FIDIS Deliverable D14.3: Study on the Suitability of Trusted Computing to support Privacy in Business Processes
USE CASE: PERSONALISED SERVICES

 

Use Case: Personalised Services

In personalised services, the service provided to the customer is based on personal information about the customer that was acquired beforehand. In many personalised services the service provider obtains this customer information from other data providers. Customer information that follows this information flow model is therefore exposed to disclosure at several points.

The disclosure of private customer information can be considered the main drawback of personalised services. The personal data provided by the customer can be intercepted or misused in several ways. In fact, the confidentiality of the personal data can be breached not only through man-in-the-middle attacks, but also through leakage of information from within the service provider itself. The accountability of the service provider is in question here, in addition to its technical and managerial ability to abide by the privacy policy. Where a customer profile is delegated to the service provider, the privacy policy might have been agreed upon only with the first data consumer to which the personal information was provided. For these reasons, we consider in the following a use case of personalised services to shed light on the flow of personal data in the corresponding business processes.

We consider the case of a company “A” that provides its client bank “B” with fully integrated back-office processing and personalised services for B’s customers. A is able to track customer information across multiple channels so as to enhance B’s customer care, acquisition and support. The personalised services provided by A on behalf of B include customised internet-banking applications, online account management applications, telephone banking services, etc.

The customer’s personal information is collected by B as part of the customer registration process. Encryption schemes and access control systems can be used on B’s information systems to ensure the confidentiality of the customer’s private information. Moreover, a privacy policy is usually agreed upon between B and the customer regarding the use of the private data.

However, the customer’s profile information has to be delegated to A in order for the latter to provide the personalised services. At this stage, the customer information passed to A can include account information, transaction history, withdrawal limits, credit card information, telephone numbers, etc. The profile information delegated to A should be restricted to the information fields that are necessary to provide the corresponding personalised service. Otherwise, the purpose binding of the profile would be lost. Surplus information can be further abused by A, e.g. for advertising in A’s own favour that has no relation to the banking service delegated by B. For example, A could use the telephone number to conduct a survey of the corresponding customer that serves other services A can provide. A would, however, be inclined to avoid such a privacy breach in order to protect its own and B’s reputation.

On the other hand, leakage of customer information from A’s information system should also be avoided, since A would become accountable for any disclosure of private customer information. For example, a leaked credit card billing address can be used for advertising that targets the corresponding customer directly. Encryption systems can also be used by A to control access to private customer information.

Although the privacy policy agreed between the customer and B at the time the private information was provided should protect the privacy rights of the customer, enforcing this policy is not trivial in a multi-stage business process, especially when the personalised services are offered by a partner enterprise. Using access control mechanisms to prevent a breach of the privacy policy is not enough, since the personnel of the partner enterprise must have access to the customer’s private information in order to provide the banking service. On the other hand, logging and auditing security-critical actions in order to verify the enforcement of the privacy policy after a privacy breach has taken place would not avert the consequences of a credit card number theft or a telephone banking impersonation, even though the partner enterprise would be held accountable.

Controllable enforcement of privacy policies by a monitor is a preventive approach. It requires continuous run-time monitoring of how the customer’s private information is used, so that misuse is prevented according to the privacy policy, as opposed to merely controlling access to the information. Enterprise Rights Management (ERM) techniques could be a good solution for enforcing such a privacy policy. With ERM (Enterprise Strategy Group, 2006), different roles within the partner enterprise have different fine-grained usage rights over the information. In addition to an access control model, an ERM solution can help control the usage of customer information by making certain information fields (credit card numbers, online-banking passwords) accessible only to particular persons or roles within the partner enterprise providing the banking service.
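The following is an added example (not code from the deliverable) of the two controls this use case calls for: B’s purpose-bound projection of the customer profile before delegation to A, described in the preceding paragraphs, and an ERM-style run-time monitor at A that checks and audits every use of a field against the role’s rights rather than only guarding access. The customer record, field names, roles and both policy tables are constructed assumptions.

```python
from dataclasses import dataclass, field

# Full customer record held by bank B (constructed sample data).
CUSTOMER = {
    "name": "Jane Example", "account": "DE00 TEST 0000", "balance": 1234.5,
    "history": ["-50 groceries", "+2000 salary"], "withdrawal_limit": 500,
    "card_number": "4111 1111 1111 1111", "billing_address": "1 Example St",
    "phone": "+49 30 000000",
}
# Purpose binding (constructed policy): each service A runs on behalf of B
# is bound to the minimal set of profile fields it needs.
PURPOSE_FIELDS = {
    "online_account_management": {"name", "account", "balance", "history",
                                  "withdrawal_limit"},
    "telephone_banking": {"name", "account", "phone", "withdrawal_limit"},
}
# ERM-style usage rights inside partner A (constructed): role -> field -> ops.
ROLE_RIGHTS = {
    "tb_agent": {"name": {"view"}, "account": {"view"},
                 "phone": {"verify"}, "withdrawal_limit": {"view"}},
    "marketing": {},  # no usage rights over delegated customer data
}

def delegate_profile(record, purpose):
    """B's outbound filter: project the record onto the purpose-bound fields."""
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}

@dataclass
class ErmMonitor:
    """Run-time usage monitor at A: every use is checked and audited."""
    profile: dict
    audit: list = field(default_factory=list)

    def _check(self, role, fld, op):
        rights = ROLE_RIGHTS.get(role, {}).get(fld, set())
        granted = fld in self.profile and op in rights
        self.audit.append((role, fld, op, "grant" if granted else "deny"))
        if not granted:
            raise PermissionError(f"{role} may not {op} {fld}")

    def view(self, role, fld):
        self._check(role, fld, "view")
        return self.profile[fld]

    def verify(self, role, fld, claimed):
        """Compare a caller-supplied value without disclosing the stored one."""
        self._check(role, fld, "verify")
        return self.profile[fld] == claimed
```

Note that the telephone-banking agent can confirm a caller’s number but never read it, and a field that was never delegated (such as the card number) is denied regardless of role, so the audit trail records attempted misuse before any disclosure occurs.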
