Individualized Privacy Policy Based Access Control

Privacy regulations, industry practices, OECD [1] privacy guidelines, and policy languages such as the P3P [2] encourage companies to define their practices for handling and sharing personal information, including reasonable communication of these policies to individuals. All of these efforts focus on enterprises and the policies those enterprises set and support for personal data they collect or generate about individuals. However, one popular definition of privacy, by Alan Westin [3] , is “The right of individuals to determine for themselves when, how, and to what extent information about them is communicated to others. ” This paper proposes a model for individualized privacy policies as an alternative to today’s common use of enterprise-wide policies. We describe how this policy information can be used to authorize actions on personal data, replacing traditional permission or role based access control.

By: Kathryn A. Bohrer, Stephen E. Levy, Xuan Liu, Edith G. Schonberg

Published in: RC22756 in 2003


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to .