Along with privacy views, it is necessary to have a notion of privacy policies. The database administrator can decide which policy applies to each view. The following describes a privacy policy for each of the views described above:
PRIVACY-POLICY individualData
ALLOW-ACCESS-TO y
FROM Consent x, patientAddressDob y
WHERE x.pid = y.owner and x.type = 'yes'
BENEFICIARY *
PRIVACY-POLICY defaultPolicy
ALLOW-ACCESS-TO x
FROM patientName x
BENEFICIARY x.owner
BENEFICIARY *
PRIVACY-POLICY militaryPersonellWaiver
ALLOW-ACCESS-TO x
FROM patientName x, Patient y
WHERE x.owner = y.pid and y.employer = 'Military'
BENEFICIARY Government
The first privacy policy states that y can be accessed only if patient x has given explicit consent; that is, the private data patientAddressDob (defined above) can be released only if its owner has given explicit consent, as registered in the Consent table.
The second is a default policy which allows access to patient names as long as the benefit accrues to the patient: any patient name can be released as long as the application using it runs on behalf of (for the benefit of) that patient.
The third says that the patientName data of military patients can be released for use by the Government. As with privacy views, more complex privacy policies are also possible.
Privacy policies can be enforced by the server holding the data: data items will be shared only if the purpose statement of the requester (see below) satisfies the policy. But, in addition, every data item leaving the server should be annotated with privacy metadata expressing the privacy policies that have to be applied. These annotations travel with the data, and are preserved and perhaps modified when the data is integrated with data from other sources or transformed.
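As an added illustration (not code from the paper), the following evaluator encodes the three policies above as data and performs the server-side check just described: a row of the ALLOW-ACCESS-TO alias is released only if the WHERE join condition holds and the requester's stated beneficiary satisfies a BENEFICIARY clause. The tables, rows and requester purposes are constructed, and defaultPolicy is modelled as the prose describes it (beneficiary x.owner).

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample tables; column names follow the policies in the text.
TABLES = {
    "Consent": [{"pid": 1, "type": "yes"}, {"pid": 2, "type": "no"}],
    "patientAddressDob": [{"owner": 1, "dob": "1970-01-01"}, {"owner": 2, "dob": "1980-02-02"}],
    "patientName": [{"owner": 1, "name": "Alice"}, {"owner": 2, "name": "Bob"}, {"owner": 3, "name": "Carol"}],
    "Patient": [{"pid": 1, "employer": "Military"}, {"pid": 2, "employer": "Acme"}, {"pid": 3, "employer": "Military"}],
}

@dataclass
class Policy:
    allow: str                     # ALLOW-ACCESS-TO: alias whose rows may leave the server
    frm: dict                      # FROM: alias -> table name
    where: Callable[[dict], bool]  # WHERE: predicate over a binding alias -> row
    beneficiaries: list            # BENEFICIARY: "*", "alias.column" or a literal principal

def beneficiary_ok(policy, binding, purpose):
    """Does the requester's stated beneficiary satisfy one BENEFICIARY clause?"""
    for b in policy.beneficiaries:
        if b == "*":
            return True
        if "." in b:  # e.g. "x.owner": the beneficiary must be this row's owner
            alias, col = b.split(".")
            if binding[alias][col] == purpose:
                return True
        elif b == purpose:  # literal principal such as Government
            return True
    return False

def evaluate(policy, purpose):
    """Rows of policy.allow releasable to a requester whose purpose names `purpose`."""
    aliases = list(policy.frm)
    released = []
    def bind(i, binding):  # nested-loop join over the FROM tables
        if i == len(aliases):
            if policy.where(binding) and beneficiary_ok(policy, binding, purpose):
                released.append(binding[policy.allow])
            return
        for row in TABLES[policy.frm[aliases[i]]]:
            bind(i + 1, {**binding, aliases[i]: row})
    bind(0, {})
    return released

POLICIES = {  # the three policies from the text, encoded as data
    "individualData": Policy("y", {"x": "Consent", "y": "patientAddressDob"},
        lambda b: b["x"]["pid"] == b["y"]["owner"] and b["x"]["type"] == "yes", ["*"]),
    "defaultPolicy": Policy("x", {"x": "patientName"}, lambda b: True, ["x.owner"]),
    "militaryPersonellWaiver": Policy("x", {"x": "patientName", "y": "Patient"},
        lambda b: b["x"]["owner"] == b["y"]["pid"] and b["y"]["employer"] == "Military", ["Government"]),
}
```

A requester acting for patient 2 obtains only Bob's name under defaultPolicy, while a Government requester obtains the names of the two military patients and nothing under defaultPolicy.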
Query execution becomes much harder, since all privacy views and policies must result in a single piece of privacy metadata, and it is not obvious how to do that. Prior work addresses a similar but not identical challenge: how a set of access control policies results in a single, multiply encrypted data instance.