A Policy Framework for Subject-Driven Data Sharing

Organizations (e.g., hospitals, universities, etc.) are custodians of data on their clients and use this information to improve their services. The personal data of an individual therefore ends up hosted under the administration of several different data custodians. Individuals (data subjects) may want to share their data with others for various reasons. However, the existing data sharing mechanisms provided by data custodians do not give individuals enough flexibility to share their data, especially in a cross-domain (multi-custodian) environment. In this paper, we propose a data sharing policy language and a related framework that let a data subject capture their fine-grained data sharing requirements. The proposed language allows the data subject to define data sharing policies that consider context conditions, privacy obligations and re-sharing restrictions. Furthermore, we have implemented a prototype to demonstrate how data subjects can define their data sharing policies and how those policies can be used and enforced at runtime.
