
On Handling Data Minimisation for Workflows

S. Irem Besik
December 12, 2019


Transcript

  1. On Handling Data Minimisation for Workflows: Preliminary Approach ‣ Slides at https://irem.dev. Saliha Irem BESIK, [email protected], @irembesik. Supervisor: Prof. Johann-Christoph Freytag, Ph.D.
  2. GENERAL DATA PROTECTION REGULATION. GDPR Article 5 - Principles relating to processing of personal data: Lawful processing, Purpose Limitation, Data Minimisation, Accuracy, Integrity & Confidentiality, Storage Limitation. (Footer on every slide: S.I. Besik, On Handling Data Minimisation for Workflows, December 12, ’19 / 27 2)
  3. GENERAL DATA PROTECTION REGULATION. GDPR Article 5 - Principles relating to processing of personal data: Data Minimisation.
  4. WHAT IS DATA MINIMISATION? Personal data should be • adequate • relevant and • limited to what is necessary in relation to the purposes for which they are processed.
  6. OUTLINE: Motivation, Foundation, Research Problem, Approach, Summary & Outlook.
  7. OUTLINE: Motivation (Privacy by Design via Workflows), Foundation, Research Problem, Approach, Summary & Outlook.
  8. MOTIVATING EXAMPLE: NEWBORN SCREENING.
  9. MOTIVATING EXAMPLE: NEWBORN SCREENING. Lab: sensitive blood data. Pediatrician: medical data. Desk: demographic data.
  10. MOTIVATION: PRIVACY BY DESIGN. GDPR says: consider privacy at the design phase… Good news: workflows might help! A workflow includes a series of tasks to achieve a goal ‣ also how tasks are performed, in what order, and by whom.
  11. PRIVACY BY DESIGN VIA WORKFLOWS. Workflow (Model) ≈ Business Process Modeling Notation (BPMN) Model. BPMN Core Elements: Data Store, Data Object, Text Annotation, Pool, Lane, Task, Start Event, End Event, Exclusive Gateway, Inclusive Gateway, Parallel Gateway, Sequence Flow, Message Flow, Data Association, Association.
  12. OUTLINE: Motivation, Foundation (Data-Aware Workflow, Privacy Policy), Research Problem, Approach, Summary & Outlook.
  13. FOUNDATION. Which sources are needed to handle data minimisation? 1- Data-Aware Workflow: which data attributes are (potentially) used for which purpose in the workflow. 2- Privacy Policy: which data attributes are required to accomplish a certain purpose.
  14. DATA-AWARE WORKFLOW = Workflow (BPMN Core Elements: Data Store, Data Object, Text Annotation, Pool, Lane, Task, Start Event, End Event, Exclusive Gateway, Inclusive Gateway, Parallel Gateway, Sequence Flow, Message Flow, Data Association, Association) + …
  15. DATA-AWARE WORKFLOW = Workflow (BPMN Core Elements) + Data Annotation. * Different types of data handling in BPMN are stated in [1]. [1] Besik, Saliha Irem, and Johann-Christoph Freytag. "Ontology-Based Privacy Compliance Checking for Clinical Workflows."
  16. PRIVACY POLICY • what data is collected for what purposes • the modality of data processing, whether it is obligatory or voluntary • how long it is retained.
  17. PRIVACY POLICY (Privacy Metadata) • what data is collected for what purposes (Data Minimisation) • the modality of data processing, whether it is obligatory or voluntary • how long it is retained. [2] Besik, Saliha Irem, and Johann-Christoph Freytag. "A formal approach to build privacy-awareness into clinical workflows." SICS (2019): 1-12. [3] Shastri, Supreeth, et al. "Understanding and Benchmarking the Impact of GDPR on Database Systems." Appears in VLDB 2020.
  18. OUTLINE: Motivation, Foundation, Research Problem, Approach, Summary & Outlook.
  19. RESEARCH PROBLEM. A workflow might violate data minimisation. How to detect data minimisation violations? How to recover WFs from data minimisation violations?
  20. When does a workflow violate data minimisation? Personal data should be • adequate • relevant and • limited to what is necessary in relation to the purposes for which they are processed.
  21. When does a workflow violate data minimisation? Personal data should be • adequate • relevant and • limited to what is necessary in relation to the purposes for which they are processed. A privacy violation occurs when there is 1. Missing Data, 2. Irrelevant Data, or 3. Redundant Data.
  22. OUTLINE: Motivation, Foundation, Research Problem, Approach (Detection: Missing Data, Irrelevant Data, Redundant Data; Recovery: Irrelevant Data), Summary & Outlook.
  23. MISSING DATA - DETECTION. 1- When a data object is to be read without having been written by any preceding task or event.
  24. MISSING DATA - DETECTION. 1- When a data object is to be read without having been written by any preceding task or event. “Potential” violator & closed world assumption.
  25. MISSING DATA - DETECTION. 2- When some data attributes are not adequate to accomplish the stated purpose. Policy: treatment requires name, age and blood-type.
  26. IRRELEVANT DATA - DETECTION. When some data attributes in the WF are not relevant to the stated purpose. Policy: treatment requires name, age and blood-type.
  27. REDUNDANT DATA - DETECTION. 1- When a data object written by a task is neither read by any subsequent task nor passed to outside by an event.
  28. REDUNDANT DATA - DETECTION. 1- When a data object written by a task is neither read by any subsequent task nor passed to outside by an event. “Potential” violator & closed world assumption.
  29. REDUNDANT DATA - DETECTION. 2- When the same piece of data is stored in different files or in different tables within a single database. A lost update is NOT redundancy.
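An added example (not from the deck) that encodes the detection rules of slides 23–29 over a constructed newborn-screening workflow: each task declares its purpose and the attributes it reads and writes per data object, a policy maps each purpose to its required attributes, and detect() reports missing, irrelevant and redundant data. The sequential task order, the closed-world assumption, the "registration" purpose and the exported "invoice" object are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Task:
    name: str
    purpose: str
    reads: dict = field(default_factory=dict)   # data object -> attributes read
    writes: dict = field(default_factory=dict)  # data object -> attributes written

# Privacy policy: purpose -> required attributes (treatment/payment follow the slides; registration is assumed)
POLICY = {"registration": {"name", "age", "SSN"}, "payment": {"SSN", "amount"},
          "treatment": {"name", "age", "blood-type"}}

# Constructed newborn-screening workflow in execution order (assumed sequential, no
# gateways). Objects in EXPORTED leave the process through an end/message event.
WORKFLOW = [
    Task("Desk: register", "registration", writes={"demographic": {"name", "age", "SSN"}}),
    Task("Lab: screen blood", "treatment",
         reads={"demographic": {"name", "age"}, "consent": {"name"}},
         writes={"blood": {"blood-type"}}),
    Task("Pediatrician: treat", "treatment",
         reads={"demographic": {"name", "age", "SSN"}, "blood": {"blood-type"}},
         writes={"archive": {"blood-type"}}),
    Task("Billing: invoice", "payment", reads={"demographic": {"SSN"}},
         writes={"invoice": {"amount"}}),
]
EXPORTED = {"invoice"}

def detect(workflow=WORKFLOW, policy=POLICY, exported=EXPORTED):
    """Return {'missing' | 'irrelevant' | 'redundant': [(task, detail), ...]}."""
    v = {"missing": [], "irrelevant": [], "redundant": []}
    stored = {}  # attribute -> data objects it is written to
    for i, t in enumerate(workflow):
        before = {o for u in workflow[:i] for o in u.writes}           # closed world
        later = {o for u in workflow[i + 1:] for o in u.reads} | exported
        have = set().union(*t.reads.values(), *t.writes.values())
        need = policy[t.purpose]
        # missing (1): object read without any preceding task having written it
        v["missing"] += [(t.name, f"reads unwritten object {o}") for o in t.reads if o not in before]
        # missing (2): attributes not adequate for the purpose; irrelevant: not needed for it
        v["missing"] += [(t.name, f"lacks {a} for {t.purpose}") for a in sorted(need - have)]
        v["irrelevant"] += [(t.name, f"{a} not needed for {t.purpose}") for a in sorted(have - need)]
        # redundant (1): written object neither read by a later task nor passed outside
        v["redundant"] += [(t.name, f"writes {o}, never read") for o in t.writes if o not in later]
        for o, attrs in t.writes.items():
            for a in attrs:
                stored.setdefault(a, set()).add(o)
    # redundant (2): one attribute kept in two different objects (a repeated write to one object is an update, not redundancy)
    v["redundant"] += [("*", f"{a} stored in {sorted(objs)}") for a, objs in stored.items() if len(objs) > 1]
    return v
```

Running detect() on the constructed workflow flags the unwritten "consent" object (missing), the pediatrician's read of SSN (irrelevant), and the "archive" copy of blood-type (redundant on both counts), while the exported invoice is not reported.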
  30. How to recover WFs from data minimisation violations? 1- Business Layer Recovery Strategies: exception handler* (trying alternatives, inserting / cancelling behaviour…). 2- Data Layer Recovery Strategies: data anonymization, undetectability, unobservability… *[4] Reichert, Manfred, and Barbara Weber. "Enabling flexibility in process-aware information systems: challenges, methods, technologies."
  31. IRRELEVANT DATA - RECOVERY. Policy: treatment requires name, age and blood-type. 1- If there is no data dependency. Strategy: cancelling behaviour by deleting irrelevant data.
  32. IRRELEVANT DATA - RECOVERY. Policy: treatment requires name, age and blood-type. 1- If there is no data dependency. Strategy: cancelling behaviour by deleting irrelevant data. Problem: deleting the data / task might violate the temporal dependency and also result in information loss.
  33. IRRELEVANT DATA - RECOVERY. Policy: treatment requires name, age and blood-type. 2- If it is a writing operation & no data dependency. Strategy: inserting behaviour - Handle Data (via an Error Event). Handle Data: make the irrelevant data anonymised, unobservable etc.
  34. IRRELEVANT DATA - RECOVERY. Policy: payment requires SSN. 3- If there is data dependency. Both strategies (cancelling & inserting behaviour) can be applied. Problem: might trigger new violations!
  35. IRRELEVANT DATA - RECOVERY. Policy: payment requires SSN. 3- If there is data dependency. Both strategies (cancelling & inserting behaviour) can be applied. Problem: might trigger new violations! Might become redundant.
  36. IRRELEVANT DATA - RECOVERY. Problem: might trigger new violations! Policy#1: payment requires SSN. Policy#2: treatment requires name, age and blood-type.
  37. IRRELEVANT DATA - RECOVERY. Problem: might trigger new violations! Might trigger a missing data issue. Policy#1: payment requires SSN. Policy#2: treatment requires name, age and blood-type.
  38. SUMMARY ‣ What is Data Minimisation? ‣ Personal data must be adequate, relevant and limited to what is necessary ‣ What is needed to handle data minimisation for workflows? ‣ Data-Aware Workflow ‣ Privacy Policy
  39. OUTLOOK ‣ A WF might violate data minimisation ‣ How to detect data minimisation violations? ‣ How to recover WFs from data minimisation violations? ๏ Analysis of the optimality of the recovery strategies ๏ Conducting a use case study to show applicability