SQL's revoke with a view on privacy
Source: ACM International Conference Proceeding Series, Vol. 226
Proceedings of the 2007 annual research conference of the South African institute of computer scientists and information technologists on IT research in developing countries
Port Elizabeth, South Africa
Pages: 181-188
Year of Publication: 2007
ISBN: 978-1-59593-775-9
Authors
Wynand JC van Staden  University of Pretoria, Pretoria, South Africa
Martin S Olivier  University of Pretoria, Pretoria, South Africa
Sponsors: Telcom, COE, Microsoft
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1292491.1292512

ABSTRACT

Protecting access to data that can be linked to an individual (personally identifiable information, or PII), and thereby protecting the individual's privacy, can be accomplished through legislation, organisational safeguards, and technology. Of particular interest, and the focus of this paper, is the technological means by which data is protected; in particular, we consider the mechanisms of purpose binding and purpose limitation, which facilitate the organisational safeguards. Purpose binding allows an enterprise to specify its purpose for collected data, and purpose limitation controls access to information based on these purpose bindings.

Technologies that implement the aforementioned safeguards of PII form a subset of the technologies commonly referred to as Privacy Enhancing Technologies (PETs). Many legacy systems do not employ these safeguards, even though this can be accomplished by providing "wrapper" technologies that reside on top of these legacy systems.

This article continues work by the authors in which extensions to SQL were proposed in order to integrate PETs with structured databases. The extensions showed that access to data through SQL can be controlled non-intrusively, and that the general discretionary access control model provided by many database management systems can still be enforced. In our previous work the extensions were limited to the SQL grant and select statements.

In this article we propose a model for revoking privileges from database users, and thus consider the SQL revoke statement. We also show that the general principles of revoking privileges remain true for our proposed model. We also briefly consider extensions to the Data Manipulation Language (DML) commands that were not previously considered, namely insert, delete, and update.

