Achieving privacy preservation in a data-sharing computing environment is becoming a challenging problem. Some organisations may have published privacy policies that promise privacy protection practices for data collection, use and disclosure, but these practices may not be implemented. To maintain consistency between the privacy policy and the practices, the privacy protection requirements in the privacy policy should be formally specified. In specifying the privacy policy, we use purpose as the basis of access control. In this paper, we extend our previous work to specify purpose management. Purpose can be divided into two categories: intended purpose and access purpose. The privacy policy is to ensure that data can only be used for its intended purpose, and the access purpose should be compliant with the data’s intended purpose. We specify the entities in the purpose-based access control model. Using the technique of VDM, we then specify the invariants corresponding to the privacy requirements in...