Slide 1

On Handling Data Minimisation for Workflows: Preliminary Approach
‣ Slides at https://irem.dev
Saliha Irem Besik, [email protected]
Supervisor: Prof. Johann-Christoph Freytag, Ph.D.
@irembesik

Slide 2

General Data Protection Regulation
GDPR Article 5 - Principles relating to processing of personal data:
• Lawful processing
• Purpose Limitation
• Data Minimisation
• Accuracy
• Integrity & Confidentiality
• Storage Limitation

S.I. Besik, On Handling Data Minimisation for Workflows, December 12, ’19

Slide 3

General Data Protection Regulation
GDPR Article 5 - Principles relating to processing of personal data: Data Minimisation

Slide 4

What is Data Minimisation?
Personal data should be
• adequate
• relevant and
• limited to what is necessary
in relation to the purposes for which they are processed

Slide 6

Outline
• Motivation
• Foundation
• Research Problem
• Approach
• Summary & Outlook

Slide 7

Outline
• Motivation
  ‣ Privacy by Design via Workflows
• Foundation
• Research Problem
• Approach
• Summary & Outlook

Slide 8

Motivating Example: Newborn Screening

Slide 9

Motivating Example: Newborn Screening
• Lab: sensitive blood data
• Pediatrician: medical data
• Desk: demographic data

Slide 10

Motivation: Privacy by Design
GDPR says: consider privacy at the design phase…
Good news: workflows might help!
A workflow includes a series of tasks to achieve a goal
‣ also how tasks are performed, in what order, and by whom

Slide 11

Privacy by Design via Workflows
Workflow (Model) ≈ Business Process Modeling Notation (BPMN) Model
BPMN Core Elements: Data Store, Data Object, Text Annotation, Pool, Lane, Task, Start Event, End Event, Exclusive Gateway, Inclusive Gateway, Parallel Gateway, Sequence Flow, Message Flow, Data Association, Association

Slide 12

Outline
• Motivation
• Foundation
  ‣ Data-Aware Workflow
  ‣ Privacy Policy
• Research Problem
• Approach
• Summary & Outlook

Slide 13

Foundation
Which sources are needed to handle data minimisation?
1. Data-Aware Workflow: which data attributes are (potentially) used for which purpose in the workflow
2. Privacy Policy: which data attributes are required to accomplish a certain purpose

Slide 14

Data-Aware Workflow = Workflow + Data Annotation
BPMN Core Elements: Data Store, Data Object, Text Annotation, Pool, Lane, Task, Start Event, End Event, Exclusive Gateway, Inclusive Gateway, Parallel Gateway, Sequence Flow, Message Flow, Data Association, Association

Slide 15

Data-Aware Workflow = Workflow + Data Annotation
BPMN Core Elements: Data Store, Data Object, Text Annotation, Pool, Lane, Task, Start Event, End Event, Exclusive Gateway, Inclusive Gateway, Parallel Gateway, Sequence Flow, Message Flow, Data Association, Association
* Different types of data handling in BPMN are stated in [1]
[1] Besik, Saliha Irem, and Johann-Christoph Freytag. "Ontology-Based Privacy Compliance Checking for Clinical Workflows."

Slide 16

Privacy Policy
• what data is collected for what purposes
• the modality of data processing, whether it is obligatory or voluntary
• how long it is retained

Slide 17

Privacy Policy
• what data is collected for what purposes → Data Minimization [2]
• the modality of data processing, whether it is obligatory or voluntary → Privacy Metadata [3]
• how long it is retained → Privacy Metadata [3]
[2] Besik, Saliha Irem, and Johann-Christoph Freytag. "A formal approach to build privacy-awareness into clinical workflows." SICS (2019): 1-12.
[3] Shastri, Supreeth, et al. "Understanding and Benchmarking the Impact of GDPR on Database Systems." Appears in VLDB 2020.

Slide 18

Outline
• Motivation
• Foundation
• Research Problem
• Approach
• Summary & Outlook

Slide 19

Research Problem
Workflows might violate data minimisation.
• How to detect data minimisation violations?
• How to recover WFs from data minimisation violations?

Slide 20

When does a Workflow violate data minimisation?
Personal data should be
• adequate
• relevant and
• limited to what is necessary
in relation to the purposes for which they are processed

Slide 21

When does a Workflow violate data minimisation?
Personal data should be
• adequate
• relevant and
• limited to what is necessary
in relation to the purposes for which they are processed
A privacy violation occurs when there is
1. Missing Data
2. Irrelevant Data or
3. Redundant Data

Slide 22

Outline
• Motivation
• Foundation
• Research Problem
• Approach
  ‣ Detection: Missing Data, Irrelevant Data, Redundant Data
  ‣ Recovery: Irrelevant Data
• Summary & Outlook

Slide 23

Missing Data - Detection
1. When a data object is to be read without having been written by any preceding task or event

Slide 24

Missing Data - Detection
1. When a data object is to be read without having been written by any preceding task or event
"Potential" violator & closed-world assumption

Slide 25

Missing Data - Detection
2. When some data attributes are not adequate to accomplish the stated purpose
Policy: treatment requires name, age and blood-type

Slide 26

Irrelevant Data - Detection
When some data attributes in the WF are not relevant to the stated purpose
Policy: treatment requires name, age and blood-type

Slide 27

Redundant Data - Detection
1. When a data object written by a task is neither read by any subsequent task nor passed to outside by an event

Slide 28

Redundant Data - Detection
1. When a data object written by a task is neither read by any subsequent task nor passed to outside by an event
"Potential" violator & closed-world assumption

Slide 29

Redundant Data - Detection
2. When the same piece of data is stored in different files or in different tables within a single database
Lost update is NOT redundancy

Slide 30

How to recover WFs from data minimisation violations?
1. Business Layer Recovery Strategies
   * Exception handler: trying alternatives, inserting / cancelling behaviour… [4]
2. Data Layer Recovery Strategies
   Data anonymization, undetectability, unobservability…
[4] Reichert, Manfred, and Barbara Weber. "Enabling flexibility in process-aware information systems: challenges, methods, technologies."

Slide 31

Irrelevant Data - Recovery
1. If there is no data dependency
Policy: treatment requires name, age and blood-type
Strategy: cancelling behaviour by deleting irrelevant data

Slide 32

Irrelevant Data - Recovery
1. If there is no data dependency
Policy: treatment requires name, age and blood-type
Strategy: cancelling behaviour by deleting irrelevant data
Problem: deleting the data / task might violate the temporal dependency, and also result in information loss

Slide 33

Irrelevant Data - Recovery
2. If it is a writing operation & no data dependency
Policy: treatment requires name, age and blood-type
Strategy: inserting behaviour - Handle Data (Error Event)
Handle Data: make the irrelevant data anonymized, unobservable etc.

Slide 34

Irrelevant Data - Recovery
3. If there is data dependency
Policy: payment requires SSN
Both strategies, cancelling & inserting behaviour, can be applied
Problem: might trigger new violations!

Slide 35

Irrelevant Data - Recovery
3. If there is data dependency
Policy: payment requires SSN
Both strategies, cancelling & inserting behaviour, can be applied
Problem: might trigger new violations! Might become redundant

Slide 36

Irrelevant Data - Recovery
Policy#1: payment requires SSN
Policy#2: treatment requires name, age and blood-type
Problem: might trigger new violations!

Slide 37

Irrelevant Data - Recovery
Policy#1: payment requires SSN
Policy#2: treatment requires name, age and blood-type
Problem: might trigger new violations! Might trigger a missing data issue
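The detection rules from the Missing / Irrelevant / Redundant Data slides and the recovery cascade from the Irrelevant Data recovery slides, as an added Python example (not the author's code or tooling). It assumes a linear workflow whose tasks are annotated with the attributes they read and write, an attribute set passed outside by an end or message event, and a constructed policy and workflow modelled loosely on the newborn-screening example; the closed-world assumption applies, so only writes inside the workflow count. The dependency check in `recover_irrelevant` is what prevents cancelling behaviour from turning an irrelevant-data finding into a missing-data finding downstream.

```python
import copy
from dataclasses import dataclass, field


@dataclass
class Task:
    name: str
    purpose: str                                  # the stated purpose this task serves
    reads: set = field(default_factory=set)       # attributes read from data objects
    writes: set = field(default_factory=set)      # attributes written to data objects


@dataclass
class Workflow:
    tasks: list                                   # tasks in sequence-flow order (assumed linear)
    exported: set = field(default_factory=set)    # attributes passed outside by an end/message event


# Constructed privacy policy: purpose -> attributes required for that purpose.
POLICY = {
    "registration": {"name", "age"},
    "treatment": {"name", "age", "blood_type"},
    "payment": {"ssn"},
}


def sample_workflow():
    """Constructed workflow (not from the slides): registration writes more than it needs."""
    return Workflow(tasks=[
        Task("register", "registration", writes={"name", "age", "ssn", "address"}),
        Task("lab_test", "treatment", reads={"name", "age"}, writes={"blood_type"}),
        Task("treat", "treatment", reads={"name", "age", "blood_type"}),
        Task("bill", "payment", reads={"ssn"}),
    ])


def missing_data(wf, policy):
    """Rule 1: read before any preceding write (closed world).
    Rule 2: the task's attributes are not adequate for its stated purpose."""
    findings, written = [], set()
    for t in wf.tasks:
        findings += [(t.name, "read-before-write", a) for a in sorted(t.reads - written)]
        required = policy.get(t.purpose, set())
        findings += [(t.name, "inadequate", a) for a in sorted(required - (t.reads | t.writes))]
        written |= t.writes
    return findings


def irrelevant_data(wf, policy):
    """Attributes a task touches that its stated purpose does not require."""
    return [(t.name, a) for t in wf.tasks
            for a in sorted((t.reads | t.writes) - policy.get(t.purpose, set()))]


def redundant_data(wf):
    """Rule 1: written, but never read by a later task nor passed outside by an event."""
    findings = []
    for i, t in enumerate(wf.tasks):
        later_reads = set().union(*(u.reads for u in wf.tasks[i + 1:]))
        findings += [(t.name, a) for a in sorted(t.writes - later_reads - wf.exported)]
    return findings


def has_data_dependency(wf, task_name, attr):
    """True if some task after task_name reads attr."""
    i = [t.name for t in wf.tasks].index(task_name)
    return any(attr in u.reads for u in wf.tasks[i + 1:])


def recover_irrelevant(wf, policy, check_dependency=True):
    """Cancelling behaviour (drop the attribute) when nothing downstream depends on it;
    otherwise inserting behaviour, recorded here as a Handle-Data action rather than
    modelled as a new task. check_dependency=False cancels blindly to show the cascade."""
    new, actions = copy.deepcopy(wf), []
    for task, attr in irrelevant_data(wf, policy):
        t = next(x for x in new.tasks if x.name == task)
        if check_dependency and has_data_dependency(new, task, attr):
            actions.append((task, "insert-handle-data", attr))
        else:
            t.reads.discard(attr)
            t.writes.discard(attr)
            actions.append((task, "cancel", attr))
    return new, actions


if __name__ == "__main__":
    wf = sample_workflow()
    print("irrelevant:", irrelevant_data(wf, POLICY))
    print("redundant: ", redundant_data(wf))
    fixed, actions = recover_irrelevant(wf, POLICY)
    print("actions:   ", actions)
    blind, _ = recover_irrelevant(wf, POLICY, check_dependency=False)
    print("new missing-data findings after blind cancel:", missing_data(blind, POLICY))
```

Running the module flags `address` at `register` as both irrelevant and redundant, and `ssn` at `register` as irrelevant; the dependency-aware recovery cancels `address` but only records a Handle-Data step for `ssn`, because `bill` still reads it. Cancelling blindly instead removes the write of `ssn` and the re-run reports a read-before-write finding at `bill`, which is the cascade the slides warn about.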

Slide 38

Summary
‣ What is Data Minimisation?
  ‣ Personal data must be adequate, relevant and limited to what is necessary
‣ What is needed to handle data minimisation for workflows?
  ‣ Data-Aware Workflow
  ‣ Privacy Policy

Slide 39

Summary (continued)
Workflows might violate data minimisation.
‣ How to detect data minimisation violations?
‣ How to recover WFs from data minimisation violations?

Outlook
๏ Analysis of the optimality of the recovery strategies
๏ Conducting a use case study to show applicability