Privacy-aware Resource Management in Processes

Recent initiatives such as the General Data Protection Regulation (GDPR) in the European Union have put privacy at the centre of attention. Protecting the personal data of individuals is no longer solely an ethical consideration, but is widely enforced by legislation. At the same time, growing public awareness means that privacy breaches have become a severe competitive disadvantage for many organisations.

This trend has major implications for the domain of business analytics. Over the last decade, various techniques have been developed to analyse the operations of large organisations based on data recorded during the execution of business processes, known under the umbrella term of process mining [1]. As the potential of these techniques unfolds, organisations intensify their efforts towards accurate and fine-grained recording of their processes. Once a process involves manual work, however, the resulting data enables sensitive conclusions about individual employees. As such, event logs may breach privacy [2] and violate informational self-determination, i.e., an individual's ability to control who has access to their personal data [3].

An important branch of process mining is concerned with techniques for the analysis of resources in a business process. In domains such as healthcare, logistics, or finance, the execution of business processes is governed by the availability of resources. For instance, in treatment processes in a hospital, patients compete for medical staff and equipment (CT and X-ray scanners, infusion stations); in logistics, resources determine waiting times at customs clearance; and in finance, loan approval processes are strongly influenced by the availability of specific knowledge workers. As a consequence, understanding the availability and scheduling of resources is an important factor when striving for cost efficiency and high customer satisfaction in process execution. Process mining for resource-centred processes, also known as queue mining, provides means to generate insights into resource utilisation from process execution data. Earlier work by the German PI with a post-doc in the Canadian group, for instance, showed how to construct queueing networks from such data [4], how to discover resource scheduling protocols [5], and how to assess the conformance of scheduled and actual process execution [6]. However, as of now, no privacy-preserving methods for such analysis tasks have been presented.

This joint effort sets out to bridge this gap and to develop techniques for privacy-aware resource management in business processes. The goal is to enable data-driven analysis of resource utilisation while protecting the privacy of the individuals involved in process execution. For the first time, formal privacy guarantees proposed in the wider field of data management, e.g., differential privacy [7] and t-closeness [8], will be applied to the data-driven analysis of resource utilisation.

To achieve this goal, we will contribute the formal notions and models necessary to reason about privacy in resource management. This includes the formal specification of the privacy risks faced by the individuals (e.g., customers and employees) about whom information systems store data during process execution. The German partner has developed similar models for process mining techniques that focus on the control-flow perspective rather than on the resources of a process [9]. Based on these formal foundations, we will develop algorithms that bound the established privacy risks when constructing performance models offline (from event logs of past process executions) and online (from event streams of running process executions), and when scheduling resources. We intend to evaluate our privacy-aware algorithms by comparing their utility against state-of-the-art algorithms that give no privacy guarantees, thereby making the inherent privacy-utility trade-off explicit.
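As an added illustration of the kind of guarantee and trade-off described above (this is not code from the project or from the ELPaaS platform), the following Python script releases a simple resource-utilisation statistic, the number of events handled per resource, under epsilon-differential privacy. The event log, the resource names, the choice of the case (e.g. a patient) as the unit of privacy, and the assumption that the resource roster is public are all assumptions made for the example. Each case's contribution is clipped to at most k events so that the histogram has L1 sensitivity k, after which Laplace noise with scale k/epsilon on every bin gives the guarantee; the error against the exact counts makes the utility cost visible.

```python
"""Case-level epsilon-differentially private release of per-resource workload
counts from an event log. Added example; assumes the case (e.g. a patient) is
the unit of privacy and that the roster of resources is public knowledge."""
import math
import random
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, str, str]  # (case_id, activity, resource)

# Constructed sample log, not data from any real process.
EVENT_LOG: List[Event] = [
    ("c1", "triage", "nurse_A"),
    ("c1", "ct_scan", "ct_1"),
    ("c1", "consult", "doctor_X"),
    ("c2", "triage", "nurse_A"),
    ("c2", "consult", "doctor_Y"),
    ("c3", "triage", "nurse_B"),
    ("c3", "ct_scan", "ct_1"),
    ("c3", "consult", "doctor_X"),
    ("c3", "infusion", "infusion_2"),
    ("c3", "consult", "doctor_X"),
    ("c4", "triage", "nurse_B"),
    ("c4", "consult", "doctor_Y"),
]

# Assumed-public domain of bins: releasing a (noisy) count for every known
# resource avoids leaking which resources actually occur in the log.
RESOURCES = ["nurse_A", "nurse_B", "doctor_X", "doctor_Y", "ct_1", "infusion_2"]


def workload(log: List[Event]) -> Dict[str, int]:
    """Exact number of events handled per resource (no privacy protection)."""
    return dict(Counter(res for _, _, res in log))


def clip_cases(log: List[Event], k: int) -> List[Event]:
    """Keep at most k events per case (the first k in log order).

    After clipping, adding or removing one case changes the resource
    histogram by at most k in L1 norm, i.e. the query has sensitivity k.
    """
    kept: List[Event] = []
    seen: Dict[str, int] = defaultdict(int)
    for ev in log:
        if seen[ev[0]] < k:
            seen[ev[0]] += 1
            kept.append(ev)
    return kept


def laplace_noise(scale: float, rng: random.Random) -> float:
    """One sample from Laplace(0, scale) via the inverse CDF."""
    while True:
        u = rng.random() - 0.5  # uniform on [-0.5, 0.5)
        if abs(u) < 0.5:        # skip the boundary, where log(0) would occur
            return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_workload(log: List[Event], resources: List[str], epsilon: float, k: int,
                rng: Optional[random.Random] = None) -> Dict[str, float]:
    """Release the resource histogram with epsilon-DP at the case level.

    Sensitivity is k after clipping, so Laplace noise with scale k/epsilon
    on every bin (empty bins included) satisfies epsilon-differential privacy.
    """
    if epsilon <= 0 or k <= 0:
        raise ValueError("epsilon and k must be positive")
    if rng is None:
        rng = random.Random(0)  # fixed seed only so the demo is reproducible
    counts = workload(clip_cases(log, k))
    scale = k / epsilon
    return {r: counts.get(r, 0) + laplace_noise(scale, rng) for r in resources}


def max_abs_error(exact: Dict[str, int], released: Dict[str, float]) -> float:
    """Utility metric: worst-case deviation of released counts from the truth."""
    return max(abs(exact.get(r, 0) - v) for r, v in released.items())


def tradeoff(log: List[Event], resources: List[str], k: int,
             epsilons: List[float], seed: int = 0) -> Dict[float, float]:
    """Error of the DP release for several budgets; smaller epsilon means more noise."""
    exact = workload(log)
    rng = random.Random(seed)
    return {eps: max_abs_error(exact, dp_workload(log, resources, eps, k, rng))
            for eps in epsilons}


if __name__ == "__main__":
    print("exact:", workload(EVENT_LOG))
    print("dp (epsilon=1, k=3):", dp_workload(EVENT_LOG, RESOURCES, 1.0, 3))
    print("max abs error per epsilon:",
          tradeoff(EVENT_LOG, RESOURCES, 3, [0.1, 0.5, 1.0, 5.0]))
```

Two caveats a practitioner should keep in mind: the error reported by `tradeoff` has two sources, the Laplace noise (which shrinks as epsilon grows) and the clipping bias (case `c3` loses two of its five events for k = 3, which no increase of epsilon repairs), so k is itself a utility parameter. Second, the guarantee is only at the case level; protecting the employees behind the resources, as the project description also requires, needs a different neighbouring relation (one resource's events removed), whose sensitivity is the full workload of that resource and which therefore cannot be handled by this per-bin noise alone.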

The developed algorithms will be bundled in an open-source toolkit to ensure the reproducibility of our results and to foster their uptake in academia and industry. The German partner is already developing a web platform, referred to as ELPaaS (Event Log Privacy as a Service), that offers privacy-related pre-processing of process execution data. We intend to use this platform as the basis for the prototypical implementation of techniques for privacy-aware resource management.

Principal Investigators
Weidlich, Matthias Prof. Dr. (Data Bases and Information Systems)

Duration of Project
Start date: 01/2020
End date: 12/2021

Research Areas
Computer Science, Privacy

Last updated on 2021-04-01 at 17:51