Managing and Enforcing Privacy-aware Policies in IT Systems

  • Thavy Mony Annanda Rath

Student thesis: Doc typesDoctor of Sciences


Given the raise of privacy issues and a demand for the better protection of private data of individual when sharing them between different parties in the network, many private and state entities (e.g. healthcare institutions) are on demand for data usage control system that is able to provide sufficient protection in line with legislations (e.g. EU directive 95/46/EC). Access to private data is generally governed by privacy policy, which defines the rules and procedures for the processing of such data and such policy often places restrictions on the purposes for which a governed entity may use data. Basically, privacy policy needs to be enforced to ensure the proper protection of the private data as required by Laws. To enforce privacy policy using formal or automated methods requires semantics of purpose restrictions to determine whether an action is for a purpose and that purpose could be achieved or not once access permission is granted.
We introduce in this thesis a novel approach for managing and enforcing purpose of data usage for privacy policy based on the modelling of purpose as a workflow. We argue that an action is for a purpose if and only if that action is part of a plan for the satisfaction of that purpose. In our approach, the access authorisation to data is based not only on the control of workflow process, but also on the estimation of the level of certainty of purpose achievement, which is determined by purpose achievement prediction (a probabilistic system estimating how likely user can reach his claimed purpose after access permission is granted). The prediction module is built using Association Rule Learning method where user’s access history and contextual information are used as the input data for rule analysis. The semantics of purpose with our enforcement approach enable us to create and implement an algorithm for enforcing the privacy policies, and to describe formally and compare rigorously with previous enforcement methods. To validate our semantics, we provide an example application, build a prototype and validate it against the existing enforcement methods with the specific validation criteria.
Date of Award1 Dec 2015
Original languageEnglish
Awarding Institution
  • University of Namur
SupervisorJean-Noel COLIN (Supervisor), Jean-Marie JACQUET (President), Michael Petit (Jury), Benoît Frénay (Jury), Denis Zampunieris (Jury) & Rudiger Grimm (Jury)


  • Access control
  • usage control
  • privacy policy enforcement
  • privacy-aware
  • purpose enforcement
  • privacy-aware access and usage control model
  • policy management
  • usage control architecture
  • IT Systems

Cite this