Abstract

Problem statement: Data protection legislation requires handling of Personal Identifiable Information (PII) in special ways to guarantee privacy. Specifically, the notion of handling purpose plays an important role in current access control mechanisms that allow only actions corresponding to intended purposes. A problem that arises in this context is how to ensure that PII is used solely for the intended purpose. Approach: This study shows that problems in the context of purpose access control can be avoided by using flow-based specifications that map users to a sequence of stages of flows of PII. The methodology is used as a tracking apparatus as it specifies the types of operations a user can perform on such information. The flow system of PII is constructed from six generic operations. Results: The resultant maps of flows of PII are used to assign flow systems to users that represent access control instruments to specify permissible operations and PII streams, preventing use of PII for purposes not corresponding to intended purposes. Conclusion: The resultant flow-based access map demonstrates a viable description method that can be adopted for controlling access to PII. It also presents a uniform methodology that can be applied at various levels such as privacy policies.
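To make the abstract's idea concrete, the following is an added example (not code from the paper) of a flow-based access monitor: each user is assigned a flow system, an ordered sequence of operations they may perform on a given PII stream, and a request is permitted only if it is the next stage of that flow (or repeats the stage just completed). No purpose label is consulted; the permissible use is encoded entirely in the flow. The six stage names, the user and stream names, and the scenario data are assumptions made for illustration and are not the paper's own list of operations.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical set of six generic operations on PII; the paper does not list
# its six on this page, so these names are an assumption for the example.
STAGES = ("create", "receive", "process", "store", "release", "transfer")


@dataclass(frozen=True)
class FlowSystem:
    """Ordered stages a user may apply to one PII stream."""
    allowed: Tuple[str, ...]

    def __post_init__(self) -> None:
        unknown = [s for s in self.allowed if s not in STAGES]
        if unknown:
            raise ValueError(f"unknown stage(s): {unknown}")


@dataclass
class FlowMonitor:
    """Tracks each (user, stream) pair along its assigned flow."""
    assignments: Dict[Tuple[str, str], FlowSystem]
    # (user, stream) -> index of the next stage still to be performed
    progress: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def request(self, user: str, stream: str, op: str) -> bool:
        """Permit op only if it is the next stage of the user's flow on the
        stream, or a repeat of the stage just completed (e.g. processing the
        same record twice). Anything else, including any request by a user
        with no flow on the stream, is denied."""
        key = (user, stream)
        flow = self.assignments.get(key)
        if flow is None or op not in STAGES:
            return False
        i = self.progress.get(key, 0)
        if i < len(flow.allowed) and flow.allowed[i] == op:
            self.progress[key] = i + 1   # advance along the flow
            return True
        if i > 0 and flow.allowed[i - 1] == op:
            return True                  # repeat of the current stage
        return False


def build_example_monitor() -> FlowMonitor:
    """Constructed assignments: a nurse may receive, process and store a
    patient record; billing may receive and transfer it; marketing gets
    no flow on it at all."""
    return FlowMonitor(assignments={
        ("nurse", "patient-record"): FlowSystem(("receive", "process", "store")),
        ("billing", "patient-record"): FlowSystem(("receive", "transfer")),
    })


def run_scenario() -> List[Tuple[str, str, str, bool]]:
    """Replay a constructed sequence of requests and return the decisions."""
    m = build_example_monitor()
    requests = [
        ("nurse", "patient-record", "receive"),
        ("nurse", "patient-record", "process"),
        ("nurse", "patient-record", "process"),   # repeat: allowed
        ("nurse", "patient-record", "transfer"),  # not in nurse's flow: denied
        ("billing", "patient-record", "transfer"),  # out of order: denied
        ("billing", "patient-record", "receive"),
        ("billing", "patient-record", "transfer"),
        ("marketing", "patient-record", "receive"),  # no flow assigned: denied
    ]
    return [(u, s, op, m.request(u, s, op)) for (u, s, op) in requests]


if __name__ == "__main__":
    for user, stream, op, ok in run_scenario():
        print(f"{user:10s} {op:9s} on {stream}: {'permit' if ok else 'DENY'}")
```

The decision log doubles as the "tracking apparatus" the abstract mentions: because the monitor records where each user stands in their flow, a transfer by the nurse or an out-of-order transfer by billing is refused without any reasoning about stated purposes.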

Highlights

  • Advances in information technology and the emergence of privacy-invasive technologies have made it necessary to introduce privacy regulations that impose restrictions on handling of Personal Identifiable Information (PII)

  • We do not hastily import the notion of purpose from privacy legislation and guidelines; rather, we suggest that, instead of such a verbose and conceptually difficult concept, access control to PII ought to be based on the sequence of flows of operations performed on PII

  • Since there are several definitions of PII, we introduce the definition of PII adopted in this study


Summary

Introduction

Advances in information technology and the emergence of privacy-invasive technologies have made it necessary to introduce privacy regulations that impose restrictions on handling of Personal Identifiable Information (PII). "Data protection commissioners are demanding that legal privacy requirements should be technically enforced and should be a design criteria for information systems" (Fischer-Hubner and Ott, 1998). This means that privacy requirements should be incorporated into automated methods of handling PII. Handling of PII (input, output, processing) leads to the development of access control mechanisms for this type of information. Access control is a means of restricting access (e.g., by whom, to what, and of what type) to resources (e.g., files or data, programs, devices) and to the functionality provided by computer applications. Many types of access control methodology exist, including Discretionary Access Control, Mandatory Access Control and Role-based Access Control (RBAC).
