SAN FRANCISO - IBM Wednesday introduced a set of tools that will help companies automatically set and manage privacy policies that govern access to sensitive data stored in corporate applications and databases.

IBM's new XML-based programming language called Enterprise Privacy Authorization Language (EPAL) allows developers to build policy enforcement directly into enterprise applications. The move is another in a series by IBM to create a suite of tools and software to support identity management, a broad initiative that relies on user identity to control access and secure systems.

EPAL allows companies to translate clearly stated privacy policies into a language a machine can read and act upon.

“You may have a policy that says your primary care physician can look at some private patient data, but only in specific situations,” says Arvind Krishna, vice president of security products for IBM. “We don’t know how to do that with technology, we need a common language. With EPAL, you can go from an English language description of a policy to an XML-based representation of that policy.”

Krishna says the key is that privacy is based on the purpose for accessing the information and not just on an identity of the person seeking access.

EPAL builds on current privacy specifications, namely the Platform for Privacy Preferences (P3P) that provide privacy controls for information passed between business applications and consumers with browsers. EPAL lets companies use those privacy controls internally with their corporate users.

The language will be part of an infrastructure that will include monitors that are built into the interface of corporate applications and databases and perform the enforcement of policies. IBM will use its Tivoli Privacy Manager as a hub that the monitors plug into to check policies. The Privacy Manager will store policies, as well as, log and audit access to data as a means to document policy enforcement.

“EPAL can express issues of time, data, what application is being accessed and from where and what role the person accessing the information is in,” says Fred Cohen, an analyst with the Burton Group. “It means you can express more interesting things. You could express HIPAA rules, although that would be complex.”