Hanene Boussi Rahmouni

Privacy compliance and enforcement on European healthgrids: an approach through ontology

The sharing of medical data between different healthcare organizations in Europe must comply with the legislation of the Member State where the data were originally collected. These legal requirements may differ from one state to another. Privacy requirements such as patient consent may be subject to conflicting conditions between different national frameworks as well as between different legal and ethical frameworks within a single Member State. These circumstances have made the compliance management process in European healthgrids very challenging. In this paper, we present an approach to tackle these issues by relying on several technologies in the semantic Web stack. Our work suggests a direct mapping from high-level legislation on privacy and data protection to operational-level privacy-aware controls. Additionally, we suggest an architecture for the enforcement of these controls on access control models adopted in healthgrid security infrastructures.

Privacy compliance in european healthgrid domains: An ontology-based approach

The integration of different European medical systems by means of grid technologies will continue to be challenging if technology does not intervene to enhance interoperability between national regulatory frameworks on data protection. Achieving compliance in European healthgrid domains is crucial but challenging because of the diversity and complexity of Member State legislation across Europe. Lack of automation and inconsistency of processes across healthcare organizations increase the complexity of the compliance task. In the absence of automation, the compliance task entails human intervention. In this paper we present an approach to automate privacy requirements for the sharing of patient data between Member States across Europe in a healthgrid [1] domain and ensure its enforcement internally and within external domains where the data might travel. This approach is based on the semantic modelling of privacy obligations that are of legal, ethical or cultural nature. Our model reflects both similarities and conflicts, if any, between the different Member States. This will allow us to reason on the safeguards a data controller should demand from an organization belonging to another Member State before disclosing medical data to them. The system will also generate the relevant set of policies to be enforced at the process level of the grid to ensure privacy compliance before allowing access to the data.

MedMatch - towards domain specific semantic matching

Ontologies are increasingly being used to address the problems of heterogeneous data sources. This has in turn often led to the challenge of heterogeneity between ontologies themselves. Semantic Matching has been seen as a potential solution to resolving ambiguities between ontologies . Whilst generic algorithms have proved successful in fields with little domain specific terminology, they have often struggled to be accurate in areas such as medicine which have their own highly specialised terminology. The MedMatch algorithm was initially created to apply semantic matching in the medical domain through the use of a domain specific background resource. This paper compares a domain specific algorithm (MedMatch) against a generic (S-Match) matching technique, before considering if MedMatch can be tailored to work with other background resources. It is concluded that this is possible, raising the prospect of domain specific semantic matching in the future.

A SWRL Bridge to XACML for Clouds Privacy Compliant Policies

The management of privacy and personal information within multi-cultural domain such as clouds and other universal collaborative systems requires intrinsic compliance-checking and assurance modules in order to increase social trust and acceptance. Focusing mainly on medical domains, this issue is particularly important due to the sensitivity of health related data in international data protection law. The use of ontologies and semantic technologies can provide relatively easy interpretation of legislation at run time, and can allow the logging of data access events to serve for future audits. However, the enforcement of semantic web rules (SWRL rules) on complex and heterogeneous architectures is expensive and might present runtime overheads. We believe a mapping of our semantic web privacy policies to a standard access control language such as XACML would be a useful alternative. A translation to XACML, would allow the integration of these policies with existing security and privacy policies being adopted on clouds environments. This paper describes a mathematical formalism for mapping SWRL (Semantic Web Rule Language) privacy rules to XACML policies and also explains the underline implementation requirements of this formalism.

Semantic Generation of Clouds Privacy Policies

The governance of privacy and personal information on cloud environments is challenging and complex. Usually many regulatory frameworks intervene to reflect diverse privacy wishes from several stakeholders. This includes data owners, data and services providers and also the end users. Focusing mainly on medical domains, this issue is particularly important due to the sensitivity of health related data in international data protection law. It is therefore essential to integrate heterogeneous privacy requirements in a semantic model and rules. Thereafter, overlaps, contradictions and similarities of privacy wishes could be detected and a final access control context would be captured before it is finally mapped to clouds operational policies. This paper describes a ontology-based semantic model of privacy requirements along with a logical formalism for mapping SWRL (Semantic Web Rule Language) privacy rules to a policy language that is implementable on clouds environments namely XACML. The underline implementation requirements for our formalism will be also explained.