Privacy in Business Processes - Disclosure of Personal Data to 3rd Parties


Transcript of Privacy in Business Processes - Disclosure of Personal Data to 3rd Parties

1 Sven Wohlgemuth On Privacy by Observable Delegation of Personal Data

National Institute of Informatics

Privacy in Business Processes
– Disclosure of Personal Data to 3rd Parties –

Dagstuhl Perspectives Workshop 11061 Online Privacy: Towards Informational Self-Determination on the Internet
February 6-11, 2011

Dr. Sven Wohlgemuth, Prof. Dr. Isao Echizen, Prof. Dr. Noboru Sonehara
National Institute of Informatics, Japan

Prof. Dr. Günter Müller
University of Freiburg, Germany

1. Privacy and Disclosure of Personal Data to Third Parties

Privacy legislation: "Privacy is the claim of individuals, groups and institutions to determine for themselves, when, how and to what extent information about them is communicated to others." (Westin, 1967 → regulations of Germany/EU, Japan and HIPAA)

[Figure: disclosure of personal data to third parties. The user discloses personal data d to a service that acts as data consumer (DC); that service, now also a data provider (DP), passes d and derived data d' on to further services (DC / DP), which pass them on again. Legend: DP = Data provider, DC = Data consumer, d, d' = Personal data.]

Access control: no usage control for the disclosure of personal data.

2 Privacy in Business Processes Dr. Sven Wohlgemuth
Wohlgemuth, S., Echizen, I., Müller, G., and Sonehara, N., 2010

Example: Cloud Computing (e.g. Patient and Electronic Health Card Infrastructure)

[Figure: parties handling the patient's medical data: Examination, Hospital, Dentist, Pharmacy, Laboratory, Drug maker, Advertiser, Employer, under different data protection legislations (e.g. EC 95/46/EC, Japan, HIPAA). Haas, S., Wohlgemuth, S., Echizen, I., Sonehara, N., and Müller, G., 2009]

The patient "inherits" responsibility and risk: dishonest parties may modify personal data or disclose it to 3rd parties without authorization.

→ Privacy problem: How can the patient control the disclosure of medical data to 3rd parties?

3 Privacy in Business Processes Dr. Sven Wohlgemuth

Safety of Data and Liveness of Services

Safety: authorized execution. Liveness: desirable execution.

[Figure: timeline t with the access request in the middle; provisions on the left, labelled "Access control", obligations on the right, labelled "Usage control".]

Provisions: cover the time up to the access ("past and present").
Obligations: cover the time after the access ("future").

4 Privacy in Business Processes Dr. Sven Wohlgemuth
Wohlgemuth, S., Echizen, I., Müller, G., and Sonehara, N., 2010

2. Usage Control by Data Provenance (1/2)

[Table: policies, mechanisms and methods of usage control by phase of execution. Preventive approaches act before and during the execution, reactive approaches after it.]

Before the execution (preventive):
- Policies: Enterprise Privacy Authorization Language (EPAL), Extended Privacy Definition Tools (ExPDT)
- Mechanisms & Methods: Process Rewriting, Workflow Patterns, Vulnerability Analysis

During the execution (preventive):
- Mechanisms & Methods: Execution Monitoring, Non-linkable Delegation of Rights

After the execution (reactive):
- Mechanisms & Methods: Model Reconstruction, Audits / Forensics, Architectures for Data Provenance

Müller, G., Accorsi, R., Höhn, S. and Sackmann, S., 2010

5 Privacy in Business Processes Dr. Sven Wohlgemuth

Usage Control by Data Provenance (2/2)

- Data provenance: information to determine the derivation history of data.
- In an audit, data provenance can be used to restore the information flow.

Example

[Figure: the example in four stages. The patient's medical data is held by the Laboratory and by the Advertiser; the data provenance attached to it names the parties the data passed through (Laboratory, Drug maker, Advertiser), from which the information flow can be reconstructed in an audit.]

6 Privacy in Business Processes Dr. Sven Wohlgemuth
Wohlgemuth, S., Echizen, I., Sonehara, N., and Müller, G., 2010

3. DETECTIVE: Data Provenance with Digital Watermarking

Watermarking is a method to bind provenance information as a tag to data. The EHR/Medical system must enforce that
– disclosed data is tagged with updated provenance information, and
– provenance information is authentic.

Steps of a disclosure (data provider, e.g. a local clinic; data consumer, e.g. an advertiser; EHR/Medical system with its watermarking service):
1) Access request
2) Fetch data
3) Apply tag
4) Deliver tagged data

7 Privacy in Business Processes Dr. Sven Wohlgemuth
Wohlgemuth, S., Echizen, I., Sonehara, N., and Müller, G., 2010

DETECTIVE: Digital Watermarking Scheme

Data provenance information:
– Linking identities of data provider and data consumer with access to personal data.
– Detection by the patient via delegated rights (privacy policy) to personal data.

[Figure: on each disclosure the identities of data provider and data consumer (e.g. Laboratory, Advertiser) together with the patient's delegated rights are embedded as a watermark tag ("Apply Tag"); an auditor later extracts the tag from the data held by a data consumer ("Verify Tag") and compares the recorded disclosures with the rights the patient delegated.]

8 Privacy in Business Processes Dr. Sven Wohlgemuth
Wohlgemuth, S., Echizen, I., Sonehara, N., and Müller, G., 2010
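A minimal model of the tag-and-verify cycle on this slide, added here as an illustration and not the DETECTIVE implementation: the paper embeds the tag as a digital watermark, whereas this example stands in for the watermark with an HMAC-authenticated provenance entry appended to the record (the service key, the party names and the delegated-rights policy are constructed).

```python
import hashlib
import hmac
import json

# Constructed key of the watermarking service; an HMAC stands in here for the
# watermark embedding that makes a DETECTIVE tag authentic (assumption).
SERVICE_KEY = b"constructed-watermarking-service-key"

# Constructed delegated rights (privacy policy): the consumers each provider
# may disclose the patient's data to.
PATIENT_RIGHTS = {"Patient": {"Laboratory"}, "Laboratory": {"Drug maker"}}

def _mac(entry):
    body = {k: v for k, v in entry.items() if k != "mac"}
    return hmac.new(SERVICE_KEY, json.dumps(body, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()

def apply_tag(tagged, provider, consumer):
    """Step 3 of a disclosure: extend the provenance chain with an authentic
    tag linking the provider's and consumer's identities to this access."""
    chain = list(tagged["provenance"])
    entry = {"provider": provider, "consumer": consumer,
             "prev": chain[-1]["mac"] if chain else ""}
    entry["mac"] = _mac(entry)
    return {"data": tagged["data"], "provenance": chain + [entry]}

def verify_tags(tagged, rights):
    """Auditor side: check that every tag is authentic and correctly chained,
    then compare each recorded disclosure with the delegated rights.
    Returns (authentic, information_flow, unauthorized_disclosures)."""
    prev = ""
    for entry in tagged["provenance"]:
        if entry["prev"] != prev or not hmac.compare_digest(_mac(entry), entry["mac"]):
            return False, [], []
        prev = entry["mac"]
    flow = [(e["provider"], e["consumer"]) for e in tagged["provenance"]]
    return True, flow, [h for h in flow if h[1] not in rights.get(h[0], set())]

def run_example():
    """Constructed scenario from the slides: the laboratory passes the data to
    an advertiser the patient never authorized; the audit reveals the hop."""
    record = {"data": "constructed medical record", "provenance": []}
    for provider, consumer in [("Patient", "Laboratory"),
                               ("Laboratory", "Drug maker"),
                               ("Laboratory", "Advertiser")]:
        record = apply_tag(record, provider, consumer)
    audit = verify_tags(record, PATIENT_RIGHTS)
    # A dishonest party that rewrites a tag breaks the MAC chain instead.
    forged = json.loads(json.dumps(record))
    forged["provenance"][2]["consumer"] = "Drug maker"
    return audit, verify_tags(forged, PATIENT_RIGHTS)
```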

DETECTIVE: Proof-of-Concept Implementation

Case study: Telemedicine – Consulting a clinic abroad

9 Privacy in Business Processes Dr. Sven Wohlgemuth
Wohlgemuth, S., Echizen, I., Müller, G., and Sonehara, N., 2010

4. Contact

Dr. Sven Wohlgemuth, DAAD Postdoctoral Scholar
National Institute of Informatics, 2-1-2 Hitotsubashi, Chiyoda-ku, Tokyo 101-8430, Japan
E-Mail: [email protected]
WWW: http://research.nii.ac.jp/~iechizen/official/content_e_sven.html

Publications:
- Wohlgemuth, S., Echizen, I., Müller, G., Sonehara, N.: Privacy-compliant Disclosure of Personal Data to Third Parties. it – Information Technology 52(6), Oldenbourg, pp. 350-355, 2010.
- Wohlgemuth, S., Echizen, I., Sonehara, N., Müller, G.: Tagging Disclosures of Personal Data to Third Parties to Preserve Privacy. IFIP SEC 2010, IFIP AICT 330, pp. 241-252, 2010. Selected as one of the best papers of IFIP SEC 2010.
- Haas, S., Wohlgemuth, S., Echizen, I., Sonehara, N., Müller, G.: Aspects of Privacy for Electronic Health Records. Int. Journal of Medical Informatics 80(2), Elsevier, pp. e26-e31, 2011.
- Haas, S., Wohlgemuth, S., Echizen, I., Sonehara, N., Müller, G.: On Privacy in Medical Services with Electronic Health Records. IMIA SiHIS 2009 workshops on CoHMI, 2009. Gerd Griesser Award 2009.

10 Privacy in Business Processes Dr. Sven Wohlgemuth