Enterprise Privacy Authorization Language

from Wikipedia, the free encyclopedia

Enterprise Privacy Authorization Language, or EPAL for short, is a technical term from the field of information security. It is an XML-based description language for companies. It makes it possible to translate company-specific data protection guidelines (privacy policies) into a machine-readable set of rules. The focus is on personal data.

EPAL sees itself as a further development of P3P. The fundamentally new aspect is the idea of formulating access rules centrally for the company.

Details

EPAL is a "general language for describing data protection rules" developed by IBM that can be evaluated by products such as application programs in order to enforce the rules. The mechanisms of classic access control models (such as RBAC) have been extended: access rules can now also be formulated based on a description of the purpose of the stored data.

An EPAL user defines a vocabulary for the rules: elements modeled on the way access rules are expressed in natural language. These are the affected users (or groups), the data categories, the actions to be carried out, the purpose of the data, conditions of access (e.g. must be over 18 years old) and restrictions on data storage (to be deleted after about 90 days). These elements are combined into a rule that either allows or denies access.

Example

The following rule stipulates that, with the consent of the chief physician and the patient, a radiologist may view the patient's X-ray data for diagnostic purposes, but the data may not be kept for longer than five years.

<rule id="radiodata" ruling="allow">
  <data-user id="radiologist"/>
  <data-category id="radiograph"/>
  <purpose id="diagnosis"/>
  <action id="read"/>
  <condition id="chiefPhysicianConsent"/>
  <condition id="patientHasAccepted"/>
  <obligation id="retention">
    <parameter id="years">5</parameter>
  </obligation>
</rule>
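
How an enforcing application might evaluate the rule above is sketched below as an added example; it is not part of the original article or of IBM's EPAL implementation. The function names, the first-match order and the default deny are assumptions of this sketch, and the XML is the simplified form shown in the article.

```python
import xml.etree.ElementTree as ET

# The rule from the article, embedded inline so the example runs offline.
POLICY = """<rule id="radiodata" ruling="allow">
  <data-user id="radiologist"/>
  <data-category id="radiograph"/>
  <purpose id="diagnosis"/>
  <action id="read"/>
  <condition id="chiefPhysicianConsent"/>
  <condition id="patientHasAccepted"/>
  <obligation id="retention">
    <parameter id="years">5</parameter>
  </obligation>
</rule>"""

# The four elements a request must match, purpose included (EPAL's addition to RBAC).
FIELDS = ("data-user", "data-category", "purpose", "action")

def load_rules(xml_text):
    """Parse <rule> elements into dicts; a rule missing a field is rejected."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        match = {}
        for f in FIELDS:
            el = r.find(f)
            if el is None:  # fail closed on an incomplete rule
                raise ValueError(f"rule {r.get('id')!r} lacks <{f}>")
            match[f] = el.get("id")
        rules.append({
            "ruling": r.get("ruling"),
            "match": match,
            "conditions": {c.get("id") for c in r.findall("condition")},
            "obligations": {o.get("id"): {p.get("id"): p.text
                                          for p in o.findall("parameter")}
                            for o in r.findall("obligation")},
        })
    return rules

def evaluate(rules, request, satisfied):
    """Return (ruling, obligations) of the first applicable rule, else deny."""
    for rule in rules:
        if all(request.get(f) == rule["match"][f] for f in FIELDS) \
                and rule["conditions"] <= set(satisfied):
            return rule["ruling"], rule["obligations"]
    return "deny", {}  # assumption of this sketch: no applicable rule means deny

if __name__ == "__main__":
    req = {"data-user": "radiologist", "data-category": "radiograph",
           "purpose": "diagnosis", "action": "read"}
    print(evaluate(load_rules(POLICY), req,
                   {"chiefPhysicianConsent", "patientHasAccepted"}))
```

The returned obligations (here the five-year retention limit) are handed back to the caller, which has to enforce them itself.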
