Privacy-Aware Workflow Management

Information security policies play an important role in achieving information security. Confidentiality, Integrity, and Availability are classic information security goals attained by enforcing appropriate security policies. Workflow Management Systems (WfMSs) also benefit from inclusion of these policies to maintain the security of business-critical data. However, in typical WfMSs these policies are designed to enforce the organisation’s security requirements but do not consider other external security requirements. Privacy is an important security requirement that concerns the subject of data held by an organisation. WfMSs often process sensitive data related to subjects who demand that their data is properly protected, but WfMSs fail to enforce the subjects’ privacy desire due to their inability to capture and enforce privacy policies. In this paper, we illustrate existing WfMS privacy weaknesses and introduce the WfMS extensions required to enforce data privacy. We implemented the extensions in the YAWL WfMS environment and present a case study to demonstrate how our extended WfMS enforces a subject’s privacy policy.