An ontology based approach for managing and maintaining privacy in information systems

Nowadays enforcing privacy in enterprises is recognised as an issue of impact. In fact, it is a big challenge to adapt normative laws and regulations in a software system. It is a challenging task to include the formalised laws and rules in software systems, since more than one act/regulation affect the terms of privacy concerning one situation. Traditional access control provides a general mechanism for assigning rights to individual users or roles. In the context of privacy this is insufficient; it offers no means to fulfil certain aspects such as limitations to the duration for which private data may be stored. To enforce privacy in enterprises we further need a fine granular access control on the data entities to ensure that every aspect of privacy can be reflected. This thesis provides a novel solution for the problem of adopting privacy laws and regulations in information systems. In order to solve the problem specified above, we apply the term „ontology“ to the representation of privacy laws and regulations for automatic generation of access control information. The usage of ontology in our approach differs from the conventional form in focusing on generating access control lists/matrices which are adopted from our software framework to provide fine granular access to the diverse data sources.