A model for compound purposes and reasons as a privacy enhancing technology in a relational database

Abstract

The protection of privacy related information of the individual is receiving increasing attention. Particular focus is on the protection of user interaction with other users or service providers. Protection of this interaction centres on anonymising the user’s actions, or protecting “what we do”. An equally important aspect is protecting the information related to a user that is stored in some electronic way (or protecting “who we are”). This may be profile information on a social networking site, or personal information in a bank’s database. A typical approach to protecting the user (data owner) in this case is to tag their data with the “purpose” the collecting entity (data controller) has for the data. These purposes are in most cases singular in nature (there is “one” purpose – no combinations of purposes – of the data), and provide little in the way of flexibility when specifying a privacy policy. Moreover, in all cases the user accessing the data (data user) does little to state their intent with the data. New types of purposes called compound purposes, which are combinations of singular or other compound purposes, are proposed and examined in this text. In addition to presenting the notion of compound purposes, compound reasons are also presented. Compound reasons represent the intent of the entity using the data (the data user) with the data. Also considered are the benefits of having the data user specifying their intent with data explicitly, the verification of compound reasons (the data user’s statement of intent) against compound purposes, the integration of compound statements in existing technologies such as SQL by providing a model for using compound purposes and reasons in a relational database management system for protecting privacy, and the use of compounds (purposes and reasons) as a method for managing privacy agreements.