personal data. Privacy obligations can be defined by data subjects, by laws and/or enterprises' internal guidelines. They require enterprises to deal with data governance and data lifecycle management activities, including data retention and deletion aspects, notifications, data transformation and execution of complex workflows. The management and enforcement of privacy obligations is a challenging task: it involves legal, organizational, behavioral and technical aspects. It is still a green area open to research. Our goal is to introduce degrees of automation and a systemic approach to the problem in order to allow enterprises to reduce the involved costs and simplify their overall management process. This document (based on the author's MSc thesis on this topic) provides a detailed analysis of privacy obligations in an identity management context, within enterprises: it describes their core properties and highlights key requirements. A model to represent, manage, enforce and monitor privacy obligations is introduced. In this model, obligations are "first class" entities, not subordinated to access control criteria. We compare it against related work and highlight its advantages. We describe the architecture of an obligation management system, based on this model: we also provide technical and implementation details about a working prototype, that has been implemented by HP Labs (in the context of the EU PRIME project) to demonstrate the feasibility of our approach. Our obligation management system can be exploited right now by current, state-of-the-art, identity management solutions: in particular, we analyse how to achieve this in the context of user provisioning and account management. We describe how we have successfully integrated our obligation management system prototype with HP Select Identity (HP leading edge solution in the area of user provisioning and account management) by: enabling the definition of fine-grained privacy obligations on personal data when disclosing and provisioning this data; scheduling, enforcing and monitoring privacy obligations on personal data by leveraging HP Select Identity's web service APIs and its workflow capabilities. The final part of this document discusses the results we have achieved so far, it describes a few open issues that must be addressed and introduces our next research activities, to be done in the context of HP Labs and EU PRIME project. Notes: MSc thesis 104 Pages
PDF
download
878987797
028-85220240
