The Privacy Requirements Specification Language
The Eddy language was designed by analyzing privacy policies that govern data practices. The language kernel supports expressions about data collection, use, and transfer, including ontological expressions about the types of actors, information types and purposes for which data is used.
Privacy requirements are expressed in an SQL-like specification syntax that binds information types to data purposes. A parser and compiler transform these specifications into Description Logic (DL) for analysis. For example:
SPEC HEADER
A medical-professional > phlebotomist,doctor
D medical-information \ ip-address
SPEC POLICY
P COLLECT bloodwork FROM phlebotomist FOR diagnosis
P TRANSFER medical-information TO medical-professional FOR treatment
The DL formalization is used to perform conflict detection, data flow tracing, and checking whether the specifications embody the Collection and Use Limitation Principles from the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. For more information, see our project website, publications and demo: https://gaius.isri.cmu.edu:8210/eddy/
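As an added illustration of the specification syntax above and of the conflict detection described here (example code, not the Eddy project's own parser or DL compiler): a small interpreter that reads the header as a type hierarchy and checks policy statements by subsumption instead of DL. It assumes that `>` declares subtypes, `\` declares an excluded subtype, and that an `R` (refrain) modality exists alongside `P` (permit); the final `R` line of the spec is constructed to show a conflict.

```python
import re

# Constructed spec: the page's example plus one assumed R (refrain) line to show a conflict.
SPEC = """SPEC HEADER
A medical-professional > phlebotomist,doctor
D medical-information \\ ip-address
SPEC POLICY
P COLLECT bloodwork FROM phlebotomist FOR diagnosis
P TRANSFER medical-information TO medical-professional FOR treatment
R TRANSFER medical-information TO doctor FOR treatment
"""

DECL = re.compile(r"^[AD] (\S+) ([>\\]) (.+)$")          # A/D name (> | \) members
STMT = re.compile(r"^([PR]) (COLLECT|USE|TRANSFER) (\S+) (?:FROM|TO) (\S+) FOR (\S+)$")

def parse(spec):
    """Return (subtypes, excluded, statements) from the SQL-like spec text."""
    subtypes, excluded, stmts = {}, {}, []
    for line in spec.splitlines():
        if not line.strip() or line.startswith("SPEC"):
            continue  # skip blank lines and the SPEC HEADER / SPEC POLICY markers
        if m := DECL.match(line):
            name, op, members = m.groups()
            table = subtypes if op == ">" else excluded   # assumed meaning of > and \
            table.setdefault(name, set()).update(x.strip() for x in members.split(","))
        elif m := STMT.match(line):
            stmts.append(m.groups())  # (modality, action, datum, party, purpose)
        else:
            raise ValueError(f"unparsable line: {line!r}")
    return subtypes, excluded, stmts

def subsumes(general, specific, subtypes, excluded):
    """True if `specific` is `general` or a (transitive) declared subtype not excluded from it."""
    if specific in excluded.get(general, ()):
        return False
    if general == specific:
        return True
    return any(subsumes(c, specific, subtypes, excluded) for c in subtypes.get(general, ()))

def permitted(spec, action, datum, party, purpose):
    """True if some P statement covers the requested action on the given terms."""
    sub, exc, stmts = parse(spec)
    return any(mod == "P" and act == action
               and subsumes(d, datum, sub, exc) and subsumes(p, party, sub, exc)
               and subsumes(u, purpose, sub, exc)
               for mod, act, d, p, u in stmts)

def conflicts(spec):
    """Pairs (P, R) on the same action whose datum, party and purpose all overlap."""
    sub, exc, stmts = parse(spec)
    overlap = lambda a, b: subsumes(a, b, sub, exc) or subsumes(b, a, sub, exc)
    return [(p, r) for p in stmts if p[0] == "P" for r in stmts if r[0] == "R"
            if p[1] == r[1] and all(overlap(p[i], r[i]) for i in (2, 3, 4))]
```

The `D ... \ ip-address` exclusion is what makes a transfer of `ip-address` fall outside the `medical-information` permission, while the actor hierarchy lets the `doctor`-specific refrain collide with the broader `medical-professional` permission.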