You are here: Resources > FIDIS Deliverables > Privacy and legal-social content > D14.2: Study on Privacy in Business Processes by Identity Management > 
Hurdles for the Acceptance of Personalised Services  Title:
 Case Study: Intelligent Software-Agents


Case Study: Loyalty Program

The use of customer data in business processes is shown by an exemplary case study: Loyalty program. Loyalty programs aim to commit customers to specific companies. These companies delegate their customer relationship management to a loyalty program provider. The loyalty program provider manages the profiles about customers of this loyalty program, offers personalised services, sends them advertisements, and gives customers premium points, whenever they buy goods or services at companies which take part in this loyalty program. By these premium points, customers are allowed to get discounts on goods or pay other goods or services with these points. Each customer gets an own loyalty card with a unique card number for authentication. A customer can have one or more loyalty card for different programs. Loyalty cards are issued by merchants or the loyalty program provider. Latter is assumed for this case study. A loyalty card is technically realised by a credential.

Business Process: Collecting Customer’s Data

Each time a customer uses his loyalty card while buying goods or services, the corresponding loyalty program partner forwards the services or goods which have been sold, their price, the discount, and the date of the selling together with the customer’s loyalty card number. Loyalty program partners are data consumers concerning collection of customer’s data and data providers regarding the delegation of customers’ profiles to the loyalty program provider. It is assumed that loyalty program partners store the profiles about their customers. In the following, a loyalty program partner is considered as a merchant. Figure 3.4 shows this scenario. The card number is given by Card ID and customer’s data concerning one loyalty partner are summarised by selling data. An example for a loyalty program is the German PAYBACK loyalty program. This loyalty program consists of 52 companies of different branches, e.g. retail, medicine, and insurances.

Figure 3. Collecting customer’s data.

Business Process: Using Customer’s Data

The extension of the previous scenario is that a customer wants to show some of his properties to a merchant in order to get special benefit for a personalised service, e.g. to show that he does not smoke in order to get discount on a private health insurance. The customer enhances his reputation at the insurance company by showing his buying history at the supermarket in order to prove that he has not bought tobaccos. So, the customer specifies this purpose of using one of his profiles by delegating an access right to the insurance company to access his profile supermarket at the loyalty program provider. It is assumed that the loyalty program provider discloses customers’ profiles only with their authorisation. In Figure 3.5, the insurance company (data consumer 3) gets this access right on customer’s profile with respect to his buying history.

Since the loyalty program provider does not disclose customers’ profiles, the insurance company asks the given customer for allowing access on customer’s buying history of his supermarket profile. The customer delegates the read authorisation concerning this request for a one-show use to the insurance company in step two. This insurance company acts in step three as a proxy for the customer, since the customer does not retrieve this data himself at the loyalty program provider. If this authorisation is valid, the loyalty program provider grants the desired access and denies it otherwise. So, the loyalty program provider has changed his role from a data consumer (data consumer 4) to a data provider (data provider 4).


Figure 3. Delegation of access rights with regard to customer’s supermarket profile.


Hurdles for the Acceptance of Personalised Services  fidis_wp14_d14.2-study_on_privacy_in_business_processes_by_identity_management-v09_02.sxw  Case Study: Intelligent Software-Agents
9 / 38