Lead Institution: Vanderbilt University

Project Leader: Mark Frisse

Research Progress

• Abstract
  Privacy policy templates simplify the translation of policies into logical expressions by mapping prose statements into a formal expression. The creation of privacy language based on policy templates enables the use of policy modeling across different organizations and stakeholders.

• Focus of the research/Market need for this project
  Policies are often subject to multiple interpretations. These intermediate templates help ensure that interpretations mapped into formal systems are consistent with policy intent and context. As HIE expands nationwide, policies from different institutions often conflict with one another. Sometimes internal policies are incomplete or contradictory. Policies at the “last mile” have great impact on HIE and on enforcement cost.

• Project Aims/Goals
  Research and develop means to create Privacy Policy templates in large scale to support the wide-scale adoption of privacy policy formalization.

• Key Conclusions/Significant Findings/Milestones reached/Deliverables
  First we addressed the technical aspects of handling multiple Privacy Policy Template languages. The formalization paradigm we created for the PATRN and POVER tools enables the creation and application of different template languages. The semantic framework under POVER also enables the reasoning on and between these different template languages. This new reasoning capability enables the detection of interpretation differences in the formal policy models.

  In 2012 and 2013, we collaborated with K. Krasnow Waterman from MIT in order to evaluate the usefulness of their intermediate policy representation to our goal of developing privacy policy templates. The format of the MIT intermediate representation itself forms a template language that is materialized in a table structure. This intermediate representation is different from our modeling paradigm. First, it is purely textual. It is created by cutting the policy texts at grammatical boundaries and then organizing the snippets into a predefined table structure. Second, the policy representations are not tied to any formal framework; hence the representations are only intermediary. We hoped that template creation would scale better using intermediate representation, as a result of these differences. However, at the end of the collaboration we came to the same conclusion as was published in the article “Pre-processing Legal Text: Policy Parsing and Isomorphic Intermediate Representation”¹ . The complexity of the formalization process does not come from the representation, but from bridging the gap between the intent of the law and the context it is applied on.

  During our research into template representations and the formalization paradigm, we realized that multiple interpretations and the ambiguity of policies are inherent and necessary part of the legal privacy frameworks. As the policy writers cannot foresee all future applications of the privacy framework, the framework has to be kept open for refinement and adaption for new contexts. Such adaption is the application of privacy policies designed for human workflows (such as use of PHI by provider) for data flows in information systems (HIE systems). The policy formalization process has to support such adaptation for new contexts and instead of eradicating multiple interpretations of the same policies their creation need to be supported. While this enables easier adaption of policies for a system, it still has be ensured that the policy interpretations are consistent throughout a system. These consistent interpretations must be engineered together with the system.

  The scalability issues with policy template creation and formalization do not come from technical issues but rather, the inherent complexity of the socio-technical environment of policies and the governed systems. The templates have to be curated and agreed on by the stakeholders in order to achieve wide scale adoption. During our research we concluded that to achieve this, template construction has to be a large scale collaborative effort. Fortunately, with the prevalence of large scale open source hubs such large scale collaboration is now possible. To support the Privacy Policy template construction in such manner we provide all our tools on the PolicyForge.org open collaboration website.

• Materials Available for Other Investigators/interested parties

  • The publication “A model-integrated authoring environment for privacy policies.” describing the framework of policy templates is available online.

  The policy formalization tool suite that enables large scale, distributed and collaborative Privacy Policy template construction is available on https://policyforge.org/.

• Market entry strategies
  PolicyForge.org is an open collaboration website that is similar to the established open source community sites such as SourceForge or GitHUB, but it is specifically tailored for policy formalization. We designed the policy formalization tool suite available on the PolicyForge.org website to enable large scale use of policy formalization. The policy formalization tool suite together with the collaboration tools provided by the platform enables the creation, curation and harmonization of policy template languages on a large scale.

Bibliography
PolicyForge: A Collaborative Environment for Formalizing Privacy Policies in Health Care
Andras Nadas, Laszlo Juracz, Janos Sztipanovits, Mark E. Frisse, and Ann J. Olsen
Software Engineering in Health Care (SEHC), 5th International Workshop, May 2013

A Model-Integrated Authoring Environment for Privacy Policies
Andras Nadas, Tihamer Levendovszky, Ethan K. Jackson, Istvan Madari, and Janos Sztipanovits
Science of Computer Programming, January 2013

Modeling Privacy Aware Health Information Exchange Systems
Andras Nadas, Mark E. Frisse, and Janos Sztipanovits
The 1st International Workshop on Engineering EHR Solutions (WEES) at Amsterdam Privacy Conference 2012, Amsterdam, the Netherlands; October 2012