The protection of privacy is an increasing concern in today's global infrastructure. One of the most important privacy protection principles states that personal information collected for one purpose may not be used for any other purpose without the specific informed consent of the person it concerns. Although users provide personal information for use in one specific context, they often have no idea on how such a personal information may be used subsequently. In this paper, we introduce a new type of privacy policy, called data handling policy, which defines how the personal information release will be (or should be) dealt with at the receiving party. A data handling policy allows users to define simple and appropriate levels of control over who sees what information about them and under which circumstances.