Umeå University's logo

Within the Ontology Based Data Access (OBDA) framework, users can query relational data sources using an ontology to which the source is linked via declarative mappings. In a world where data sharing is widespread, ensuring privacy while managing data poses a significant challenge. Controlled Query Evaluation (CQE) is a privacy preserving query answering framework in the presence of ontologies, where policies representing confidential information are used to devise suitable censors that enforce data protection. The integration of CQE within OBDA was recently proposed through the Policy-Protected OBDA (PPOBDA) framework, which is based on embedding policies into mappings. Such framework is essentially theoretical, and the effectiveness with which PPOBDA policies are able to capture real-world privacy requirements has not been assessed so far. In this work, we carry out such an evaluation, utilizing the well-known MIMIC-III hospital dataset, which recently has been mapped, by adopting the OBDA framework, to the Fast Healthcare Interoperability Resources (FHIR) ontology. We identify relevant privacy requirements by analyzing the legal regulations on data sharing expressed in HIPAA of US Federal Law and GDPR of the EU, show how they can be expressed via PPOBA policies, and analyze the impact of these policies on the answers to a set of representative queries. Our analysis exposes both strengths and weaknesses of the PPOBA framework in relation to these practically relevant privacy regulations. Furthermore, we perform a performance evaluation of the OBDA framework implemented over the MIMIC-III dataset via the FHIR ontology, assessing the overhead introduced by the PPOBDA policies and its implications on such real-world use case.

Virtual Knowledge Graph (VKG) is a well-established framework in which users can access a relational data source through an ontology and declarative mappings. VKG systems traditionally assume uniform access rights for all users, an assumption that does not always hold in real-world scenarios involving diverse user roles and sensitive information requiring protection. Controlled Query Evaluation (CQE) provides a privacy-preserving framework by enforcing policies that define confidential information and implementing censors to prevent policy violations. However, it does not account for differences in user privileges during query answering. To address this gap, we extend the Policy-Protected VKG (PPVKG) framework, which embeds CQE policies into VKG mappings, by enabling role-sensitive query answering. Specifically, we incorporate Role-Based Access Control (RBAC) into PPVKG, by associating to each user role a specific set of policies, and ensuring that during query evaluation, only the policies relevant to the user’s role are applied. We validate our RBAC enhanced PPVKG approach using the MIMIC-III critical-care database, mapped to the Fast Healthcare Interoperability Resources (FHIR) ontology. Our experiments, conducted with the open-source VKG system Ontop, demonstrate effective policy enforcement with RBAC.

In the Ontology Based Data Access (OBDA) framework, users access a relational data source by querying a domain ontology, whose classes and properties are connected to the data via declarative mappings. OBDA is adopted for data management in various sectors, notably healthcare, where confidentiality of information is a key concern that requires data to be properly protected from unauthorized accesses. Controlled Query Evaluation (CQE) is a framework for privacy-preserving query answering in the presence of an ontology. In CQE, policies are used to represent the information that should be kept confidential, and the aim is to devise from policy specifications suitable censors that enforce data protection. Therefore, it is desirable to integrate CQE in OBDA to obtain a robust privacy-aware data management framework. This has been done in the recently proposed Policy-Protected OBDA (PPOBDA) framework, which ensures the integration of CQE within OBDA by embedding policies into mappings. In this paper, we present an open-source solution that implements PPOBDA and a simplified algorithm for policy embedding, compared to previously proposed ones. This facilitates the adoption of PPOBDA using any OBDA query engine capable of translating SPARQL queries into SQL. In our implementation, we rely on Ontop, a state-of-the-art open-source OBDA tool.