A privacy-aware access control system

The protection of privacy is an increasing concern in our networked society because of the growing amount of personal information that is being collected by a number of commercial and public services. Emerging scenarios of user-service interactions in the digital world are then pushing toward the development of powerful and flexible privacy-aware models and languages. This paper aims at introducing concepts and features that should be investigated to fulfill this demand. We identify different types of privacy-aware policies: access control, release and data handling policies. The access control policies govern access/release of data/services managed by the party (as in traditional access control), and release policies govern release of personal identifiable information (PII) of the party and specify under which conditions it can be disclosed. The data handling policies allow users to specify and communicate to other parties the policy that should be enforced to deal with their data. We also discuss how data handling policies can be integrated with traditional access control systems and present a privacy control module in charge of managing, integrating, and evaluating access control, release and data handling policies.