in Proceedings of 19th ACM Symposium on Applied Computing (SAC), pp. 375-382, March 2004.
Enterprise privacy enforcement allows enterprises to internally enforce a privacy policy that the enterprise has decided to comply to, often reflecting different legal regulations, promises made to customers, as well as more restrictive internal practices of the enterprise. The notion of policy refinement is fundamental for privacy policies, as it allows to check whether a company’s policy fulfills regulations or adheres to standards set by customer organizations, to realize the “sticky policy paradigm” that addresses transferring data from one realm to another in a privacy-preserving way, and much more. Although well-established in theory, the problem of how to efficiently check whether one policy refines another has been left open in the privacy policy literature. We present a practical algorithm for this task, concentrating on those aspects that make refinement of privacy policies more difficult than, e.g., refinement for access control policies, like a more sophisticated treatment of deny-rules and a suitable way for dealing with obligations and conditions on context information.
This publication is accompanied by links to downloadable versions of this publication. These documents do not necessarily correspond exactly to the cited version. Instead, in most cases full or updated versions are provided. For access to the official version, follow the "Official version" link to the publishers site.