ENDORSE

Project Overview



ENDORSE is an EU-funded project concerned with providing a Technical Legal Framework for Privacy Preserving Data Management. The output of the project will be an open source toolset that gives Data Controllers as well as Data Subjects guarantees that personal data is being handled in a legally compliant manner. The project will also produce a certification methodology to help increase the trustworthiness of ICT products with respect to privacy and data protection.

Organisations collecting personal data need to ensure that the data management practices they employ comply with legal requirements and are not open to misuse by their employees. These data protection requirements introduce an overhead, both financial and operational.

Project Implementation


ENDORSE will bring together a consortium of data protection legal experts, academic computer science partners, software implementors and interested industry players. The project will produce a privacy rule definition language which will be used to express the appropriate European directives together with national legislative implementations. The language and these legislative instances along with the toolset to create legally compliant privacy policies will be released as open source.

Key Objectives


The primary objective of ENDORSE is to create an open and freely available legal technical toolset for privacy preserving data management that can be adopted by public bodies and enterprises to offer solid guarantees to service subscribers regarding the range of use of personal information on their systems.

This framework will consist of a legal and a technical component:

The legal component, informed by social science, the principles of human rights, data protection law and the limitations of technology, will create a specification for data access and manipulation within digital systems that can be adhered to by accumulators and aggregators of personal information. This component will also provide a roadmap for how this specification could be adopted as a standard for privacy preserving personal information storage in law and/or by voluntarily compliant parties.

The technical component will provide an architecture, a privacy rule definition language and a toolset for management of data access and manipulation that complies with the specification produced by the legal component, which provides a definition of a filtered scheme of access to data according to role-based policies, respecting data collection rationale, and utilising the state of the art in secure communication and encryption technologies and methods.

A major outcome of this project will be the enforcement of data-protection-compliant data access logic and clear definitions of the responsibilities of compliant data controllers and processors, with additional specifications for web applications such as the definition and generation of comprehensible privacy policies and a consistent interface for data subjects. This effort to standardise and harmonise data management practices and ensure legal compliance will be facilitated and enforced by the technological component of this project.

ENDORSE is concerned with addressing the following requirements:

• Data should be gathered for a particular purpose and the framework will ensure that this purpose is explicit and that data is not accessed or manipulated outside of that scope.

• Data should be accessible via a policy-driven data access interface, taking into account factors such as the accessing party’s role and the scope of data availability for the given access purpose.

• The data access interface should not admit direct access to raw data and will instead provide meaningful derived data units to fulfill agreed, contractual ‘data needs’ between data holder and service subscriber indicated by the data subject’s explicit consent.

• Personal data should remain accessible and alterable to subscribers, and personal information entered into a digital database should be limited to that which is sufficient for the subscriber to participate in the service they have subscribed to.

• Data stores should only be merged with explicit consent from subscribers according to a new contract agreeing the new ‘data needs’ between service provider and subscriber.

• Data store access should be determined by role, and the ‘data needs’ and/or rights associated with that role are a system-wide concept.
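To make the requirements above concrete, here is an added illustration (not code from the ENDORSE project) of a policy-driven access interface: access is granted only for a purpose the data subject has consented to, only to a role whose ‘data needs’ cover that purpose, and only as derived data units, never as the raw record. The records, consent, derived units and policy table are all constructed sample values.

```python
from datetime import date

# Constructed sample: a raw personal-data record held by a data controller.
RECORDS = {
    "subj-1": {"name": "A. Example", "dob": "1980-05-14",
               "postcode": "X91 ABC", "claims": [120, 340]},
}

# Constructed sample: purposes the subject has explicitly consented to (the agreed 'data needs').
CONSENT = {"subj-1": {"claims-handling", "service-notification"}}

# Derived data units: each maps the raw record to a coarser value, so callers never see raw fields.
def age_bracket(rec, as_of=date(2012, 1, 1)):
    dob = date.fromisoformat(rec["dob"])
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "under-18" if age < 18 else "18-64" if age < 65 else "65+"

def claims_total(rec):
    return sum(rec["claims"])

def region(rec):
    return rec["postcode"].split()[0]

DERIVED_UNITS = {"age_bracket": age_bracket, "claims_total": claims_total, "region": region}

# Role-based policy (hypothetical): (role, purpose) -> derived units that role may receive for it.
POLICY = {
    ("claims-handler", "claims-handling"): {"claims_total", "age_bracket"},
    ("notifier", "service-notification"): {"region"},
}

class AccessDenied(Exception):
    pass

def access(subject_id, role, purpose, units):
    """Return the requested derived units, or raise AccessDenied with an auditable reason."""
    if purpose not in CONSENT.get(subject_id, set()):
        raise AccessDenied(f"no consent from {subject_id} for purpose {purpose!r}")
    allowed = POLICY.get((role, purpose))
    if allowed is None:
        raise AccessDenied(f"role {role!r} has no data need for purpose {purpose!r}")
    out_of_scope = set(units) - allowed          # raw field names are never in any policy set
    if out_of_scope:
        raise AccessDenied(f"units {sorted(out_of_scope)} outside scope for {role!r}/{purpose!r}")
    rec = RECORDS[subject_id]
    return {u: DERIVED_UNITS[u](rec) for u in units}

def denial_reason(subject_id, role, purpose, units):
    """Helper for audit logging: the denial reason, or None when access would be granted."""
    try:
        access(subject_id, role, purpose, units)
        return None
    except AccessDenied as e:
        return str(e)
```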

ENDORSE will achieve this by bringing together a consortium of data protection legal experts with academic computer science partners and interested industry players.

The project will produce a privacy rule definition language which will be used to express data access and data processing requirements derived from the appropriate European directives together with the national implementations of the directives.

The language and these legislative instances along with the toolset to create legally compliant privacy policies that can be enforced by IT systems will be released as open source.

Two industry players will perform trials using this toolset. One of these partners is a large multi-national insurance organisation and the other a start-up web based organisation providing communications services online for end users.

Funding


EU FP7.

Contact


For more information please visit the ENDORSE project website or email the Project Manager, Paul Malone.

Phone: 00353 (0) 51 302924