Automatically Proving Purpose Limitation in Software Architectures

  • Kai BavendiekEmail author
  • Tobias Mueller
  • Florian Wittner
  • Thea Schwaneberg
  • Christian-Alexander Behrendt
  • Wolfgang Schulz
  • Hannes Federrath
  • Sibylle Schupp
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 562)


The principle of purpose limitation is one of the corner stones in the European General Data Protection Regulation. Automatically verifying whether a software architecture is capable of collecting, storing, or otherwise processing data without a predefined, precise, and valid purpose, and more importantly, whether the software architecture allows for re-purposing the data, greatly helps designers, makers, auditors, and customers of software. In our case study, we model the architecture of an existing medical register that follows a rigid Privacy by Design approach and assess its capability to process data only for the defined purposes. We demonstrate the process by verifying one instance that satisfies purpose limitation and two that are at least critical cases. We detect a violation scenario where data belonging to a purpose-specific consent are passed on for a different and maybe even incompatible purpose.


Medical register GDPR Purpose limitation Compliance Data protection Privacy verification Software architectures 



The work is part of the Information Governance Technologies project which is funded by the Behörde für Wissenschaft, Forschung und Gleichstellung.

The IDOMENEO study is funded by the German Joint Federal Committee (Gemeinsamer Bundesausschuss, G-BA) (01VSF16008) and by the German Stifterverband as well as by the CORONA foundation (S199/10061/2015).


  1. 1.
    Akinyele, J.A., Lehmann, C.U., Green, M.D., Pagano, M.W., Peterson, Z.N.J., Rubin, A.D.: Self-protecting electronic medical records using attribute-based encryption. Technical report 565, November 2010Google Scholar
  2. 2.
    Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise privacy authorization language (EPAL). Research report. IBM Research (2003)Google Scholar
  3. 3.
    Bavendiek, K., Adams, R., Schupp, S.: Privacy-preserving architectures with probabilistic guaranties. In: Proceedings of the 16th International Conference on Privacy, Security and Trust, pp. 1–10. IEEE, August 2018Google Scholar
  4. 4.
    Behrendt, C.A., Ir, A.J., Debus, E.S., Kolh, P.: The challenge of data privacy compliant registry based research. Eur. J. Vascul. Endovasc. Surg. 55(5), 601–602 (2018)CrossRefGoogle Scholar
  5. 5.
    Behrendt, C.A., Pridöhl, H., Schaar, K., Federrath, H., Debus, E.S.: Klinische Register im 21. Jahrhundert. Der Chirurg 88(11), 944–949 (2017)CrossRefGoogle Scholar
  6. 6.
    Berman, J.J.: Confidentiality issues for medical data miners. Artif. Intell. Med. 26(1), 25–36 (2002)MathSciNetCrossRefGoogle Scholar
  7. 7.
    Breault, J.L., Goodall, C.R., Fos, P.J.: Data mining a diabetic data warehouse. Artif. Intell. Med. 26(1), 37–54 (2002)CrossRefGoogle Scholar
  8. 8.
    Cios, K.J., William Moore, G.: Uniqueness of medical data mining. Artif. Intell. Med. 26(1), 1–24 (2002)CrossRefGoogle Scholar
  9. 9.
    Drosatos, G., Efraimidis, P.S., Williams, G., Kaldoudi, E.: Towards privacy by design in personal e-Health systems. In: Proceedings of the 9th International Joint Conference on Biomedical Engineering Systems and Technologies, Rome, vol. 5, pp. 472–477, February 2016Google Scholar
  10. 10.
    Fischer-Hübner, S., Ott, A.: From a formal privacy model to its implementation. In: Proceedings of the 21st National Information Systems Security Conference (1998)Google Scholar
  11. 11.
    Forgó, N., Hänold, S., Schütze, B.: The principle of purpose limitation and big data. In: Corrales, M., Fenwick, M., Forgó, N. (eds.) New Technology, Big Data and the Law. PLBI, pp. 17–42. Springer, Singapore (2017). Scholar
  12. 12.
    Graf, C., Wolkerstorfer, P., Geven, A., Tscheligi, M.: A pattern collection for privacy enhancing technology, January 2010Google Scholar
  13. 13.
    Haas, S., Wohlgemuth, S., Echizen, I., Sonehara, N., Müller, G.: Aspects of privacy for electronic health records. Int. J. Med. Inform. 80(2), e26–e31 (2011)CrossRefGoogle Scholar
  14. 14.
    Hafiz, M.: A pattern language for developing privacy enhancing technologies. Softw.: Pract. Exp. 43(7), 769–787 (2013)Google Scholar
  15. 15.
    Karjoth, G., Schunter, M., Waidner, M.: Platform for enterprise privacy practices: privacy-enabled management of customer data. In: Dingledine, R., Syverson, P. (eds.) PET 2002. LNCS, vol. 2482, pp. 69–84. Springer, Heidelberg (2003). Scholar
  16. 16.
    Kaye, J., Boddington, P., de Vries, J., Hawkins, N., Melham, K.: Ethical implications of the use of whole genome methods in medical research. Eur. J. Hum. Genet. 18(4), 398–403 (2009)CrossRefGoogle Scholar
  17. 17.
    Kung, A.: PEARs: privacy enhancing architectures. In: Preneel, B., Ikonomou, D. (eds.) APF 2014. LNCS, vol. 8450, pp. 18–29. Springer, Cham (2014). Scholar
  18. 18.
    Mayer-Schönberger, V., Padova, Y.: Regime change? Enabling big data through Europe’s new data protection regulation. Columbia Sci. Technol. Law Rev. 17(315), 21 (2016)Google Scholar
  19. 19.
    Pilyankevich, E., Korchagin, I., Mnatsakanov, A.: Hermes. A framework for cryptographically assured access control and data security. Technical report 200, February 2018Google Scholar
  20. 20.
    Safran, C., et al.: Toward a national framework for the secondary use of health data: an American medical informatics association white paper. J. Am. Med. Inf. Assoc. 14(1), 1–9 (2007)CrossRefGoogle Scholar
  21. 21.
    Schulz: DS-GVO Art. 6 Rechtmäßigkeit der Verarbeitung. Gola, p. 210 (2018)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  • Kai Bavendiek
    • 1
    Email author
  • Tobias Mueller
    • 2
  • Florian Wittner
    • 3
  • Thea Schwaneberg
    • 4
  • Christian-Alexander Behrendt
    • 4
  • Wolfgang Schulz
    • 3
  • Hannes Federrath
    • 2
  • Sibylle Schupp
    • 1
  1. 1.Hamburg University of Technology (TUHH)HamburgGermany
  2. 2.University of Hamburg (UHH)HamburgGermany
  3. 3.Hans-Bredow-Institut for Media Research (HBI)HamburgGermany
  4. 4.University Medical Center Hamburg-Eppendorf (UKE)HamburgGermany

Personalised recommendations