A Semantic Model for Personal Consent Management

Ozgu Can
Ege University, Department of Computer Engineering, 35100 Bornova-Izmir, Turkey
ozgu.can@ege.edu.tr

Abstract. Data protection and privacy have significant importance in information sharing mechanisms, especially in domains that handle sensitive information. The knowledge that can be inferred from this sensitive information may unveil the consumer’s personal information. Consumers should control who can access their consent data and for what purposes this data will be used. Therefore, information sharing requires effective policies to protect personal data and to ensure the consumer’s privacy needs. As different consumers have different privacy levels, each consumer should determine one’s own consent policy. Besides ensuring personal privacy, information sharing that allows personal data usage for acceptable reasons should be endorsed. This work proposes a semantic web based personal consent management model. In this model, consumers specify their consent data and create their personal consent policy for that data according to their privacy concerns. Thus, personalized consumer privacy for consent management is ensured and reasonable information sharing for personal data usage is supported.

Keywords: Consent Management, Privacy, Semantic Web.

1 Introduction

The remarkable growth in the digitization of records brings great advances for consumers. However, sharing personal information brings significant privacy risks for consumers, such as the linking attack. A linking attack is the leakage of crucial private information by integrating released and publicly available data sets; through it, an adversary can track an individual’s identity. According to the study of 1990 U.S. Census summary data in [1], 87% of the individuals in the United States are identifiable by their gender, date of birth and the 5-digit zip code of their address.
[2] presents the problems and risks that data mining poses to patient privacy: by cross-linking patient data with other publicly available databases, processes such as data mining may associate an individual with specific diagnoses. Thus, consumers must control access to their personal records and give consent to others who want to access these records. Consent management is a policy that allows a consumer to determine the rights for a provider’s access control request to one’s personal information. On the other hand, the balance between personal privacy and the quality of service should be ensured. The goal of consent management is to stimulate information sharing, which improves the quality of personal data usage for specific acceptable reasons, while protecting personal privacy according to the personal consent policy.

E. Garoufallou and J. Greenberg (Eds.): MTSR 2013, CCIS 390, pp. 146–151, 2013. © Springer-Verlag Berlin Heidelberg 2013

The medical domain is one of the fields where the importance of consent management is unavoidable. Patients, who are the subjects of electronic health records (EHRs), have the right to know who is collecting, storing or processing their data and for what purpose this is being done [3]. Health information systems (HIS) must protect patients’ consent rights. As each patient may demand a different privacy level for their EHRs, it is not efficient to use a standard privacy policy for EHRs. Therefore, in this work, a practical personal consent management model is proposed and illustrated for the healthcare domain. In the example model, each patient can specify one’s own consent data according to one’s personal privacy needs and create a personal consent policy. Each access request to one’s EHRs is executed according to one’s personal consent policy. As a result, the decision on this access request is either a permission or a prohibition.
The goal of this paper is to describe a semantic web based personal consent management model that protects consumer privacy while endorsing reasonable information sharing for personal data usage. To achieve this goal, patient information and HIS are chosen as the object and the domain of the sample consent policy, respectively. The paper is organized as follows: Section 2 reviews the relevant related work. Section 3 explains the consent management model. Section 4 presents a case study example of the proposed model. Finally, Section 5 gives the direction of future work.

2 Related Work

The protection of consumers’ user information, especially in health systems, is one of the crucial needs of systems that provide consumer privacy. Recent works can be categorized into two forms: one is the generalization of published records and the other is controlling access to records. The former is based on record anonymization to protect user data before publishing it [4] [5] [6]. The latter is based on access control techniques. [7] proposes a design principle for an electronic consent system and develops a health transaction model. In [8], threats to the confidentiality, integrity and availability of personal health information are discussed and a security policy model for clinical information systems is given. The approach in [9] uses the domain model, the policy model, the role model, the privilege management model, the authorization model, the access control model and the information distance model for authorization and access control of electronic health record systems. Consentir, a system for patient information and consent policies, is presented in [10]. Consentir supports five different consent policies for patient consent management. Clinical Management of Behavioral Health Services (CMBHS, http://www.dshs.state.tx.us/cmbhs) is a web-based, open source electronic health record.
Users of the system are assigned to roles that determine their access level. The system allows patients or their legally authorized representatives (LAR) to determine what data can be seen and by whom. Patients or their LAR can also revoke or modify the terms of their consent. The consent form is then integrated with the patient’s record in the Electronic Health Record (EHR) system. In the Virtual Lifetime Electronic Record (VLER) Health Community project, patients can control access to their personal health information, including medication lists, lab test results and diagnoses. HIPAAT (http://www.hipaat.com) develops consent management and auditing software for personal health information (PHI) privacy. A trust management system named Cassandra uses an electronic health record system as a case study [11]. It is a role based trust management system for access control in a distributed system. The study in [12] focuses on creating and managing patient consent with the integration of the Composite Privacy Consent Directive Domain Analysis Model of HL7 and the IHE Basic Patient Privacy Consents (BPPC) profile. [13] describes a framework for enforcing consent policies in healthcare systems based on workflows. Permissions are assigned to subjects who want to access a patient’s consent. The context of the framework is expressed in terms of workflows.

The proposed consent management model differs from the related works in that we combine access control techniques with personalization based on semantic web technologies. In our work, the user manages access to one’s records and controls the privacy of one’s data. In order to give the user full control of one’s own data, user data is split in two directions: quasi-identifiers and medical data. The main goal in differentiating the user data is to eliminate the risk of a linking attack.
3 Consent Management Model

The consent management model consists of the following sets: Subject, User, Role, Organization, Action, Object, Quasi-Identifier, Constraint, Purpose, Policy Objects and Consent Data Policy.

− A subject is the owner of the data that is going to be accessed.
− A user is an entity that wants to access the subject’s data and perform actions on this data.
− Each user and subject has a role and a set of attributes. For example, users of the health care system can be in a nurse role, a doctor role or a lab technician role.
− An organization is an entity of which a user is an employee.
− An action indicates the operations that a user can perform on an object, for example updating, viewing or deleting a record. In the consent management model, actions are also used by subjects to define the operations that they permit or prohibit on their EHRs.
− An object is an entity that a user wants to access and perform actions on. An object represents the subject’s consent data. For example, in a HIS, objects are the medical records of patients’ personal health information.
− A quasi-identifier is an entity on which a subject defines a privacy requirement value. A quasi-identifier is a set of attributes in a table which can be linked with external information to re-identify an individual’s identity [14]. This set consists of attributes that uniquely identify subjects from others, e.g., age, gender, social security number, zip code and so on.
− A constraint is a condition that is used to limit the definitions of an entity related to policy objects.
− A purpose states the user’s intentions on an object.
− Policy objects define what actions a user can perform on an object and under what circumstances. A policy object can be a permission or a prohibition. A permission states what an entity can do and a prohibition states what an entity cannot do.
− The consent data policy is the subject’s policy definition that finalizes the access decision.

The access request is a tuple ⟨User, Subject, Object, Action, Purpose⟩. The consent data policy, which is the response to the request, is represented as a tuple ⟨Subject, User, PolicyObject, ConsentData⟩. A consent data set is a pair ⟨Subject, Quasi-Identifiers⟩ or ⟨Subject, Object⟩. A policy object is formed of ⟨Role, Action, Purpose, Constraint⟩.

The model is represented in the description logic ALCQ and has the following atomic concepts and roles:

− atomic concepts are Subject, User, Role, Organization, Action, Object, Quasi-Identifier, Purpose, Policy Objects, Consent Data and Consent Data Policy.
− the atomic role hasRole links a user and a subject to a role.
− the atomic role isAnEmployee links a user to an organization.
− the atomic roles isOwnerOf and hasOwner are inverse roles and create a link between a subject and an object.
− the atomic role hasRequest links a user to a subject and the subject’s consent data.
− the atomic role hasConsentPolicy links a subject’s consent to a user’s request.
− the atomic role hasConsent links the subject and consent data to policy objects.
− the atomic role hasConstraint links actions and policy objects to constraints.
− the atomic role hasQuasiIdentifier links a subject to a quasi-identifier.
− the atomic role hasAction links a policy object to an action.
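As an added example (not code from the paper), the sets and tuples above encoded in Python together with the decision step that maps an access request ⟨User, Subject, Object, Action, Purpose⟩ to a consent data policy ⟨Subject, User, PolicyObject, ConsentData⟩, run on the Bob/Mary scenario the paper works through in Section 4. The meaning of the DoctorOfPatient constraint and the default decision (prohibition when no policy object matches) are assumptions of this example.

```python
# Added example (not from the paper): the consent model's tuples in plain Python, evaluated
# on the Bob/Mary case study. Constraint semantics and the default decision are assumed here.
from collections import namedtuple
User = namedtuple("User", "name role organization")  # hasRole, isAnEmployee
PolicyObject = namedtuple("PolicyObject", "kind role action purpose constraint")
Request = namedtuple("Request", "user subject object action purpose")
ConsentPolicy = namedtuple("ConsentPolicy", "subject user policy_object consent_data")
# Constraint name -> predicate over (user, subject). Only the paper's DoctorOfPatient
# constraint is modelled; it is assumed to mean "user is one of the subject's doctors".
CONSTRAINTS = {"DoctorOfPatient": lambda u, s: u.name in s.doctors,
               "None": lambda u, s: True}

class Subject:
    """Owner of consent data: hasQuasiIdentifier, isOwnerOf, and consent datum -> policy objects."""
    def __init__(self, name, quasi_identifiers, objects, doctors=()):
        self.name, self.quasi_identifiers = name, tuple(quasi_identifiers)
        self.objects, self.doctors, self.consent = set(objects), set(doctors), {}
    def consent_data(self, obj):
        """CD is <Subject, Quasi-Identifiers> or <Subject, Object>, otherwise None."""
        return (self.name, obj) if obj == "QuasiIdentifier" or obj in self.objects else None

def evaluate(request, subjects):
    """Map a request to the subject's consent policy <Subject, User, PolicyObject, CD>.
    Assumed: a matching prohibition beats a permission; no match means prohibition."""
    subject = subjects[request.subject]
    cd = subject.consent_data(request.object)
    if cd is None:
        raise ValueError(f"{request.object} is not consent data of {request.subject}")
    decision = PolicyObject("Prohibition", request.user.role, request.action, request.purpose, "None")
    for po in subject.consent.get(request.object, ()):
        if ((po.role, po.action, po.purpose) == (request.user.role, request.action, request.purpose)
                and CONSTRAINTS[po.constraint](request.user, subject)):
            decision = po
            if po.kind == "Prohibition":
                break
    return ConsentPolicy(subject.name, request.user.name, decision, cd)

# The paper's case study: Bob is Mary's doctor, Mary owns the BloodTest result.
bob = User("Bob", "Doctor", "MedicalCityHospital")
mary = Subject("Mary", ["Name", "Gender", "DateOfBirth", "SocialSecurityNumber"], ["BloodTest"], ["Bob"])
mary.consent["BloodTest"] = [PolicyObject("Permission", "Doctor", "Publish", "Research", "DoctorOfPatient")]
mary.consent["QuasiIdentifier"] = [PolicyObject("Prohibition", "Doctor", "Publish", "Research", "DoctorOfPatient")]
SUBJECTS = {"Mary": mary}

def case_study():
    """Bob's two Publish-for-Research requests; returns the two decision kinds."""
    r1 = evaluate(Request(bob, "Mary", "QuasiIdentifier", "Publish", "Research"), SUBJECTS)
    r2 = evaluate(Request(bob, "Mary", "BloodTest", "Publish", "Research"), SUBJECTS)
    return r1.policy_object.kind, r2.policy_object.kind
```

A doctor who is not one of Mary's doctors, or a user in another role, fails the constraint or role match and falls through to the assumed default prohibition.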
The consent management model rules have the following forms:

$\forall Subject\; hasRole(Subject, Role),\quad Role \sqsubseteq hasRole.Subject$
$\forall User\; hasRole(User, Role),\quad Role \sqsubseteq hasRole.User$
$\exists User\; isAnEmployee(User, Organization),\quad Organization \sqsubseteq isAnEmployee.User$
$\forall Object\,(hasOwner(Object, Subject)) \leftrightarrow \exists Subject\,(isOwnerOf(Subject, Object))$
$\exists Subject\,(hasQI(Subject, QuasiIdentifier))$
$\exists Subject\,(hasConsentData(Subject, ConsentData))$
$\forall PolicyObjects\,(hasAction(PolicyObjects, Action))$
$CD \equiv S \sqcap (\exists hasQuasiIdentifier.Subject \sqcup \exists isOwnerOf.Subject)$
$U \times S \times O \times A \times P \rightarrow hasRequest.User$
$S \times U \times PO \times CD \rightarrow hasConsentPolicy.Subject$
$R \times A \times P \times T \rightarrow PO$
$Permission \equiv \neg Prohibition \quad\text{and}\quad Prohibition \equiv \neg Permission$

4 A Case Study

In this section, we illustrate a practical example of the consent management model for electronic health information systems. The example model is illustrated according to the syntax given in the previous section. In the case study, Bob is the doctor of Mary, who has quasi-identifiers and is the owner of the BloodTest result file:

hasRole(Bob) ≡ Doctor
isAnEmployee(Bob, MedicalCityHospital)
isDoctorOf(Bob, Mary) ≡ hasPatient(Bob, Mary)
hasRole(Mary) ≡ Patient
hasDoctor(Mary, Bob) ≡ isPatientOf(Mary, Bob)
isOwnerOf(Mary, BloodTest)
hasQuasiIdentifier(Mary, (Name, Gender, DateOfBirth, SocialSecurityNumber))

Bob makes two requests to publish his patient Mary’s quasi-identifiers and BloodTest result for his Research purpose:

hasRequest1(Bob) = (Bob, Mary, Publish, QuasiIdentifier, Research)
hasRequest2(Bob) = (Bob, Mary, Publish, BloodTest, Research)

Mary defines two consent data concepts that include her quasi-identifiers and her BloodTest result, respectively:

CD1(Mary) = hasConsentData(Mary, QuasiIdentifier)
CD2(Mary) = hasConsentData(Mary, BloodTest)

Mary defines a permission for requests to her BloodTest result from the doctors who are responsible for her, in order to publish her result for the Research purpose:

PermissionDoctor = (Doctor, Publish, Research, DoctorOfPatient(Mary))

On the other hand, Mary prohibits Bob from publishing her quasi-identifiers for his Research purpose:

ProhibitionQI = (Doctor, Publish, Research, DoctorOfPatient(Mary))

The final responses to Bob’s requests are Mary’s consent policies for the respective requests:

hasConsentPolicy1(Mary) = (Mary, Bob, ProhibitionQI, CD1(Mary))
hasConsentPolicy2(Mary) = (Mary, Bob, PermissionDoctor, CD2(Mary))

The first consent policy includes the consent data concept named CD1(Mary). Similarly, the second consent policy includes CD2(Mary). In this manner, Mary can control who can access her personal records and for what purposes these data can be used. She can categorize her records as consent data and determine access levels according to the request’s purpose. Eventually, she allows the usage of her personal data while protecting her privacy.

5 Conclusion

In the proposed consent management model, users can manage who can access which part of their data, under what circumstances and for what purposes. Thus, users not only protect their privacy, but also contribute to improving the quality of personal data usage for specific acceptable reasons. As future work, the consent policy ontologies of the proposed model will be created and queried to execute and test scenarios of the model. Roles of the consent management model will be represented with Friend-Of-A-Friend (FOAF, http://www.foaf-project.org) profiles. A reasoning engine will also be developed to demonstrate the use of the consent policy rules.

References

1. Sweeney, L.: Uniqueness of Simple Demographics in the U.S. Population. Technical Report, Carnegie Mellon University (2000)
2. Cooper, T., Collman, J.: Managing Information Security and Privacy in Healthcare Data Mining: State of the Art. Medical Informatics: Knowledge Management and Data Mining in Biomedicine 8, 95–137 (2005)
3. Kluge, E.-H.W.: Informed consent and the security of the electronic health record (EHR): Some policy considerations. International Journal of Medical Informatics 73(3), 229–234 (2004)
4. Sweeney, L.: k-Anonymity: A Model for Protecting Privacy. International Journal on Uncertainty, Fuzziness and Knowledge-based Systems 10(5), 557–570 (2002)
5. Machanavajjhala, A., Gehrke, J., Kifer, D., Venkitasubramaniam, M.: ℓ-Diversity: Privacy Beyond k-Anonymity. In: Proceedings of the 22nd International Conference on Data Engineering (ICDE 2006), p. 24 (2006)
6. Li, N., Li, T., Venkatasubramanian, S.: t-Closeness: Privacy Beyond k-Anonymity and ℓ-Diversity. In: Proc. of Int. Conf. on Data Engineering (ICDE 2007) (2007)
7. Coiera, E., Clarke, R.: e-Consent: The Design and Implementation of Consumer Consent Mechanisms in an Electronic Environment. Journal of the American Medical Informatics Association 11(2), 129–140 (2004)
8. Anderson, R.J.: A Security Policy Model for Clinical Information Systems. In: Proceedings of the 1996 IEEE Symposium on Security and Privacy (1996)
9. Blobel, B.: Authorisation and Access Control for Electronic Health Record Systems. International Journal of Medical Informatics 73(3), 251–257 (2004)
10. Khan, A., Nadi, S.: Consentir: An Electronic Patient Consent Management System. In: 4th Annual Symposium of Health Technology (2010)
11. Becker, M.Y., Sewell, P.: Cassandra: Flexible Trust Management, Applied to Electronic Health Records. In: Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW 2004), pp. 139–154 (2004)
12. Ko, Y.-Y., Liou, D.-M.: The Study of Managing the Personal Consent in the Electronic Healthcare Environment. World Academy of Science, Engineering and Technology 65, 314 (2010)
13. Russello, G., Dong, C., Dulay, N.: Consent-based Workflows for Healthcare Management. In: Proceedings of the 2008 IEEE Workshop on Policies for Distributed Systems and Networks (2008)
14. Samarati, P.: Protecting Respondents’ Identities in Microdata Release. IEEE Transactions on Knowledge and Data Engineering 13(6), 1010–1027 (2001)