Enabling Data Subjects to Remain Data Owners

Users have become used to accepting two unfortunate consequences of complying with requests to supply personal data to service providers. Firstly, the personal data that a user supplies becomes the property of the service provider, which means that the data subject loses control over what is subsequently done with their data. Secondly, provision of services is made on an “all or nothing” basis, being dependent upon the user supplying all the personal data requested by a service or forgoing use of that service entirely. We present an approach to personal data management which avoids these two unnecessary disadvantages. Personal Data Stores enable individuals to retain ownership and control of their personal data, granting service providers access to specific items of that data upon request whilst remaining the owners of their data. Trusted third parties will be required to curate the data in order to ensure that it is non-repudiatable. Privacy Policy Negotiation will enable data subjects to negotiate with service providers about how much of their personal data they disclose and how detailed that data is. Different levels of service can be provided depending on what personal data a user is prepared to disclose. In this paper we describe systems and algorithms for Personal Data Stores and Privacy Policy Negotiation which have been implemented and tested separately and show how they can be combined to the benefit of data subjects.