SPECIAL usage-policy

From Data Privacy Vocabularies and Controls Community Group

A vocabulary to express both the data subjects’ consent and the data usage policies of data controllers in formal terms, understandable by a computer, so as to automatically verify that the usage of personal data complies with data subjects’ consent.

The SPECIAL's Usage Policy Language (SPL)

The SPECIAL's Usage Policy Language considers that, according to the GDPR, usage policies consist of the following five elements, referred to as the minimum core model (MCM):

  • the data processed by the operation;
  • the purpose of the operation;
  • a description of the processing operation itself (e.g. “query”, “classification”, “disclosure”, etc.);
  • a description of where the result is stored and for how long (storage);
  • the entities that can access the result of the operation (recipients).

SPECIAL’s usage policies are encoded in OWL2, where authorizations that conceptually constitute the policy are naturally represented by OWL2 classes, and single authorizations by class instances. In addition, SPECIAL auxiliary vocabularies are defined to specify each of the five categories of the minimum core model above. These vocabularies partially re-use some previously defined privacy-related vocabularies (such as those introduced in P3P and ODRL) with minimal modifications and extensions needed to support SPECIAL’s pilots and the relevant GDPR concepts.


Covered Requirements

  • Taxonomy of regulatory privacy terms (including all GDPR terms) : specifies some GDPR terms in relation to the MCM
  • Taxonomy for personal data : specifies some categories of personal data
  • Taxonomy of purposes : specifies some categories of purposes
  • Taxonomy of disclosure : N/A
  • Metadata related to the details of anonymisation : N/A
  • Log vocabularies for immutably and securely recording: N/A
    • disclosure of consent :
    • revocation of consent :
    • policy changes :
    • transparency :
  • Taxonomy of linkage operations: N/A
  • Taxonomies of human behavior: N/A

Uptake and Covered Use-cases

Primary use-case: Can represent policies precisely and unambiguously, possibly by representing large sets of authorizations in a concise way. The policy language is equipped with an inference engine capable of checking reliably and exhaustively whether the usage policy adopted by the data controller complies with the usage policy in the data subject’s consent.

Reference use-cases:

  • SPECIAL/Proximus use case - personalized touristic recommendations : pending documentation of use-case
  • SPECIAL/DT use case - mobile network quality measurements : pending documentation of use-case
  • SPECIAL/TR use case - ‘Know Your Customer’ (finance, anti-money-laundering) : pending documentation of use-case

Terms and Concepts