Abstract
Satisfying privacy-related obligations within IT systems that span multiple organizations is one of the most important, yet challenging, tasks in security engineering. When systems involve multiple actors, resources and computing devices, identifying data flows, the actors' liabilities and their access to data becomes a fundamental prerequisite for making design choices that preserve privacy. Principles such as Privacy by Design have been proposed to facilitate these tasks. Applying them, however, means rethinking the whole project development lifecycle so that privacy, technical and administrative requirements are all addressed from the early stages of system design.
This paper reports our work on a project undertaken by the Province of Trento (Italy) to integrate social, health and other assistance services for the elderly. Within the project, we used business processes to support system design and development, from analysis to execution, while fulfilling privacy-related objectives at the same time. Specifically, we show how modelling cross-organization processes, with a focus on the actors involved and the resources they manage, provides the tools needed to involve analysts, designers, project managers and privacy experts during system design and to support them in satisfying both privacy and technical requirements. The resulting process models are also used for partial automation and integration of the services involved.
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Stevovic, J., Sottovia, P., Marchese, M., Armellin, G. (2015). BPM Supported Privacy by Design for Cross-Organization Business Processes. In: Toumani, F., et al. (eds.) Service-Oriented Computing - ICSOC 2014 Workshops. Lecture Notes in Computer Science, vol 8954. Springer, Cham. https://doi.org/10.1007/978-3-319-22885-3_7
DOI: https://doi.org/10.1007/978-3-319-22885-3_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-22884-6
Online ISBN: 978-3-319-22885-3
eBook Packages: Computer Science (R0)