A database system (1) and a method (100), comprising a database system memory (3) and at least a first database server (9). The database system memory (3) stores a database of data records (7) and shared program instructions (51) between first and second database users (21, 31). The shared program instructions (51) define a privacy model (13) comprising privacy restrictions (14, 23, 33) for the first and second database users (21, 31), respectively, and specify an authorization model (19) comprising a first set of authorizations (25', 35') that permit the first database user (21) to manipulate a first subset (27) of the data records consistent with the first user's privacy restrictions (23', 33') and a second set of authorizations (25'', 35'') that permit the second user (31) to manipulate a second subset (37) of the data records consistent with the second user's privacy restrictions (23'', 33''). The database server (9) includes a processor (11) configured to execute the shared program instructions (51), wherein the shared program instructions (51), when executed by the processor (11): (1) process (110) a transaction (53) submitted by the first or second database user (21, 31); (2) determine (120) whether the transaction (53) conforms to the privacy and authorization models (13, 19); and (3) if the transaction passes step 2, commit (130) the transaction (53) and manipulate (55) the first or second subset of data records (27, 37) consistent with privacy and authorization models (13, 19).
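
The process, check and commit steps described above, as an added Python example that is not part of the original text. The user names, record ids, and the representation of each model as a per-user set of record ids are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class SharedModel:
    """Rules shared by both users (stands in for the shared program instructions)."""
    visible: dict    # privacy model (assumed form): user -> record ids the user may see
    writable: dict   # authorization model (assumed form): user -> ids the user may manipulate

    def __post_init__(self):
        # Authorizations must be consistent with the privacy restrictions:
        # no user may manipulate a record that user is not allowed to see.
        for user, ids in self.writable.items():
            extra = ids - self.visible.get(user, set())
            if extra:
                raise ValueError(f"{user} authorized on hidden records: {sorted(extra)}")

@dataclass
class Database:
    model: SharedModel
    records: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def conforms(self, user, writes):
        """Step 2: every record the transaction touches must pass both models."""
        ids = set(writes)
        return (ids <= self.model.visible.get(user, set())
                and ids <= self.model.writable.get(user, set()))

    def submit(self, user, writes):
        """Steps 1-3: process the transaction, check it, commit all writes or none."""
        if not self.conforms(user, writes):
            self.log.append((user, "rejected", sorted(writes)))
            return False
        self.records.update(writes)  # commit happens only after the check passed
        self.log.append((user, "committed", sorted(writes)))
        return True

    def view(self, user):
        """Reads are filtered by the privacy model."""
        allowed = self.model.visible.get(user, set())
        return {k: v for k, v in self.records.items() if k in allowed}

def demo():
    # Constructed sample data: two users with overlapping visibility on r2.
    model = SharedModel(visible={"alice": {"r1", "r2"}, "bob": {"r2", "r3"}},
                        writable={"alice": {"r1"}, "bob": {"r2", "r3"}})
    db = Database(model, {"r1": 10, "r2": 20, "r3": 30})
    ok = db.submit("alice", {"r1": 11})
    mixed = db.submit("alice", {"r1": 12, "r2": 99})  # r2 is visible but not writable
    hidden = db.submit("alice", {"r3": 0})            # r3 is not visible to alice
    return ok, mixed, hidden, db.view("alice"), db.view("bob")
```

The second transaction is rejected as a whole, so the permitted write to `r1` inside it is not applied either.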