Incorporating Privacy Patterns Into Semi-Automatic Business Process Derivation

The design of systems capable of protecting users' privacy is a challenging endeavour. Since users are becoming more concerned about the amounts of their personal data handled, stored and shared by such systems it is imperative to identify methods for developing privacy-aware information systems. Current approaches either focus on the elicitation of user requirements at an abstract high level or approach the issue of privacy exclusively from a technical point of view. As a result, privacy implementations are often misaligned with the overarching system goals. This work improves the current situation by presenting an approach for the design of privacy-aware business processes. Goal models are created as a first step, for privacy requirements elicitation, and are then transformed into process models, thus bridging the gap between high level goals and low level processes. Privacy process patterns are utilised for the final instantiation of process models, achieving the satisfaction of the identified privacy objectives through the integration of privacy enhancing technologies. The main advantage of the proposed approach is its ability to map privacy from the strategic to the operational level through a semi-automatic process while offering designers adequate guidance to its operationalisation via the use of process patterns.