A Mechanism for Providing and Enforcing Privacy Policy Information to Data Users
Disclosure Number: IPCOM000019966D
Original Publication Date: 2003-Oct-14
Included in the Prior Art Database: 2003-Oct-14
Information systems and their users are being confronted increasingly with issues of Data Privacy (meaning issues of who has what rights to information for what purposes). Data Users of information systems (sometimes referred to as subjects) must be able to easily view the privacy policy for information they are viewing (or attempting to view) in order to understand what they should and should not do with the information. At the current time, there are insufficient techniques for conveying such information. An example is the use of a field to mark a message as "confidential". Such a field does not include the rich set of distinctions involved in Privacy standards such as P3P. Even if lengthier text descriptions of the privacy policy associated with data are provided, these can be difficult for a human data user to understand, and rely on human interpretation for compliance. A technique which both conveys to a human reader what privacy policy is associated with a data item and can be used to allow or restrict actions that a data user could carry out on the data is required for meaningful privacy implementation in information systems.

This disclosure proposes the use of a contextual interaction method involving use of a graphical indicator of privacy policy that would be displayed along with data objects to indicate to the data user the content of the policy. The Privacy Policy information would be captured in a label associated with the data object (a privacy label). For viewing the data, such a graphical indicator might be implemented as a "watermark" on a page displaying a document (e.g., an overlay indicating that the document was for "one time use only" and that copying actions would not be allowed), or could be implemented as a graphical symbol in an appropriate area of a data viewer (e.g., as a symbol in the border of a browser window). Such a presentation could become part of standard data presentation and would become easily recognized by data users. Additionally, the burden of enforcement could be largely shifted to information systems that made use of the privacy policy indicator to enable and disable functions impacted by the privacy policy. Thus actions such as copy or modify could be enabled or prevented automatically as indicated. Data users would easily be able to understand when actions were disabled as a part of the privacy policy associated with data.

Example of How It Works

The invention will be described through the use of a medical scenario. PII data about patients (called data owners) is kept in software on data processing devices that a number of different categories of data users (e.g., doctors, nurses, financial and billing administrative staff, applications) can access and use for a variety of different purposes (e.g., medical treatment, summary medical reporting, billing). There are professional guidelines and laws about which data users can access patient PII data and for what purposes. In many legal systems, patients have the right to review the PII data associated with medical treatments, summary medical reporting, and billing about themselves. In many legal systems, patients also have the right to know what data users (subjects) are accessing that PII data and for what purposes in order to give consent to t...
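The following Python sketch is an added illustration of the mechanism described above (the privacy label travelling with a data object, the indicator rendered to the data user, and the automatic enabling/disabling of copy, modify and view) applied to the medical scenario; it is not code from the disclosure. The label fields, the user categories (doctor, nurse, billing), the purposes (treatment, billing) and the sample patient record are constructed assumptions. The audit trail is included because the scenario notes that patients have a right to know who accessed their data and for what purpose.

```python
"""Privacy label attached to a data object: human-readable indicator plus enforcement.

Constructed example; the label structure and all sample values are assumptions
modelled on the disclosure's medical scenario, not part of the disclosure.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

ACTIONS = ("view", "copy", "modify")  # functions a viewer may enable or disable


@dataclass(frozen=True)
class Rule:
    category: str            # data-user category, e.g. "doctor" (constructed)
    purpose: str             # purpose of use, e.g. "treatment" (constructed)
    actions: FrozenSet[str]  # actions this category may perform for this purpose


@dataclass(frozen=True)
class PrivacyLabel:
    """Privacy policy captured in a label that travels with the data object."""
    owner: str                  # data owner, e.g. a patient identifier
    rules: Tuple[Rule, ...]
    one_time_use: bool = False  # "one time use only": a single view, never a copy


@dataclass
class DataObject:
    content: str
    label: PrivacyLabel
    views: int = 0  # view counter used to enforce one-time use
    # (category, purpose, action, allowed) so the data owner can review accesses
    audit: List[Tuple[str, str, str, bool]] = field(default_factory=list)


def indicator(label: PrivacyLabel) -> str:
    """Text form of the graphical indicator a viewer would render (watermark or border symbol)."""
    lines = [f"PRIVACY LABEL - data owner: {label.owner}"]
    if label.one_time_use:
        lines.append("ONE TIME USE ONLY - copying disabled")
    for r in label.rules:
        lines.append(f"{r.category} for {r.purpose}: {', '.join(sorted(r.actions))}")
    return "\n".join(lines)


def is_allowed(label: PrivacyLabel, category: str, purpose: str, action: str) -> bool:
    """Decide whether the label permits `action` for this user category and purpose."""
    if action not in ACTIONS:
        return False
    if action == "copy" and label.one_time_use:
        return False
    return any(r.category == category and r.purpose == purpose and action in r.actions
               for r in label.rules)


def enabled_functions(label: PrivacyLabel, category: str, purpose: str) -> Dict[str, bool]:
    """Which UI functions a viewer should enable or grey out for this user and purpose."""
    return {a: is_allowed(label, category, purpose, a) for a in ACTIONS}


def perform(obj: DataObject, category: str, purpose: str, action: str) -> Tuple[bool, str]:
    """Enforcement point: every attempted action is checked against the label and audited."""
    allowed = is_allowed(obj.label, category, purpose, action)
    if allowed and action == "view" and obj.label.one_time_use and obj.views >= 1:
        allowed = False  # one-time-use data has already been viewed once
    obj.audit.append((category, purpose, action, allowed))
    if not allowed:
        return False, f"{action} disabled by privacy policy for {category}/{purpose}"
    if action == "view":
        obj.views += 1
    return True, obj.content


def access_report(obj: DataObject) -> List[str]:
    """Lets the data owner see who accessed the data, for what purpose, and whether it was permitted."""
    return [f"{c} / {p} / {a}: {'allowed' if ok else 'denied'}" for c, p, a, ok in obj.audit]


# Constructed sample data object: a patient record carrying its privacy label.
PATIENT_RECORD = DataObject(
    content="Patient P-0001: treatment notes (constructed sample)",
    label=PrivacyLabel(
        owner="P-0001",
        rules=(
            Rule("doctor", "treatment", frozenset({"view", "modify"})),
            Rule("nurse", "treatment", frozenset({"view"})),
            Rule("billing", "billing", frozenset({"view", "copy"})),
        ),
    ),
)

if __name__ == "__main__":
    print(indicator(PATIENT_RECORD.label))
    print(enabled_functions(PATIENT_RECORD.label, "nurse", "treatment"))
    print(perform(PATIENT_RECORD, "billing", "treatment", "view"))   # wrong purpose: denied
    print(perform(PATIENT_RECORD, "doctor", "treatment", "modify"))  # permitted by the label
    print("\n".join(access_report(PATIENT_RECORD)))
```

The decision is made by the label alone, so the same record shown to a billing clerk for billing enables copy, while the same clerk opening it under a treatment purpose gets nothing; a one-time-use label disables copy in the indicator and in the enforcement check at the same time, which is the point of binding the indicator and the enabled functions to one label.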