Dynamic generation of access control policies from social policies

Abstract

Access to and processing of personal data is regulated by norms that are written down in legal source documents, including laws, regulations and contracts. Compliance can be automated through the formalisation of these norms, reducing human effort and making the applied interpretations explicit. In addition, trust between parties may increase, thus promoting collaborations to gain more insights from sharing data. Although several policy specification languages have been proposed, there are not many that can be used to specify both social policies, such as privacy regulations and contracts, and system-level policies such as those used for access control. In this work, we present extensions to eFLINT, a domain-specific language developed to formalise norms from various sources. The extensions make it possible to interconnect social and system-level policies. We demonstrate the new features of eFLINT within the healthcare domain by formalising the regulatory document of the SIOPE DIPG/DMG Network, a consortium established to advance research into a rare form of pediatric brain cancer, and by showing how the resulting specifications are used to automate compliance checking of access and processing requests made by members of the consortium.