A Data-Centric Approach for Privacy-Aware Business Process Enablement

  • Stuart Short
  • Samuel Paul Kaluvuri
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 76)


In a SOA context, enterprises can use workflow technologies to orchestrate available business processes and their corresponding services and apply business rules or policies to control how they can be used and who can use them. This approach becomes a bit more complex when a set of business processes includes services that derive outside the company’s domain and therefore can be difficult to align with existing rules/policies. In the privacy and security domain, access control and policy languages are used to define what actions can be performed on resources, by whom, for what purpose and in what context. In this paper we propose an approach for dealing with the inclusion of internal and/or external services in a business process that contains data handling policies.


privacy policy BPM SOA web services 


  1. 1.
    Platform for Privacy Preferences (P3P) Project,
  2. 2.
    Primelife, European project,
  3. 3.
    WSDL specifications,
  4. 4.
  5. 5.
    Miller, S., Weckert, J.: Privacy, the Workplace and the Internet. Journal of Business Ethics, 255–265 (2000)Google Scholar
  6. 6.
    Eddy, E.R., Stone, D.L., Stone-Romero, E.F.: The effects of information management policies on reactions to human resource information systems: An integration of privacy and procedural justice perspectives. Personnel Psychology 52(2), 335–358 (1999)CrossRefGoogle Scholar
  7. 7.
    Culnan, M., Smith, H., Bies, R.: Law Privacy and Organizations: The Corporate Obsession to know v. the individual right not to be known. In: Sitkin, S., Bies, R. (eds.) The Legalistic Organization, Thousand Oaks, CA, pp. 199–211 (1994)Google Scholar
  8. 8.
    Milne, G.R., Gordon, M.E.: Direct mail privacy-efficiency trade-offs within an implied social contract framework. Journal of Public Policy & Marketing 12(2), 206–215 (1993)Google Scholar
  9. 9.
    Milberg, S.J., Smith, H., Burke, S.J.: Information Privacy: Corporate Management and National Regulation. Organization Science, 35–57 (2000)Google Scholar
  10. 10.
    Dresner, S.: Data protection roundup. Privacy Laws Bus (U.K.), January, vol. (33), pp. 2–8 (1996)Google Scholar
  11. 11.
    Noel, J.: BPM and SOA: Better Together. White paper, IBM (2005)Google Scholar
  12. 12.
    Malinverno, P., Hill, J.B.: SOA and BPM are Better Together. Gartner, 3–11 (2007)Google Scholar
  13. 13.
    Chen, Q., Hsu, M.: Inter-Enterprise Collaborative Business Process Management. In: International Conference on Data Engineering, pp. 253–260 (2001)Google Scholar
  14. 14.
    Jafari, M., Safavi-Naini, R., Sheppard, N.P.: Enforcing Purpose of User via workflows. WPES (November 2009)Google Scholar
  15. 15.
    Chebbi, I., Tata, S.: Workflow abstraction for privacy preservation. In: Weske, M., Hacid, M., Godart, C. (eds.) WISE Workshops 2007. LNCS, vol. 4832, pp. 166–177. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  16. 16.
    Chinosi, M., Trombetta, A.: Integrating Privacy Policies into Business Processes. Journal of Research and Practice in Information Technology 41(2), 155–170 (2009)Google Scholar
  17. 17.
    Alhaqbani, B., Adams, M., Fidge, C., ter Hofstede, A.H.M.: Privacy-Aware Workflow Management. BPM Center Report BPM-09-06, (2009)Google Scholar
  18. 18.
    Sarbanes Oxley Act of 2002 (2002),
  19. 19.
    Information Systems Audit and Control Association (ISACA), CobiT4.1:
  20. 20.
    Ashley, P., Powers, C., Schunter, M.: From privacy promises to privacy management: a new approach for enforcing privacy throughout an enterprise. In: NSPW 2002: Proceedings of the 2002 Workshop on New Security Paradigms, pp. 43–50. ACM, New York (2002)CrossRefGoogle Scholar
  21. 21.
    Bandhakavi, S., Zhang, C.C., Winslett, M.: Super-sticky and declassifiable release policies for flexible information dissemination control. In: WPES 2006: Proceedings of the 5th ACM Workshop on Privacy in Electronic Society, pp. 51–58. ACM, New York (2006)CrossRefGoogle Scholar
  22. 22.
    EPAL: Enterprise privacy authorisation language,
  23. 23.
    Prime: Privacy and identity management for europe (prime),
  24. 24.
    Mont, M.C., Pearson, S., Bramhall, P.: Towards accountable management of identity and privacy: Sticky policies and enforceable tracing services. Technical report (2003),
  25. 25.
  26. 26.
    Grandison, T., Bilger, M., Graf, M., Swimmer, M., Schunter, M., Wespi, A., Zunic, N., O’Connor, L.: Elevating the Discussion on Security Management - The Data Centric Paradigm. In: Proceedings of the 2nd IEEE/IFIP International Workshop on Business-driven IT Management, pp. 89–93. IEEE Press, Piscataway (2007)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Stuart Short
    • 1
  • Samuel Paul Kaluvuri
    • 1
  1. 1.Sap Labs FranceMougins CedexFrance

Personalised recommendations