Research Article Open Access

Purpose-based Versus Flow-Based Access Control for Privacy

Sabah Al-Fedaghi, Bashayer Al-Babtain and Maha Al-Fahad

Abstract

Problem statement: Data protection legislation requires handling of Personal Identifiable Information (PII) in special ways to guarantee privacy. Specifically, the notion of handling purpose plays an important role in current access control mechanisms that allow only actions corresponding to intended purposes. A problem that arises in this context is how to ensure that PII is used solely for the intended purpose. Approach: This study shows that problems in the context of purpose access control can be avoided by using flow-based specifications that map users to a sequence of stages of flows of PII. The methodology is used as a tracking apparatus as it specifies the types of operations a user can perform on such information. The flow system of PII is constructed from six generic operations. Results: The resultant maps of flows of PII are used to assign flow systems to users that represent access control instruments to specify permissible operations and PII streams, preventing use of PII for purposes not corresponding to intended purposes. Conclusion: The resultant flow-based access map demonstrates a viable description method that can be adopted for controlling access to PII. It also presents a uniform methodology that can be applied at various levels such as privacy policies.

Journal of Computer Science
Volume 8 No. 4, 2012, 564-572

DOI: https://doi.org/10.3844/jcssp.2012.564.572

Submitted On: 6 January 2012 Published On: 8 February 2012

How to Cite: Al-Fedaghi, S., Al-Babtain, B. & Al-Fahad, M. (2012). Purpose-based Versus Flow-Based Access Control for Privacy. Journal of Computer Science, 8(4), 564-572. https://doi.org/10.3844/jcssp.2012.564.572

  • 3,232 Views
  • 2,673 Downloads
  • 1 Citations

Download

Keywords

  • Conceptual modeling
  • purpose control
  • PII handling
  • information flow
  • privacy policies
  • information technology
  • privacy protection
  • information systems
  • access control