NO.172 Policy Modelling and Reasoning
February 28 - March 3, 2022 (Check-in: February 27, 2022)
- Marina De Vos
- University of Bath, UK
- Sabrina Kirrane
- University of Economics and Business, Austria
- Julian Padget
- University of Bath, UK
- Ken Satoh
- National Institute of Informatics, Japan
*The schedule has been updated from the original one: March 2-5, 2020 (check-in: March 1, 2020).
A technology-agnostic definition of policy (from the OED) is “a course or principle of action adopted or proposed by an organization or individual”. The notion of policy that is the focus of this proposed workshop is the same, but specialised in the sense that we are concerned with how a policy may be made available as an explicit, knowledge-based, machine-processable representation within a computational system, so that both humans and software can read, process, and reason with respect to its contents. This raises transduction problems (in both directions), as well as the question of whether the cyber-representation is adequate to capture the physical-world intent.
Research on policy modelling and reasoning currently spans several communities (Semantic Web, Normative Multiagent Systems, Logic Programming, Knowledge Representation, Legal Informatics, Privacy and Security); however, there is no dedicated venue for researchers interested in policy modelling and reasoning to come together. The objective of this seminar is to provide a platform for researchers from these different communities to meet and discuss the state of the art and to devise a research roadmap for a policy modelling and reasoning community. The agenda will be driven by needs coming from a range of domains, for instance, government, social services, finance, taxation, and the services sector, all of which are reflected in our invitee list, and informed by the responses to the pre-meeting questionnaire.
The following is a non-exhaustive list of challenges that could be addressed in the context of the seminar:
- Several formalisms exist; however, it remains to be seen which are most appropriate for which task: use cases and experience reports are needed.
- Data processing and sharing, transparency, compliance and governance mechanisms are much needed from both a societal and an economical perspective.
- Policy conformance with natural language statements and legislation needs effective verification (“did we build the policy right?”) and validation (“did we build the right policy?”) mechanisms, compliance monitoring tools and enforcement mechanisms, and human-in-the-loop revision mechanisms.
- How to combine various policies and policy mechanisms: policy interoperation at model and technical levels.
- Derived policies for derived data. Correctness of derivation processes. Does a derived policy eventually become too restrictive through the repeated addition of conditions, or is some kind of automated refactoring possible to recover generalisations?
Topics to be discussed at the seminar
Policy modelling languages
Most real world policies are written in natural language, while formal policy languages are largely stuck in the research world. What makes a formal policy language adequate for modelling real policies? Is it always necessary to start from natural language representations? What kinds of policies can be modelled directly in machine-processable formats? Once there is a formal representation, which representation is the reference? Should it be possible to render the formal policy back into natural language? How does any/all of this fit with the policy-making process? Ambiguity and lack of precision are often important in real-world policies but hard to handle in machine-interpreted policies: how to approach this problem?
Policy verification, validation and interaction
Once a policy has been captured in a formal model there are two basic questions: the correctness of the process and the correctness of the product. Does a policy do what it was designed to do, what it was intended to do and what happens when it operates alongside other policies? What approaches are appropriate for policy debugging? How much coverage is acceptable/realistic? Are use cases sufficient? How to share them between policy models? Would it be useful to visualise policy activations in response to actions? What degree of monitoring of deployed policies is desirable/practical? How to understand the impact of one policy on another (and by generalisation, collections of policies)? Who are the stakeholders in the process of policy revision?
Policies and decentralised systems
Considering that knowledge is often distributed across a variety of data sources, how do we attach usage policies in a manner that enables policies to flow with data (i.e., sticky policies)? What enforcement, compliance and conformance mechanisms are needed to support various policies (i.e., access, usage control, social norms, legal) that are needed to govern decentralised applications (e.g. cyber physical social systems, normative multi agent systems, intelligent agents)? Can policies be used to support automated negotiation of credentials and constraints? Can transparency of policies help with query planning and encourage trust in decentralised applications? Are existing rule interchange formats suitable for supporting interoperability between policy driven systems? What are the possible attacker models for such systems?
Legal knowledge representation and reasoning
A policy may be defined to govern a business (or other) process, but its existence is typically due to (national) legislation and its function is to be a bridge between the provisions and requirements of the law and the implementation of a process that must comply with the law. This gives rise to a different compliance perspective from that above, namely whether the policy is consistent with the overarching legislation, and whether it allows for outcomes denied by the legislation (bugs) or not foreseen by the legislation (which may lead to revision). How is such compliance to be tested and how is the feedback loop to be realised? A second substantive topic arises from actors operating in several legal domains, or perhaps different parts of a business process taking place in different jurisdictions. What (legal, and other) remedies are available to synchronise policies across domains? Can such policies faithfully represent the essence of the legislation?
The primary outcome of the proposed seminar will be a joint policies research roadmap, including but not limited to identifying gaps and possible avenues for future work on:
- Use cases
Other potential longer term outcomes include:
- Joint publication(s)
- Position paper(s)
- Encyclopedia article(s)
- Community building (e.g., setup workshop / conference series)
Structure of the meeting
The seminar days will be structured as follows:
- Day 1: knowledge sharing - The seminar will begin with lightning talks by all participants followed by a select number of invited talks on the state of the art on core topics of interest arising from a pre-seminar questionnaire. The input from the pre-seminar questionnaire, together with the feedback gained from the knowledge sharing presentations will be used to agree on topics and objectives for the week, and to form groups based on the relatedness of the topics and the interests of the participants.
- Days 2-3: brainstorming - Although the plan for the week will be decided jointly with participants, we envisage short plenary sessions in the morning and after lunch, intermingled with working group breakout sessions throughout the day. Such an approach ensures that outputs from the various working groups are aligned, possible content crossovers are detected, and seminar participants have the ability to rework the agenda if so desired.
- Day 4: roadmapping - The final day of the seminar will be dedicated to using the outputs from the week to collectively derive a research roadmap.