Enterprise Privacy Authorization Language (EPAL)

This is the Enterprise Privacy Authorization Language (EPAL) technical specification. EPAL is a formal language for writing enterprise privacy policies to govern data handling practices in IT systems according to fine-grained positive and negative authorization rights. It concentrates on the core privacy
authorization while abstracting data models and user-authentication from all deployment details such as data model or user-authentication.
An EPAL policy defines lists of hierarchies of data-categories, data-users, and purposes, and sets of (privacy) actions, obligations, and conditions. Data-users are the entities (users/groups) that use collected data (e.g., travel expense department or tax auditor). Data-categories define different categories of collected data that are handled differently from a privacy perspective (e.g., medical-record vs. contact-data). Purposes model the intended service for which data is used (e.g., processing a travel expense reimbursement or auditing purposes).
Actions model how the data is used (e.g., disclose vs. read). Obligations define actions that must be taken by the environment of EPAL (e.g., delete after 30 days or get consent). Conditions are Boolean expressions that evaluate the context (e.g., "the data-user must be an adult" or "the data-user must be the primary care physician of the data-subject").
These elements are then used to formulate privacy authorization rules that allow or deny actions on data-categories by data-users for certain purposes under certain conditions while mandating certain obligations.
EPAL aims at formalizing enterprise-internal privacy policies. While P3P formalizes privacy promises to be advertized (i.e., business to consumer), EPAL formalizes privacy authorization for actual enforcement within an enterprise or for business-to-business privacy control.
Feedback and comments are welcome and should be sent to Matthias Schunter mts@zurich.ibm.com.

By: Paul Ashley, Satoshi Hada, Günter Karjoth, Calvin Powers, and Matthias Schunter

Published in: RZ3485 in 2003


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to reports@us.ibm.com .