Legal Aspects of Process Mining

Modern information systems used in organizations typically register information about activities performed by employees in the form of event logs. Process mining involves analyzing those data to gain information about the real manner in which an organization operates. The dynamic development of applications of process mining implies a number of legal issues which companies should bear in mind when deciding to mine their behavior.

In this Article we first outline the concept of data-driven business analysis and focus on process mining. Then we address legal issues that are associated with practical utilization of process mining techniques. The set of discussed legal issues include handling privacy in the work place, processing of personal data, as well as copyright and protection of databases.

Screening Organizations Using Data

Business analysis is a collection of methods and tools employed to analyze an organization's operations. Its purpose is to gain a new understanding of the manner in which the organization operates. “New”, i.e., covering facts which have not previously been known or used in managing the organization. The “understanding” gained is intended to lead to solutions being proposed that serve to improve the efficiency and effectiveness with which the organization operates.

Business analysis currently appears in the business and scientific press in all the instances and forms. Such concepts as Big Data or Business Intelligence, carrying a greater or lesser amount of content, are circulating in the columns of journals. Using data from information systems for analysis is not a new issue. Their current popularity stems from an increase by several degrees in the amount of data available for analysis. Data used to be specially fed into information systems for the purpose of analysis. Nowadays, such data are automatically collected in the course of an organization's day-to-day operation. Therefore no special effort is necessary to have data for analysis.

The current “data fever” is contributing to the creation and promoting of several new and valuable methods of analysis. Firstly, these methods are able to cope with the large amounts of data accumulated by an organization. Secondly, they enable detailed and diverse data to be transformed into information of considerable business value. Thirdly, they can be applied quickly, and therefore quickly prove their business value. Process mining is an example of such a method, which began at universities and is currently being employed ever more extensively in business practice.

The Idea of Process Mining

In the context of process mining [1], we refer to a specific source of data in the form of event logs. Event logs register activities performed by an organization's employees. Such logs are typically created, inter alia, in document workflow systems, customer relationship management systems, task management systems. Because information systems support the operation of many areas of an organization, event logs record its real manner of operation. Real, in other words not presumed. When analyzing data on activities performed in an organization, we can discern certain procedural models and use them to improve the organization's operation. Analyzing real data is a better approach than the creation of abstract models and descriptions of procedures, which are so popular particularly in big organizations but which quickly become out of date, because life changes faster than the procedures.

Sea Maps and Organization Maps

To clarify the concept of process mining, the perfect analogy between process mining and sea maps used in the 19th century has been proposed by Anne Rozinat and Will van der Aalst in their article “Process Mining: The Objectification of Gut Instinct” [2]. In the 19th century, the world economy was to a large extent based on transporting goods by sea. All ships sailing under the flag of the United States had the task of recording data concerning location, wind and sea currents in the ship's log. Thousands of ships' logs were stored by the United States Naval Observatory. Unfortunately no one ever looked at them and at a certain moment it was even debated whether they should be burnt. But one day Matthew Fontaine Maury appeared on the scene. In 1842, this erstwhile sailor became superintendent of the United States Naval Observatory and ordered a systematic review and analysis to be made of ships' logs. On this basis, he drew up illustrated maps containing sea winds and ocean currents, which supported captains when planning their routes. In 1848, Captain Jackson of the ship the W.H.D.C. Wright used the maps on a journey from Baltimore to Rio de Janeiro and returned to his home port a whole month earlier than planned. Already seven years after their publication, the maps were bringing in 10 million dollars of savings per annum.

In modern times, the equivalents of those ships are teams of people collaborating with each other to achieve an organization's aims. The role of ships' logs is now being played by information system logs. Process mining methods are doing the work that was done by Matthew Fontaine Maury.

Scope of Analysis

By using process mining, answers can be given to many questions that arise in organizations every day. What activities do employees perform to carry out the tasks they are assigned? How long does it take to perform particular activities? Are employees acting in accordance with standards, procedures and guidelines? Who are the key persons in the organization and how do they cooperate with each other?

Traditionally, three subgroups of methods comprising process mining have been distinguished. The first group of methods is used when, on the basis of event logs from information systems, we automatically and immediately wish to gain a picture of how an organization operates. This picture is based exclusively on data, and not on the opinions of employees, so it is objective and complete. The second group of methods is used when we automatically want to compare an organization's real operation with a certain assumed model of its operation or with the business regulations in it. In this way, information is quickly obtained about departures from the organization's desired operation. Finally, a third group of methods makes it possible to carry out a time analysis of performed sets of activities, an analysis of how encumbered employees are, a comparison of the teams' work, the ways in which employees collaborate and the social relations in existence in the organization [3].

Scope of Data

The scope of the data analyzed depends on the aim one wishes to achieve. In practice, in event logs each activity is described by several dozen attributes such as: the time of commencement and completion, the person performing the activity, the place of performing the activity etc. These data frequently come from many information systems within an organization, because it is rare for an organization to use only one system. They can even come from social networking portals. The diversity of information systems means a diversity of data and the need to put them in order, which is the main difficulty with process mining.

A Clash of Worlds

Business analysis methods, including process mining methods, are mainly useful in medium and large organizations. Many organizations have already made use of process mining, ranging from manufacturing enterprises through services companies to hospitals and public administration. Process mining always leads to a clash between what one imagines an organization's operation to be like and the real picture of that operation. This collision is always interesting and almost always surprising.

Legal Aspects

Process mining has been proven to be useful. It would seem that in the near future companies and organizations will ever more frequently be resorting to analytical instruments of this kind. In doing so, they have keep in mind that an analysis of data accumulated in information systems requires taking appropriate action to ensure that analysis aspect is conducted legally.

Privacy in the Work Place

Personal data and privacy protection are aimed at preventing personal information concerning an individual from being stored, used or processed without the knowledge and consent of the individual. An analysis of data coming from event logs of information systems could lead directly to employees being monitored. Although the original purpose here is to assess the real operation of a company's organization, in the overwhelming number of cases the quality of work of employees will also be indirectly assessed. This means that before proceeding to explore its business processes, a company should make sure that its employees have been duly informed that such monitoring could take place. Without analyzing a number of legal acts on personal data protection, we can state that a general rule is that monitoring of employees without their knowledge and without their consent (which can be necessary in some jurisdictions) seems to be unacceptable and is often illegal. If the company has already informed the employees in advance that they could be monitored, there is obviously no need to inform them again. In the context of process mining, however, it is essential that employees should be aware that an employer can inspect them not only in a traditional manner, e.g. by checking business phone bills, employees' business email accounts, websites visited or with the company's CCTV, but also by analyzing data recorded in event logs by information systems which the employees use in their ongoing activities.

Records from Event Logs as Personal Data

It must also be remembered that since process mining entails monitoring of employees, their personal data will also undoubtedly be processed in a number of cases. As a general rule, personal data are considered to be any information concerning an individual who is identified or identifiable. Considering the broad scope of this definition of personal data, we can talk about personal data to the extent to which records from event logs of an information system concerning a specific employee enable him or her to be identified. Obviously we cannot exclude the possibility that in a specific case it will be possible to analyze data selected in such a way that they will not contain any personal identifiable information, while at the same time retaining valuable information apropos the process being examined. In that case regulations of applicable data protection legislation will not apply.

Data Processing Agreement

When a third party gains access to personal data in the form of records from event logs, i.e. the service provider carrying out the process mining, the company should take care to ensure that an agreement is signed entrusting the processing of personal data to a service provider. This obligation is provided for in a number of legal acts on the protection of personal data and the data controller, i.e. the company, is responsible for fulfilling this obligation. It would be advisable that this agreement at least specifies the scope of the personal data being processed by the service provider and the purpose of processing of these data. In practice, other issues are also regulated in data processing agreements, such as the possibility of sub-processing of personal data, contractual penalties for personal data processing which does not comply with the agreement, and a service provider's obligation to secure the data appropriately. It is also worth regulating in the agreement what happens with personal data after cooperation has ended.

Copyright and Database Protection

Finally, it is worth noting that usually a database is a subject to copyright protection if it has the features of a work. Therefore, assuming the copyright protection of the database, the author would have the exclusive right to authorize the use and reuse of the data contained in this database, and any unauthorized use of these data will infringe upon this right. In order to be “mined”, data must be accessed, copied and analyzed. Even if the company lawfully acquired an information system, making copies thereof for the purpose of data mining can be illegal under copyright law without the authorization of the copyright holder. Of course another issue is that in some cases a process mining might fall under exceptions or limitations (e.g. fair dealing or fair use) provided for in appropriate copyright legislations. On the other hand, it needs to be underlined that these limitations and exceptions to the author's exclusive right usually cover a non-commercial use of a protected work, which means that any direct or indirect commercial use might be considered an infringement.

Moreover, in addition to copyright protection databases are usually covered by the protection provided for in specific legislation. Companies should be aware that in some cases the database right exists regardless of the existence of copyright protection, as the exclusive rights given to the database owner or maker. This fact entails interesting and complicated legal issues, such as specifying the owner/maker of the database, the legal basis for re-using data accumulated by event logs or the question of being authorized to receive the results of the analysis conducted. Also in case of a sui generis database right provisions on fair dealing or fair use could apply. Nevertheless, concerns previously discussed with respect to a non-commercial use of works protected by copyright refer to non-authorized use of database accordingly.

Process mining is a very powerful tool, but only if it is conducted by competent persons and the conclusions drawn from it are used wisely. This is actually true for all the data-driven business analysis. The confrontation between the reality contained in those data and a theoretical imagined view of an organization's operation is always of very great value and provides incontrovertible arguments for decisions to make its operation more efficient. Personal data and privacy, copyright and database protection are the main issues to be kept in mind before proceeding to analyze the real operations of the company's organization.

References

[1] Wil M.P. van der Aalst. Process Mining: Discovery, Conformance and Enhancement of Business Processes. Springer-Verlag, 2011

[2] Anne Rozinat and Wil M.P van der Aalst. Process Mining: The Objectification of Gut Instinct, http://www.bpm.com/process-mining-the-objectification-of-gut-instinct.html, BPM.com, April 11th 2013; last access on-line: March 28th, 2014

[3] IEEE Task Force on Process Mining, Process Mining Manifesto, http://www.win.tue.nl/ieeetfpm/; last access on-line: March 28th, 2014

Łukasz Czynienik & Zbigniew Paszkiewicz

Łukasz Czynienik & Zbigniew Paszkiewicz

Łukasz is a legal advisor at the Warsaw office of the law firm Hogan Lovells, at the Department of Intellectual Property, Media and Technology, http://www.hoganlovells.com/lukasz-czynienik/. Łukasz's professional experience includes advising Polish and foreign clients on all aspects related to intellectual property rights. In particular, he provides legal advice on copyrights, industrial property rights, Internet technology issues, unfair competition, personal data, privacy, trade secrets, domain names, civil and commercial law. The best way to contact Łukasz is via mail lukasz.czynienik@hoganlovells.com. Zbigniew is a permanent researcher at the Department of Information Technology at the Poznan University of Economics, https://www.linkedin.com/in/zpaszkiewicz. He has been involved in scientific work on process mining and computer supported collaboration. He is a member of IEEE Task Force on Process Mining http://www.win.tue.nl/ieeetfpm/, the author of articles and scientific papers on process mining, the author of the pilot process mining implementations in the Polish market and the author of the blog Process mining the Polish way http://www.eksploracjaprocesow.pl/page/process-mining-polish-way. Last year he co-founded the Polish Process Mining Group, www.processmining.pl. The best way to contact Zbigniew is via mail zpasz@kti.ue.poznan.pl. You can subscribe to his tweets at http://twitter.com/zpaszk.
Łukasz Czynienik & Zbigniew Paszkiewicz

Latest posts by Łukasz Czynienik & Zbigniew Paszkiewicz (see all)

FacebookTwitterGoogle+Share

Speak Your Mind

*