SlideShare a Scribd company logo

The Regorous Approach to Business Process Compliance

Guido Governatori
Guido Governatori

Slide of the paper presented at the 8th International Workshop on Evolutionary Business Process (EVL-BP 2015), Adelaide, September 2015. We propose an ITC (Information and Communication Technology) approach to support regulatory compliance for business processes, and we report on the development and evaluation of a business process compliance checker called Regorous, based on the compliance-by-design methodology proposed by Governatori and Sadiq

Education
1 of 26
Download to read offline
The Regorous Approach to Process Compliance Guido Governatori 22 September 2015 www.data61.csiro.au
A Privacy Act Section 1: (Prohibition to collect personal medical information) Offence: It is an offence to collect personal medical information. Defence: It is a defence to the prohibition of collecting personal medical information, if an entity immediately destroys the illegally collected personal medical information before making any use of the personal medical information Section 2: An entity is permitted to collect personal medical information if the entity acts under a Court Order authorising the collection of personal medical information. Section 3: (Prohibition to collect personal information) It is forbidden to collect personal information unless an entity is permitted to collect personal medical information. Offence: an entity collected personal information Defence: an entity being permitted to collect personal medical information. 2 | The Regorous Approach to Process Compliance | Guido Governatori
Making Sense of the Act • Collection of medical information is forbidden. • Destruction of the illegally collected medical information excuses the illegal collection. • Collection of medical information is permitted if there is an authorising court order. • Collection of personal information is forbidden. • Collection of personal information is permitted if the collection of medical information is permitted 3 | The Regorous Approach to Process Compliance | Guido Governatori
Are We Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End 4 | The Regorous Approach to Process Compliance | Guido Governatori
No Time for Compliance Governatori and Hashmi [1] showed that compliance frameworks based on (linear) temporal logic are not able to handle the scenario correctly 5 | The Regorous Approach to Process Compliance | Guido Governatori
The Regorous Approach 1. Annotated business process models 2. Proper representation of norms based on PCL (Process Compliance Logic) 3. Simulate execution of traces and round trips to PCL reasoner 1. Determine what are the obligations in force for each state 2. Determine which obligations have been fulfilled, violated, or pending 3. Determine which violations have been compensated for http://www.regorous.com 6 | The Regorous Approach to Process Compliance | Guido Governatori
Modelling Processes A B D C E F G H t1 : A, B, C, D, E, F, H t2 : A, B, D, C, E, F, H t3 : A, D, B, C, E, F, H t4 : A, B, C, D, E, G, H t5 : A, B, D, C, E, G, H t6 : A, D, B, C, E, G, H 7 | The Regorous Approach to Process Compliance | Guido Governatori
Annotated Traces Let Lit be a set of literals, T be the set of traces of a process and N be the set of natural numbers State : T × N → 2Lit The function State returns the set of literals describing “what’s going on in a trace t after the execution of the n-th task in the process”. 8 | The Regorous Approach to Process Compliance | Guido Governatori
Example A B C D Tasks • A: “turn the light on” • B: “check if glass is empty” • C: “fill glass with water” • D: “turn glass upside-down” Propositions • p: “the light is on” • q: “the glass is full” Trace 1: A, B, D Trace 2: A, B, C, D • State(i, 1) = { p }, i ∈ { 1, 2 } • State(1, 2) = { p, q } • State(2, 2) = { p, ¬q } • State(2, 3) = { p, q } • State(1, 3) = { p, ¬q } • State(2, 4) = { p, ¬q } 9 | The Regorous Approach to Process Compliance | Guido Governatori
Modelling Norms Norms are modelled as if . . . then . . . rules • norms are defeasible (handling exceptions) • two types of norms constitutive rules: defining terms used in a legal context A1, . . . , An ⇒ C prescriptive rules: defining “normative effects” (i.e., obligations, permissions, prohibitions . . . ) A1, . . . , An ⇒ [O]C1 ⊗ [O]C2 ⊗ · · · ⊗ [O]Cm A1, . . . , An ⇒ [P]C 10 | The Regorous Approach to Process Compliance | Guido Governatori
Reasoning with Norms 1. A is a fact; or 2. there is an applicable rule for A, and either 1. all the rules for ¬A are discarded (i.e., not applicable) or 2. every applicable rule for ¬A is weaker than an applicable rule for A. 11 | The Regorous Approach to Process Compliance | Guido Governatori
The Regorous Architecture Compliance Checker Logical State Representation State(t,1) State(t,2) State(t,3) State(t,4) Rule1 Rule2 Rule3 Rule4 Rule5 Rule6 Rule7 Rule8 Rule9 ... Compliance Rule Base Obligations Input ... Annotated Business Process T2 T5 T3 T1 T4 T7 T6 Legalese Formalisation Recommendation Sub-system recommendations whatif analysis StatusReport 12 | The Regorous Approach to Process Compliance | Guido Governatori
Privacy Regorously • collection of medical information is forbidden c destruction of medical information compensates the illegal collection r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy • collection of medical information is permitted if acting under a court order r2 : courtOrder ⇒ [P]medicalInfo • collection of personal information is forbidden r3 : ⇒ [O]¬personalInfo • collection personal information is permitted if collection of medical information is permitted r4 : [P]medicalInfo ⇒ [P]personalInfo 13 | The Regorous Approach to Process Compliance | Guido Governatori
Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo 14 | The Regorous Approach to Process Compliance | Guido Governatori
Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo State(start) : ¬courtOrder 14 | The Regorous Approach to Process Compliance | Guido Governatori
Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo State(start) : ¬courtOrder Force(T1) : [O]¬medicalInfo [O]¬personalInfo 14 | The Regorous Approach to Process Compliance | Guido Governatori
Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo State(start) : ¬courtOrder Force(T1) : [O]¬medicalInfo [O]¬personalInfo State(T1) : medicalInfo 14 | The Regorous Approach to Process Compliance | Guido Governatori
Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo State(start) : ¬courtOrder Force(T1) : [O]¬medicalInfo [O]¬personalInfo State(T1) : medicalInfo Violated(T1) : [O]¬medicalInfo 14 | The Regorous Approach to Process Compliance | Guido Governatori
Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo State(start) : ¬courtOrder Force(T1) : [O]¬medicalInfo [O]¬personalInfo State(T1) : medicalInfo Violated(T1) : [O]¬medicalInfo Force(T2) : [O]destroy 14 | The Regorous Approach to Process Compliance | Guido Governatori
Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo State(start) : ¬courtOrder Force(T1) : [O]¬medicalInfo [O]¬personalInfo State(T1) : medicalInfo Violated(T1) : [O]¬medicalInfo Force(T2) : [O]destroy State(T2) : personalInfo 14 | The Regorous Approach to Process Compliance | Guido Governatori
Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo State(start) : ¬courtOrder Force(T1) : [O]¬medicalInfo [O]¬personalInfo State(T1) : medicalInfo Violated(T1) : [O]¬medicalInfo Force(T2) : [O]destroy State(T2) : personalInfo Violated(T2) : [O]¬persoanlInfo 14 | The Regorous Approach to Process Compliance | Guido Governatori
Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo State(start) : ¬courtOrder Force(T1) : [O]¬medicalInfo [O]¬personalInfo State(T1) : medicalInfo Violated(T1) : [O]¬medicalInfo Force(T2) : [O]destroy State(T2) : personalInfo Violated(T2) : [O]¬persoanlInfo State(T3) : destroy 14 | The Regorous Approach to Process Compliance | Guido Governatori
Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo State(start) : ¬courtOrder Force(T1) : [O]¬medicalInfo [O]¬personalInfo State(T1) : medicalInfo Violated(T1) : [O]¬medicalInfo Force(T2) : [O]destroy State(T2) : personalInfo Violated(T2) : [O]¬persoanlInfo State(T3) : destroy Compensated(T3) : [O]¬medicalInfo 14 | The Regorous Approach to Process Compliance | Guido Governatori
The Regorous Evaluation Formalised Chapter 8 (Complaints) of TCPC 2012. Modelled the compliant handling/management processes of an Australian telco. 41 tasks, 12 decision points (xor), 2 loops shortest trace: 6 traces longest trace (loop): 33 tasks longest trace (no loop): 22 tasks over 1000 traces, over 25000 states 15 | The Regorous Approach to Process Compliance | Guido Governatori
The Regorous Evaluation TCPC 2012 Chapter 8. Contains over 100 commas, plus 120 terms (in Terms and Definitions Section). Required 223 propositions, 176 rules. Punctual Obligation 5 (5) Achievement Obligation 90 (110) Preemptive 41 (46) Non preemptive 49 (64) Non perdurant 5 (7) Maintenance Obligation 11 (13) Prohibition 7 (9) Non perdurant 1 (4) Permission 9 (16) Compensation 2 (2) 16 | The Regorous Approach to Process Compliance | Guido Governatori
Questions? Guido Governatori guido.governatori@nicta.com.au 17 | The Regorous Approach to Process Compliance | Guido Governatori

Recommended

FCC Info Book
FCC Info BookFCC Info Book
FCC Info BookAdam Zavalney
 
Student survey question 2
Student survey question 2Student survey question 2
Student survey question 2andrea7411
 
Resumengramtical
ResumengramticalResumengramtical
ResumengramticalJavier García Casares
 
Bestmattresshub.com
Bestmattresshub.com Bestmattresshub.com
Bestmattresshub.comchilvirginia
 
DIS certified.PDF
DIS certified.PDFDIS certified.PDF
DIS certified.PDFwael salim
 
Thriller poster analysis
Thriller poster analysisThriller poster analysis
Thriller poster analysisRhiannaWalsh
 
Accesibilidad en las Aulas Virtuales
Accesibilidad en las Aulas VirtualesAccesibilidad en las Aulas Virtuales
Accesibilidad en las Aulas VirtualesVeronica Gomez
 
The Journey to Business Process Compliance. Are We There Yet?
The Journey to Business Process Compliance. Are We There Yet?The Journey to Business Process Compliance. Are We There Yet?
The Journey to Business Process Compliance. Are We There Yet?Guido Governatori
 

Recommended

FCC Info Book
FCC Info BookFCC Info Book
FCC Info BookAdam Zavalney
 
Student survey question 2
Student survey question 2Student survey question 2
Student survey question 2andrea7411
 
Resumengramtical
ResumengramticalResumengramtical
ResumengramticalJavier García Casares
 
Bestmattresshub.com
Bestmattresshub.com Bestmattresshub.com
Bestmattresshub.comchilvirginia
 
DIS certified.PDF
DIS certified.PDFDIS certified.PDF
DIS certified.PDFwael salim
 
Thriller poster analysis
Thriller poster analysisThriller poster analysis
Thriller poster analysisRhiannaWalsh
 
Accesibilidad en las Aulas Virtuales
Accesibilidad en las Aulas VirtualesAccesibilidad en las Aulas Virtuales
Accesibilidad en las Aulas VirtualesVeronica Gomez
 
The Journey to Business Process Compliance. Are We There Yet?
The Journey to Business Process Compliance. Are We There Yet?The Journey to Business Process Compliance. Are We There Yet?
The Journey to Business Process Compliance. Are We There Yet?Guido Governatori
 
Data61's Regulation as a Platform (RaaP)
Data61's Regulation as a Platform (RaaP)Data61's Regulation as a Platform (RaaP)
Data61's Regulation as a Platform (RaaP)Guido Governatori
 
Computational Law at Data61
Computational Law at Data61Computational Law at Data61
Computational Law at Data61Guido Governatori
 
Automated Recommendation of Templates for Legal Requirements
Automated Recommendation of Templates for Legal RequirementsAutomated Recommendation of Templates for Legal Requirements
Automated Recommendation of Templates for Legal RequirementsLionel Briand
 
Overview of HR monitoring, fact finding and documentation
Overview of HR monitoring, fact finding and documentationOverview of HR monitoring, fact finding and documentation
Overview of HR monitoring, fact finding and documentationNone
 
Records Management and ediscovery as Risk
Records Management and ediscovery as RiskRecords Management and ediscovery as Risk
Records Management and ediscovery as RiskMSpadea
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials by QualsysGDPR: Training Materials by Qualsys
GDPR: Training Materials by QualsysQualsys Ltd
 
03/22/2012 Meeting - Background Checks in Employment
03/22/2012 Meeting - Background Checks in Employment03/22/2012 Meeting - Background Checks in Employment
03/22/2012 Meeting - Background Checks in Employmentacfesj
 
Thou Shalt is not You Will
Thou Shalt is not You WillThou Shalt is not You Will
Thou Shalt is not You WillGuido Governatori
 
Data Privacy Laws: A Global Overview and Compliance Strategies
Data Privacy Laws: A Global Overview and Compliance StrategiesData Privacy Laws: A Global Overview and Compliance Strategies
Data Privacy Laws: A Global Overview and Compliance StrategiesShyamMishra72
 
Nebosh nat general cert 4 (1)
Nebosh nat general cert 4 (1)Nebosh nat general cert 4 (1)
Nebosh nat general cert 4 (1)sudi115844
 
The pandemic and privacy
The pandemic and privacyThe pandemic and privacy
The pandemic and privacyDan Michaluk
 
Public health surveillance
Public health surveillancePublic health surveillance
Public health surveillanceDr Khyati Boriya -BDS (MHA)
 
Protection of Personal Information Bill (POPI)
Protection of Personal Information Bill (POPI)Protection of Personal Information Bill (POPI)
Protection of Personal Information Bill (POPI)Robert MacLean
 
Whistle blowing
Whistle blowingWhistle blowing
Whistle blowingOfqual Slideshare
 
Slides ensae 10
Slides ensae 10Slides ensae 10
Slides ensae 10Arthur Charpentier
 
Legal And Regulatory Dp Challenges For The Financial Services Sector
Legal And Regulatory Dp Challenges For The Financial Services SectorLegal And Regulatory Dp Challenges For The Financial Services Sector
Legal And Regulatory Dp Challenges For The Financial Services SectorMSpadea
 
Building a register of data processing
Building a register of data processingBuilding a register of data processing
Building a register of data processingTim Gough
 
Implementing And Managing A Multinational Privacy Program
Implementing And Managing A Multinational Privacy ProgramImplementing And Managing A Multinational Privacy Program
Implementing And Managing A Multinational Privacy ProgramMSpadea
 
Customer Services Standards Training by The State of Michigan
Customer Services Standards Training by The State of MichiganCustomer Services Standards Training by The State of Michigan
Customer Services Standards Training by The State of MichiganAtlantic Training, LLC.
 
GDPRpresentationFeb-Apr2018.pptx
GDPRpresentationFeb-Apr2018.pptxGDPRpresentationFeb-Apr2018.pptx
GDPRpresentationFeb-Apr2018.pptxpixvilx
 
Australia's RegTech Opportunities (in a digital-first world)
Australia's RegTech Opportunities (in a digital-first world)Australia's RegTech Opportunities (in a digital-first world)
Australia's RegTech Opportunities (in a digital-first world)Guido Governatori
 
Sequence Semantics for Norms and Obligations
Sequence Semantics for Norms and ObligationsSequence Semantics for Norms and Obligations
Sequence Semantics for Norms and ObligationsGuido Governatori
 

More Related Content

Similar to The Regorous Approach to Business Process Compliance

Data61's Regulation as a Platform (RaaP)
Data61's Regulation as a Platform (RaaP)Data61's Regulation as a Platform (RaaP)
Data61's Regulation as a Platform (RaaP)Guido Governatori
 
Automated Recommendation of Templates for Legal Requirements
Automated Recommendation of Templates for Legal RequirementsAutomated Recommendation of Templates for Legal Requirements
Automated Recommendation of Templates for Legal RequirementsLionel Briand
 
Overview of HR monitoring, fact finding and documentation
Overview of HR monitoring, fact finding and documentationOverview of HR monitoring, fact finding and documentation
Overview of HR monitoring, fact finding and documentationNone
 
Records Management and ediscovery as Risk
Records Management and ediscovery as RiskRecords Management and ediscovery as Risk
Records Management and ediscovery as RiskMSpadea
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials by QualsysGDPR: Training Materials by Qualsys
GDPR: Training Materials by QualsysQualsys Ltd
 
03/22/2012 Meeting - Background Checks in Employment
03/22/2012 Meeting - Background Checks in Employment03/22/2012 Meeting - Background Checks in Employment
03/22/2012 Meeting - Background Checks in Employmentacfesj
 
Data Privacy Laws: A Global Overview and Compliance Strategies
Data Privacy Laws: A Global Overview and Compliance StrategiesData Privacy Laws: A Global Overview and Compliance Strategies
Data Privacy Laws: A Global Overview and Compliance StrategiesShyamMishra72
 
Nebosh nat general cert 4 (1)
Nebosh nat general cert 4 (1)Nebosh nat general cert 4 (1)
Nebosh nat general cert 4 (1)sudi115844
 
The pandemic and privacy
The pandemic and privacyThe pandemic and privacy
The pandemic and privacyDan Michaluk
 
Protection of Personal Information Bill (POPI)
Protection of Personal Information Bill (POPI)Protection of Personal Information Bill (POPI)
Protection of Personal Information Bill (POPI)Robert MacLean
 
Legal And Regulatory Dp Challenges For The Financial Services Sector
Legal And Regulatory Dp Challenges For The Financial Services SectorLegal And Regulatory Dp Challenges For The Financial Services Sector
Legal And Regulatory Dp Challenges For The Financial Services SectorMSpadea
 
Building a register of data processing
Building a register of data processingBuilding a register of data processing
Building a register of data processingTim Gough
 
Implementing And Managing A Multinational Privacy Program
Implementing And Managing A Multinational Privacy ProgramImplementing And Managing A Multinational Privacy Program
Implementing And Managing A Multinational Privacy ProgramMSpadea
 
Customer Services Standards Training by The State of Michigan
Customer Services Standards Training by The State of MichiganCustomer Services Standards Training by The State of Michigan
Customer Services Standards Training by The State of MichiganAtlantic Training, LLC.
 
GDPRpresentationFeb-Apr2018.pptx
GDPRpresentationFeb-Apr2018.pptxGDPRpresentationFeb-Apr2018.pptx
GDPRpresentationFeb-Apr2018.pptxpixvilx
 

Similar to The Regorous Approach to Business Process Compliance (20)

Data61's Regulation as a Platform (RaaP)
Data61's Regulation as a Platform (RaaP)Data61's Regulation as a Platform (RaaP)
Data61's Regulation as a Platform (RaaP)
 
Computational Law at Data61
Computational Law at Data61Computational Law at Data61
Computational Law at Data61
 
Automated Recommendation of Templates for Legal Requirements
Automated Recommendation of Templates for Legal RequirementsAutomated Recommendation of Templates for Legal Requirements
Automated Recommendation of Templates for Legal Requirements
 
Overview of HR monitoring, fact finding and documentation
Overview of HR monitoring, fact finding and documentationOverview of HR monitoring, fact finding and documentation
Overview of HR monitoring, fact finding and documentation
 
Records Management and ediscovery as Risk
Records Management and ediscovery as RiskRecords Management and ediscovery as Risk
Records Management and ediscovery as Risk
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials by QualsysGDPR: Training Materials by Qualsys
GDPR: Training Materials by Qualsys
 
03/22/2012 Meeting - Background Checks in Employment
03/22/2012 Meeting - Background Checks in Employment03/22/2012 Meeting - Background Checks in Employment
03/22/2012 Meeting - Background Checks in Employment
 
Thou Shalt is not You Will
Thou Shalt is not You WillThou Shalt is not You Will
Thou Shalt is not You Will
 
Data Privacy Laws: A Global Overview and Compliance Strategies
Data Privacy Laws: A Global Overview and Compliance StrategiesData Privacy Laws: A Global Overview and Compliance Strategies
Data Privacy Laws: A Global Overview and Compliance Strategies
 
Nebosh nat general cert 4 (1)
Nebosh nat general cert 4 (1)Nebosh nat general cert 4 (1)
Nebosh nat general cert 4 (1)
 
The pandemic and privacy
The pandemic and privacyThe pandemic and privacy
The pandemic and privacy
 
Public health surveillance
Public health surveillancePublic health surveillance
Public health surveillance
 
Protection of Personal Information Bill (POPI)
Protection of Personal Information Bill (POPI)Protection of Personal Information Bill (POPI)
Protection of Personal Information Bill (POPI)
 
Whistle blowing
Whistle blowingWhistle blowing
Whistle blowing
 
Slides ensae 10
Slides ensae 10Slides ensae 10
Slides ensae 10
 
Legal And Regulatory Dp Challenges For The Financial Services Sector
Legal And Regulatory Dp Challenges For The Financial Services SectorLegal And Regulatory Dp Challenges For The Financial Services Sector
Legal And Regulatory Dp Challenges For The Financial Services Sector
 
Building a register of data processing
Building a register of data processingBuilding a register of data processing
Building a register of data processing
 
Implementing And Managing A Multinational Privacy Program
Implementing And Managing A Multinational Privacy ProgramImplementing And Managing A Multinational Privacy Program
Implementing And Managing A Multinational Privacy Program
 
Customer Services Standards Training by The State of Michigan
Customer Services Standards Training by The State of MichiganCustomer Services Standards Training by The State of Michigan
Customer Services Standards Training by The State of Michigan
 
GDPRpresentationFeb-Apr2018.pptx
GDPRpresentationFeb-Apr2018.pptxGDPRpresentationFeb-Apr2018.pptx
GDPRpresentationFeb-Apr2018.pptx
 

More from Guido Governatori

Australia's RegTech Opportunities (in a digital-first world)
Australia's RegTech Opportunities (in a digital-first world)Australia's RegTech Opportunities (in a digital-first world)
Australia's RegTech Opportunities (in a digital-first world)Guido Governatori
 
Sequence Semantics for Norms and Obligations
Sequence Semantics for Norms and ObligationsSequence Semantics for Norms and Obligations
Sequence Semantics for Norms and ObligationsGuido Governatori
 
Practical Non-Monotonic Reasoning
Practical Non-Monotonic ReasoningPractical Non-Monotonic Reasoning
Practical Non-Monotonic ReasoningGuido Governatori
 
Strategic Argumentation is NP-complete
Strategic Argumentation is NP-completeStrategic Argumentation is NP-complete
Strategic Argumentation is NP-completeGuido Governatori
 
Modelling and Reasoning Languages for Social Networks Policies
Modelling and Reasoning Languages for Social Networks PoliciesModelling and Reasoning Languages for Social Networks Policies
Modelling and Reasoning Languages for Social Networks PoliciesGuido Governatori
 
ICT Support for Business Process Compliance
ICT Support for Business Process ComplianceICT Support for Business Process Compliance
ICT Support for Business Process ComplianceGuido Governatori
 

More from Guido Governatori (8)

Australia's RegTech Opportunities (in a digital-first world)
Australia's RegTech Opportunities (in a digital-first world)Australia's RegTech Opportunities (in a digital-first world)
Australia's RegTech Opportunities (in a digital-first world)
 
Sequence Semantics for Norms and Obligations
Sequence Semantics for Norms and ObligationsSequence Semantics for Norms and Obligations
Sequence Semantics for Norms and Obligations
 
No Time for Compliance
No Time for ComplianceNo Time for Compliance
No Time for Compliance
 
Thou Shalt is not You Will
Thou Shalt is not You WillThou Shalt is not You Will
Thou Shalt is not You Will
 
Practical Non-Monotonic Reasoning
Practical Non-Monotonic ReasoningPractical Non-Monotonic Reasoning
Practical Non-Monotonic Reasoning
 
Strategic Argumentation is NP-complete
Strategic Argumentation is NP-completeStrategic Argumentation is NP-complete
Strategic Argumentation is NP-complete
 
Modelling and Reasoning Languages for Social Networks Policies
Modelling and Reasoning Languages for Social Networks PoliciesModelling and Reasoning Languages for Social Networks Policies
Modelling and Reasoning Languages for Social Networks Policies
 
ICT Support for Business Process Compliance
ICT Support for Business Process ComplianceICT Support for Business Process Compliance
ICT Support for Business Process Compliance
 

Recently uploaded

Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfUjwalaBharambe
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxChelloAnnAsuncion2
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxEyham Joco
 
AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.arsicmarija21
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
ROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationAadityaSharma884161
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 

Recently uploaded (20)

Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
 
Rapple "Scholarly Communications and the Sustainable Development Goals"
Rapple "Scholarly Communications and the Sustainable Development Goals"Rapple "Scholarly Communications and the Sustainable Development Goals"
Rapple "Scholarly Communications and the Sustainable Development Goals"
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 
AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
ROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint Presentation
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 

The Regorous Approach to Business Process Compliance

  • 1. The Regorous Approach to Process Compliance Guido Governatori 22 September 2015 www.data61.csiro.au
  • 2. A Privacy Act Section 1: (Prohibition to collect personal medical information) Offence: It is an offence to collect personal medical information. Defence: It is a defence to the prohibition of collecting personal medical information, if an entity immediately destroys the illegally collected personal medical information before making any use of the personal medical information Section 2: An entity is permitted to collect personal medical information if the entity acts under a Court Order authorising the collection of personal medical information. Section 3: (Prohibition to collect personal information) It is forbidden to collect personal information unless an entity is permitted to collect personal medical information. Offence: an entity collected personal information Defence: an entity being permitted to collect personal medical information. 2 | The Regorous Approach to Process Compliance | Guido Governatori
  • 3. Making Sense of the Act • Collection of medical information is forbidden. • Destruction of the illegally collected medical information excuses the illegal collection. • Collection of medical information is permitted if there is an authorising court order. • Collection of personal information is forbidden. • Collection of personal information is permitted if the collection of medical information is permitted 3 | The Regorous Approach to Process Compliance | Guido Governatori
  • 4. Are We Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End 4 | The Regorous Approach to Process Compliance | Guido Governatori
  • 5. No Time for Compliance Governatori and Hashmi [1] showed that compliance frameworks based on (linear) temporal logic are not able to handle the scenario correctly 5 | The Regorous Approach to Process Compliance | Guido Governatori
  • 6. The Regorous Approach 1. Annotated business process models 2. Proper representation of norms based on PCL (Process Compliance Logic) 3. Simulate execution of traces and round trips to PCL reasoner 1. Determine what are the obligations in force for each state 2. Determine which obligations have been fulfilled, violated, or pending 3. Determine which violations have been compensated for http://www.regorous.com 6 | The Regorous Approach to Process Compliance | Guido Governatori
  • 7. Modelling Processes A B D C E F G H t1 : A, B, C, D, E, F, H t2 : A, B, D, C, E, F, H t3 : A, D, B, C, E, F, H t4 : A, B, C, D, E, G, H t5 : A, B, D, C, E, G, H t6 : A, D, B, C, E, G, H 7 | The Regorous Approach to Process Compliance | Guido Governatori
  • 8. Annotated Traces Let Lit be a set of literals, T be the set of traces of a process and N be the set of natural numbers State : T × N → 2Lit The function State returns the set of literals describing “what’s going on in a trace t after the execution of the n-th task in the process”. 8 | The Regorous Approach to Process Compliance | Guido Governatori
  • 9. Example A B C D Tasks • A: “turn the light on” • B: “check if glass is empty” • C: “fill glass with water” • D: “turn glass upside-down” Propositions • p: “the light is on” • q: “the glass is full” Trace 1: A, B, D Trace 2: A, B, C, D • State(i, 1) = { p }, i ∈ { 1, 2 } • State(1, 2) = { p, q } • State(2, 2) = { p, ¬q } • State(2, 3) = { p, q } • State(1, 3) = { p, ¬q } • State(2, 4) = { p, ¬q } 9 | The Regorous Approach to Process Compliance | Guido Governatori
  • 10. Modelling Norms Norms are modelled as if . . . then . . . rules • norms are defeasible (handling exceptions) • two types of norms constitutive rules: defining terms used in a legal context A1, . . . , An ⇒ C prescriptive rules: defining “normative effects” (i.e., obligations, permissions, prohibitions . . . ) A1, . . . , An ⇒ [O]C1 ⊗ [O]C2 ⊗ · · · ⊗ [O]Cm A1, . . . , An ⇒ [P]C 10 | The Regorous Approach to Process Compliance | Guido Governatori
  • 11. Reasoning with Norms 1. A is a fact; or 2. there is an applicable rule for A, and either 1. all the rules for ¬A are discarded (i.e., not applicable) or 2. every applicable rule for ¬A is weaker than an applicable rule for A. 11 | The Regorous Approach to Process Compliance | Guido Governatori
  • 12. The Regorous Architecture Compliance Checker Logical State Representation State(t,1) State(t,2) State(t,3) State(t,4) Rule1 Rule2 Rule3 Rule4 Rule5 Rule6 Rule7 Rule8 Rule9 ... Compliance Rule Base Obligations Input ... Annotated Business Process T2 T5 T3 T1 T4 T7 T6 Legalese Formalisation Recommendation Sub-system recommendations whatif analysis StatusReport 12 | The Regorous Approach to Process Compliance | Guido Governatori
  • 13. Privacy Regorously • collection of medical information is forbidden c destruction of medical information compensates the illegal collection r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy • collection of medical information is permitted if acting under a court order r2 : courtOrder ⇒ [P]medicalInfo • collection of personal information is forbidden r3 : ⇒ [O]¬personalInfo • collection personal information is permitted if collection of medical information is permitted r4 : [P]medicalInfo ⇒ [P]personalInfo 13 | The Regorous Approach to Process Compliance | Guido Governatori
  • 14. Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo 14 | The Regorous Approach to Process Compliance | Guido Governatori
  • 15. Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo State(start) : ¬courtOrder 14 | The Regorous Approach to Process Compliance | Guido Governatori
  • 16. Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo State(start) : ¬courtOrder Force(T1) : [O]¬medicalInfo [O]¬personalInfo 14 | The Regorous Approach to Process Compliance | Guido Governatori
  • 17. Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo State(start) : ¬courtOrder Force(T1) : [O]¬medicalInfo [O]¬personalInfo State(T1) : medicalInfo 14 | The Regorous Approach to Process Compliance | Guido Governatori
  • 18. Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo State(start) : ¬courtOrder Force(T1) : [O]¬medicalInfo [O]¬personalInfo State(T1) : medicalInfo Violated(T1) : [O]¬medicalInfo 14 | The Regorous Approach to Process Compliance | Guido Governatori
  • 19. Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo State(start) : ¬courtOrder Force(T1) : [O]¬medicalInfo [O]¬personalInfo State(T1) : medicalInfo Violated(T1) : [O]¬medicalInfo Force(T2) : [O]destroy 14 | The Regorous Approach to Process Compliance | Guido Governatori
  • 20. Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo State(start) : ¬courtOrder Force(T1) : [O]¬medicalInfo [O]¬personalInfo State(T1) : medicalInfo Violated(T1) : [O]¬medicalInfo Force(T2) : [O]destroy State(T2) : personalInfo 14 | The Regorous Approach to Process Compliance | Guido Governatori
  • 21. Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo State(start) : ¬courtOrder Force(T1) : [O]¬medicalInfo [O]¬personalInfo State(T1) : medicalInfo Violated(T1) : [O]¬medicalInfo Force(T2) : [O]destroy State(T2) : personalInfo Violated(T2) : [O]¬persoanlInfo 14 | The Regorous Approach to Process Compliance | Guido Governatori
  • 22. Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo State(start) : ¬courtOrder Force(T1) : [O]¬medicalInfo [O]¬personalInfo State(T1) : medicalInfo Violated(T1) : [O]¬medicalInfo Force(T2) : [O]destroy State(T2) : personalInfo Violated(T2) : [O]¬persoanlInfo State(T3) : destroy 14 | The Regorous Approach to Process Compliance | Guido Governatori
  • 23. Are We Regorously Compliant? Collect Medical Information Collect Personal Information Destroy Medical Information T1 T2 T3 Start End r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy r2 : courtOrder ⇒ [P]medicalInfo r3 : ⇒ [O]¬personalInfo r4 : [P]medicalInfo ⇒ [P]personalInfo State(start) : ¬courtOrder Force(T1) : [O]¬medicalInfo [O]¬personalInfo State(T1) : medicalInfo Violated(T1) : [O]¬medicalInfo Force(T2) : [O]destroy State(T2) : personalInfo Violated(T2) : [O]¬persoanlInfo State(T3) : destroy Compensated(T3) : [O]¬medicalInfo 14 | The Regorous Approach to Process Compliance | Guido Governatori
  • 24. The Regorous Evaluation Formalised Chapter 8 (Complaints) of TCPC 2012. Modelled the compliant handling/management processes of an Australian telco. 41 tasks, 12 decision points (xor), 2 loops shortest trace: 6 traces longest trace (loop): 33 tasks longest trace (no loop): 22 tasks over 1000 traces, over 25000 states 15 | The Regorous Approach to Process Compliance | Guido Governatori
  • 25. The Regorous Evaluation TCPC 2012 Chapter 8. Contains over 100 commas, plus 120 terms (in Terms and Definitions Section). Required 223 propositions, 176 rules. Punctual Obligation 5 (5) Achievement Obligation 90 (110) Preemptive 41 (46) Non preemptive 49 (64) Non perdurant 5 (7) Maintenance Obligation 11 (13) Prohibition 7 (9) Non perdurant 1 (4) Permission 9 (16) Compensation 2 (2) 16 | The Regorous Approach to Process Compliance | Guido Governatori
  • 26. Questions? Guido Governatori guido.governatori@nicta.com.au 17 | The Regorous Approach to Process Compliance | Guido Governatori