Privacy-aware Resource Management in Processes

Recent initiatives such as the General Data Protection Regulation (GDPR) in the European Union put
privacy aspects in the centre of interest. The protection of personal data of individuals is no longer
solely an ethical consideration, but is widely enforced by legislation. At the same time, increasing
public awareness leads to a situation, where privacy breaches become a severe competitive
disadvantage for many organisations.

This trend has major implications for the domain of business analytics. Over the last decade, various
techniques to analyse the operations of large organisations based on data that was recorded during
the execution of business processes have been developed, known under the umbrella of process
mining. With the potential of these techniques unfolding, organisations intensify their efforts for
accurate and fine-granular recording of their processes. Once a process involves manual processing,
however, the resulting data enable sensitive conclusions on individual employees. As such, event logs
may breach privacy and violate informal self-determination, i.e., an individual’s ability to control,
who has access to their personal data.

An important branch of process mining is concerned with techniques for the analysis of resources in a
business process. In domains such as healthcare, logistics, or finance, the execution of business
processes is governed by the availability of resources. For instance, in treatment processes in a
hospital, patients compete for medical staff and equipment (CTs, X-rays, infusion stations); in logistics,
resources determine wait times at customs clearance; and in finance, loan approval processes are
highly influenced by the availability of specific knowledge workers. As a consequence, understanding
the availability and scheduling of resources is an important factor when striving for cost efficiency and
high customer satisfaction in process execution. Process mining for resource-centred processes, also
known as queue mining, provides means to generate insights about resource utilisation based on
process execution data. Earlier work by the German PI with a post-doc in the Canadian group, for
instance, showed how to construct queuing networks from such data, how to discover resource
scheduling protocols, and how to assess the conformance of scheduled and actual process
execution. However, as of now, no privacy-preserving methods that perform such analysis tasks
have been presented.

This joint effort sets out to bridge this gap and develop techniques for privacy-aware resource
management in business processes. The goal is to enable data-driven analysis of resource utilisation,
while protecting the privacy of the individuals involved in process execution. For the first time, we will
introduce formal privacy guarantees that have been proposed in the larger field of data management,
e.g., differential privacy and t-closeness, for the data-driven analysis of resource utilisation.
To achieve this goal, we will contribute formal notions and models necessary to reason about privacy
in resource management. This includes the formal specification of privacy risks encountered by the
individual persons, for which information systems store data during process execution (e.g. customers
and employees). The German partner has developed similar models for process mining techniques
that focus on a control-flow perspective, rather than the resources of a process. Based on these
formal foundations, we will develop algorithms that will provide a bound for the established privacy
risks when constructing performance models in an offline (based on event logs of past process
executions) and online (based on event streams of running process executions) manner and when
scheduling resources. We intend to evaluate our privacy-aware algorithms by comparing the resulting
utility against state-of-the-art algorithms that do not give any privacy guarantees, thereby making the
inherent trade-off explicit.

Weidlich, Matthias Prof. Dr. (Details) (Datenbanken und Informationssysteme)

Beteiligte Organisationseinheiten der HU

Projektstart: 01/2020
Projektende: 12/2021

Informatik, Privacy

Zuletzt aktualisiert 2021-04-01 um 17:51