
BPM Supported Privacy by Design for Cross-Organization Business Processes

  • Conference paper
  • Published in: Service-Oriented Computing - ICSOC 2014 Workshops
  • Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 8954)

Abstract

Satisfying privacy-related obligations within IT systems that involve multiple organizations is one of the most important, yet challenging, tasks in security engineering. When systems involve multiple actors, resources and computing devices, identifying data flows, actors' liabilities and access to data becomes a fundamental prerequisite for taking appropriate design choices that preserve privacy. To facilitate these tasks, principles such as Privacy by Design have been proposed. However, applying such principles implies rethinking the whole project development lifecycle in order to fulfil privacy, technical and administrative requirements at the same time, from the early stages of system design.

This paper reports our work on a project undertaken by the Province of Trento (Italy) on integrating social, health and other assistance services for the elderly. Within the project, we used business processes to support system design and development, from analysis to execution, while at the same time fulfilling privacy-related objectives. Specifically, we show how, by modelling cross-organization processes and by focusing on the involved actors and managed resources, we can provide the tools needed to involve analysts, designers, project managers and privacy experts during system design and to support them in satisfying both privacy and technical requirements. The resulting process models are also used for partial automation and integration of the involved services.



Corresponding author: Jovan Stevovic


Copyright information

© 2015 Springer International Publishing Switzerland

Cite this paper

Stevovic, J., Sottovia, P., Marchese, M., Armellin, G. (2015). BPM Supported Privacy by Design for Cross-Organization Business Processes. In: Toumani, F., et al. (eds.) Service-Oriented Computing - ICSOC 2014 Workshops. Lecture Notes in Computer Science, vol 8954. Springer, Cham. https://doi.org/10.1007/978-3-319-22885-3_7

  • DOI: https://doi.org/10.1007/978-3-319-22885-3_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-22884-6

  • Online ISBN: 978-3-319-22885-3
