Designing Data Protection for GDPR Compliance into IoT Healthcare Systems

In this paper, we investigate the implications of the General Data Privacy Regulation (GDPR) on the design of an IoT healthcare system. On 25th May 2018, the GDPR has become mandatory within the European Union and hence also for all suppliers of IT products. Infringements on the regulation are now fined with penalties of up 20 Million EUR or 4% of the annual turnover of a company whichever is higher. This is a clear motivation for system designers to guarantee compliance to the GDPR. We propose a data labeling model to support access control for privacy-critical patient data together with the Fusion/UML process to design GDPR compliant system. We illustrate this design process on the case study of IoT based monitoring of Alzheimer's patients that we work on in the CHIST-ERA project SUCCESS.



There are no comments yet.


page 1

page 2

page 3

page 4


Analyzing GDPR Compliance Through the Lens of Privacy Policy

With the arrival of the European Union's General Data Protection Regulat...

Evaluating Medical IoT (MIoT) Device Security using NISTIR-8228 Expectations

How do healthcare organizations (from small Practices to large HDOs) eva...

A SwarmESB Based Architecture for an European Healthcare Insurance System in Compliance with GDPR

With the everlasting development of technology and society, data privacy...

GDPR Compliance for Blockchain Applications in Healthcare

The transparent and decentralized characteristics associated with blockc...

GDPR Anti-Patterns: How Design and Operation of Modern Cloud-scale Systems Conflict with GDPR

In recent years, our society is being plagued by unprecedented levels of...

How Design, Architecture, and Operation of Modern Systems Conflict with GDPR

In recent years, our society is being plagued by unprecedented levels of...

A Context Aware Framework for IoT Based Healthcare Monitoring Systems

This paper introduces an investigation of the healthcare monitoring syst...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Infringements on the basic principles of data processing, rights of data subjects, or other non-compliances to Articles of the GDPR are fined with up to 20 million EUR or 4% of the annual turnover of an undertaking whichever is higher (Article 79 (3a) [1]). Therefore, it is a crucial need for any company to find ways to achieve and keep GDPR compliance.

The General Data Privacy Regulation (GDPR) [1] is a 209 page legal document. For small businesses, it might be hard to tackle such a complex requirements specification. For these reasons, we attempt in this paper, to show practically how to overcome the difficulty of such a legal formulation by

  • summarizing the legal text, highlighting the technically relevant parts and

  • providing a fairly generic application example taken from the IoT healthcare context establishing a data protection model for private data and

  • using the Fusion/UML analysis and design process we produce a global architecture supporting the requirements given by the GDPR.

We use established techniques from security and software engineering to show how the GDPR can be systematically mapped onto a formal system architecture specification. Technically, we propose a combination of information flow control models for data protection in distributed systems by labeling data with security labels in the style of the Decentralized Label Model (DLM) [2] and employing the development Fusion/UML for analysis and design of software systems. More precisely, we use an extended process [3] that establishes a consistency relationship between analysis and design and produces a formal specification for the implementation.

The contribution of this paper is to

  • break down the legal document of the GDPR into more digestible technical requirements,

  • show how the Decentralized Labelling Model (DLM) can be integrated with the pragmatic software engineering methods Fusion/UML to produce a formally specified system architecture,

  • illustrate the process on the SUCCESS IoT healthcare application.

We first give a brief overview of the General Data Protection Regulation (GDPR) pointing out which parts are relevant for technical design of information systems (Section II). We then provide an overview of the background: after a short introduction to the extended Fusion/UML-translation process, we give an in depth summary and analysis of related work (Section III). In Section A, we introduce the application case study of our CHIST-ERA project SUCCESS [4] on security and privacy of IoT. We then show how parts of the GDPR data protection specification can be mapped to the Decentralized Data Label model (DLM). Next, we analyse the requirements of the SUCCESS case study providing a system class model and operation schemas. A further design of object interactions finishes the system architecture. The Fusion/UML-ObjectZ translation process [3] allows schematic translation into a formal specification (Section V). We conclude in Section VI.

Ii The European Standard GDPR

The GDPR (General Data Protection Regulation) is in full called “the regulation of the European parliament and the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data”. For this paper, we use the final proposal [1] as our source to provide a comprehensive summary of the main points relevant for a technical analysis. Despite the relatively large size of the document of 209 pages, the relevant portion for this is only about 30 pages (Pages 81–111, Chapters I to Chapter III, Section 3). Chapter I generally defines the scope of the regulation in terms of main purpose (protection of individuals), material scope (personal data) and territories (in the Union). Chapter II defines the principles for data processing and retention.

While Chapters I and II provide essential definitions, more technical requirements for data processing are provided in Chapter III, Sections 1 to 3.

  • Section 1 describes Transparency and Modalities. Article 12 states that the controller must provide any information and communication (specified in Article 14–20) “relating to the data subject in a concise transparent and intelligible and easily accessible form …”.

  • Section 2 provides details of the access rights and the information that the controller must provide to a data subject on request (Articles 14, 14a, 15), like the retention time and the purpose of data collection.

  • Section 3 defines the right of a data subject to rectification and erasure of personal data (“right to be forgotten”) as well as the right to restrict its processing (Articles 15–18).

In summary, Chapter III specifies that the controller must give the data subject read access (1) to any information, communications, and “meta-data” of the data, e.g., retention time and purpose. In addition, the system must enable deletion of data (2) and restriction of processing.

An invariant condition for data processing resulting from these Articles is that the system functions must preserve any of the access rights of personal data (3).

Iii Background

Iii-a The Extended Fusion/UML Software Development Method

The method Fusion/UML is a software development process comprising analysis and design phases. It defines consistency rules enabling the control of consistency in the various models and in between them throughout the development process. The final result of the Fusion/UML process is an accurate description of the class interfaces suitable for any object oriented programming language. The analysis phase is concerned with the question: what is and does the system. One major result of this first step of Fusion/UML is a so-called operation model describing in schematic form the system operations. The second part, the design, is concerned with the question: how does the system achieve its goals. One major model of the design is the so-called object interaction model. It uses UML collaborations to define the system operations by message flows of method invocations between objects in the system. Analysis and design contain various other models, but the two parts operation model and object interaction model contain most of the information about the operational part of the system design. The paper [3] extends the Fusion/UML by a systematic translation of the operation model and the object interaction model into the formal specification language Object-Z [DR00, S00]. Object-Z is suitable as it constitutes an extension of Z by the concepts of classes and objects and has a well established reference semantics [SKS02].

In the context of Security and Privacy for the IoT for the SUCCESS project, this method is applied to systematically derive a formal specification for the software system managing the secure data handling between the distributed entities. The challenge lies in the security part which poses special requirements as put up by the GDPR but also more generally due to the difficult nature of security as a non-functional requirement. However, for the same reasons security needs to be designed into the system from the beginning. If cannot be “plugged onto” a system at later stages – an additional motivation to use a well-established software engineering method like Fusion/UML.

Iii-B Related Work on Privacy in IoT Healthcare systems

A mobile application solution for healthcare called the Electro Cardiogram Android App (ECG App) [5] allows the end user to view data logging functionalities and ECG waves in the background. The application allows logged data to be uploaded to either a specific medical cloud, or the user’s private centralized cloud, here the healthcare and patient monitored records are kept and can also be retrieved and viewed for analysis by medical personnel. The Design of the entire system of the proposed solution in this paper is based on a layered architectural design pattern that divides the system into 3 different units called layers; the hardware layer which contains the IOIO microcontroller and sensors to collect signal data; the application layer which receives signal data sent from the hardware layer, and also contains 3 sub layers; and the Cloud layer which has the FTP server present in it, and receives the file from the FTP Client. The Server is also responsible for storing file in the File Table Technology. The ECG Mobile app makes use of an IOIO microcontroller board, that obtains signal from a person using ECG electrodes and sends to the mobile device wirelessly using Bluetooth technology. The monitored ECG waves of a patient displayed in the mobile app is stored in Binary format which will be encrypted and uploaded to an SQL server private database in a secure manner making use of the FTPES protocol. This System though tested however is only limited to monitoring ECG waves, but with proposed design improvements to be applied to other medical applications.

In order to better protect and preserve sensitive patient health information, the paper [6] proposes a holistic privacy middleware which they called ECMP middleware, that executes a two-stage concealment process within a distributed data protection protocol that utilizes the hierarchical nature of IOHT devices. This proposed solution complies with the Organization of Economic Cooperation and Development (OECD) privacy principles. The OECD privacy principles are a set of fair information practice that can be considered as the primary components that enables the protection and privacy of personal data for cloud based services. The principles covers; Collection limitation, Data quality, Purpose specification, Use limitation, Security safeguard, Openness, Individual participation, and Accountability. The ECMP is the main architectural element of the framework because it is responsible for the execution of the topological formation protocol for data collection. The ECMP middleware is deployed in 3 usage layers; the data collection layer which consists of the various IOHT devices and the mobile application that is used to capture the vital signs from the user’s body or home , and also collects related data external. This data is used to make recommendations and treatment; the intermediate layer that consists of 2 fog-nodes, where each of the nodes host the holistic privacy middleware that will execute the second stage of the two-stage concealment; the final layer is the service layer that consists of the various healthcare web services that are hosted on the cloud platforms. It also facilitates the collaboration between various service providers.

The paper [7] introduces a smart gateway that safeguards the entire healthcare system using a modified Host Identity Protocol Diet Exchange (HIP-DEX) key exchange protocol and a new key exchange scheme based on Low Energy Adaptive Clustering Hierarchy (LEACH) routing protocol. For the purpose of this research demonstration, the health monitoring of sports personnel was selected. The research security approach is based on a lightweight mutual verification and key exchange protocol which is based on a hash function with no restriction on data storage, operation speed, size of data input etc. Using a lightweight modified HIP-DEX key exchange scheme, a secure link can be created between the cloud and the end-user device. The entire architecture of the proposed system is based on a secure gateway which is implemented using Arduino MKRzero microcontroller board. After the parameters of the sports person has been collected using heartbeat/pulse, muscle and blood pressure sensors, the sensors collect the data and communicate using a pre-shared key that can be specified during the device configuration time. The gateway then analyses the received data for any abnormalities in it using an adaptive rule engine. In the case that abnormalities are discovered, the monitoring device will be notified using a fast and secure channel enabled using a new key exchange scheme based on the LEACH protocol. The channel between the gateway and the cloud is modified using the HIP-DEX protocol. End users such as the doctors, nurses and other authorized personnel can frequently view and monitor the health statistics using an android mobile application.

Iv Application Example from IoT Healthcare

Iv-a System Model

The example of an IoT healthcare systems is from the CHIST-ERA project SUCCESS [4] on monitoring Alzheimer’s patients. Figure 1 illustrates the system architecture where data collected by sensors in the home or via a smart phone helps monitoring bio markers of the patient. The data collection is in a cloud based server to enable hospitals (or scientific institutions) to access the data which is controlled via the smart phone.

Fig. 1: IoT healthcare monitoring system for SUCCESS project

Before embarking on an in depth security analysis and design, we observe a few issues related to the context and main stream technologies which we have to put up with:

  • Sensors and sensor hub hardware run proprietary operating systems and are thus outside of the control we have over such systems. A plethora of attacks can easily be found and more be imagined.

  • The Privacy sensitivity of the sensored data is difficult to measure. For example, the fact that the patient walks into a room, as observed by a motion sensor, is not critical. However, if the behavioural algorithm that accumulates motion data into the data “patient is wandering” – which is an indicator for early Alzheimer’s symptoms, the data becomes privacy critical.

Therefore, we exclude the home from the security perimeter. We stipulate this as a necessary security assumption. This is the best we can do. Consequently, data cannot be held in the server in the home but needs to be uploaded immediately to the cloud server. Similarly, sensor data transmitted via the smartphone is not kept on the phone.

Within the security perimeter, we thus place only the cloud server and the connected hospital (or other client institutions). The smartphone and the home server feature as data upload devices and the smartphone additionally as a control device that is included in some of the use cases.

We cut short the full Fusion/UML process and present just its outcome corresponding to the analysis process based on these observations. This first outcome, the Fusion/UML analysis model, defines the system class model as depicted in Figure 2.

Fig. 2: System class model for IoT healthcare system

Another result of the Fusion/UML analysis along with this system architecture is a set of operations schemas based on the system class model and additional use cases. We present them together with the system design using object collaborations in the following section.

V A Global GDPR compliant IoT Architecture

The Decentralised Label Model (DLM) [2] introduced the idea to label data by owners and readers. We pick up this idea but extend labels with additional information, like purpose and retention time, to cover all requirements of the GDPR data protection requirements.

In this section, we first introduce the necessary details about DLM and concepts for extending this model for our purposes. Then we present the use cases for our IoT healthcare application as a suite of system operations defined by operation schemata and designed into object interactions. Using the system class model from the previous section, we can apply the extended Fusion/UML process [3] and derive a formal system specification.

V-a Security and Privacy by Labeling Data

We firstly need to specify the owner and the set of readers given by the following type dlm.

type dlm = actor \(\times\) actor set
Labelled data is then just given by the type dlm  data where data can be any data type. Additional meta-data, like retention time and purpose, can be encoded as part of this type data. We omit these detail here for conciseness of the exposition. We may use the concept of erasure [8] to implement the latter.

Using labeled data, we can now express the essence of Article 4 Paragraph (1): ’personal data’ means any information relating to an identified or identifiable natural person (’data subject’).

V-B Use Cases

The Fusion/UML analysis actually produces the system class model with the system border only after the use case model has been specified. However, we take the liberty to present them only now since we needed to introduce DLM first and can now better motivate the decision of putting the extended system border as a security perimeter to include the hospital server.

There are four use cases for the IoT healthcare application:

  1. User data is uploaded to cloud from home server or via mobile phone.

  2. User wants to delete or change data using his mobile phone as control device.

  3. Others (hospital, researchers, GPs) access data in the cloud.

  4. System needs to maintain distributed consistency and therefore

    1. ensure that only label preserving operations are allowed;

    2. data is tracked within the system;

    3. time (and erasure) is monitored and enforced on all data in the system.

In the previous section, we already defined the system border as a security perimeter that encompasses not only the access controlled cloud data base but also the hospital server into one system. Consequently, the security labels must be maintained consistently by the hospital and thus within the healthcare system111Remember, we excluded the home server from the system as a necessary security assumption in the previous section.. This design decision is now justified by Use Case 4.

V-C Operation Schemata

Although in their particular incarnation novel to the UML, operation schemata are just a composition of UML tagged values. The values tagged together are: Operation, Description, Inputs, Reads, Changes, Sends, Pre-condition, and Post-condition. That is, an operation schema contains the operation’s name, its informal description, and inputs. Furthermore, such a schema defines the objects and associations from which the operation reads and on which it writes, further specifying concrete conditions on those objects using a with-clause followed by a formal condition. The pre- and postconditions tagged with an operation schema may define formal conditions about the operation.

The operation schema for the upload operation defines the system function that is required by Use Case 1: a data item d and its intended DLM-label (o,r) are input by an actor who further provides an id as its identity. Provided that this id is the same as the inputting actor’s identity o, the database is updated and a message about the successful completion is sent to the initiator. The uploading party could be the smartphone or the home server expressed by the set of classes {home,sphone}.

Operation = upload
Description = The home server or mobile phone uploads patient data to the cloud server.
Input = d: data, (o,r): dlm, id: actor
Reads = as: Auth with o as.patients r as.reg_usrs, Controls
Changes = db: DB with (as,db) Controls
Sends = :{home,sphone}:{upload_ok}
Pre = id = o
Post = db.table’ = db.table {((o,r),d)}

The operation schema for delete is very similar in its structure to upload but it can only be initiated from the smart phone which servers as the control unit for the user. If the data item with the right dlm label as input by the user exists, it is deleted from the database and hospital servers.

Operation = delete
Description = The mobile phone deletes patient data on the cloud server and hospital.
Input = d: data, (o,r): dlm, id: actor
Reads = as: Auth with o as.patients r as.reg_usrs, Controls
Changes = db: DB with (as,db) Controls
h: Hospital with (as,h) Has
Sends = :{sphone}:{delete_ok}
Pre = id = o ((o,r),d) db.table
((o,r),d) h.table
Post = db.table’ = db.table {((o,r),d)}
h.table’ = h.table {((o,r),d)}

The operation schema for download is, contrary to the previous two operations, initiated from the hospital side: on input of an id (of a staff member of the hospital), a data item d is copied over to the hospital’s data table if the DLM label permits this, that is, the hospital h is named in the reader labels r. Besides the message “download_ok” a second message “access” is sent to the user’s smart phone to inform of the data access.

Operation = download
Description = A doctor downloads patient data from the cloud server to the hospital server.
Input = o, id: actor
Reads = as: Auth with o as.patients r as.reg_usrs, db: DB with (as,db) Controls
Changes = h: Hospital with (as,h) Has
Sends = :{sphone}:{access},
:{doctor}: {download_ok}
Pre = ((o,r),d) db.table id h.staff h r
o as.patients h as.reg_usrs
Post = h.table’ = h.table {((o,r),d)}
is_sent{download_ok} is_sent{access}

V-D Design: Object Collaborations

The system design is the phase of the software development process that follows the analysis, and needs to be consistent with it. This implies that for all system operations defined in the analysis, the object interaction model has to define object interaction graphs describing the execution of the system operation on the objects in the system. To that end, the object interaction graphs introduce new operations: the graphs are UML collaborations. They define message flows in a sequential order using numbers. The object interaction starts from an actor executing the system operation as a message to an object called the controller of that system operation. The controller delegates the initial system operation to so-called collaborators, objects of the system that are associated to the controller. The initial task set out by the controller can be delegated in turn by the collaborators to other associated objects. All objects that are corresponding with each other must be connected by associations in the system class model. This is a consistency conditions. Others are given by the selection, pre- and postconditions defined in the system operations. UML annotation with may be employed to define the selection of this particular object or annotating pre- or postcondition for the method calls contained in the messages tagging it to the objects.

The operation for upload leads to the object collaboration illustrated in Figure 3. The preconditions already identified in the system operation must hold, that is, the initiator’s id must match the owner label o, must be a registered patient, and the reader label set r must only contain registered readers. Since we now look at actual objects and not classes (like in the analysis), we can additionally identify an actual object x of either class home or sphone as the initiating object and further require that this object corresponds to the actor o and id, respectively. This specifies authentication and must be implemented by some authentication protocol in an implementation. In the internal step 1, the system operation upload delegates the data upload to the collaborator object db of class DB and tags the postcondition representing the change of the data base as a UML annotation tagged to db.

Fig. 3: Object collaboration diagram for the upload.

The operation for delete leads to the object collaboration illustrated in Figure 4. Provided the conditions similar to the previous case and consistent with the operation schema hold, the system operation delete is simultaneously delegated to corresponding methods in data base objects and hospital objects. In the collaboration diagram, the class set {DB, Hospital} generalises over the two branches one for the data base and one for hospitals. This simplifies the diagram but is just a graphical abbreviation.

Fig. 4: Object collaboration for delete operation.

The operation for download leads to the object collaboration illustrated in Figure 5. The collaboration graph nicely shows the two sides hospital and smart phone involved by having two actors included. Conditions are again directed mainly to ascertain authenticity and label correctness, and then a two-level delegation leads to the cloud database. For conciseness, we only define the two get-method calls. Clearly – and this is specified in the UML-tag condition h.table’ = h.table {((o,r), d)} – the calls to get lead to the retrieved labelled data d to be copied inversely up to hospital. However, following the spirit of Fusion/UML, we omit that level of implementation detail in the specification.



Fig. 5: Object collaboration for the download operation.

The object collaborations nearly finalize the Fusion/UML process. The developed models of analysis and design can then be schematically transformed into a set of interface specifications. In the extended Fusion/UML process, a schematic translation process produces a complete Object-Z specification. We omit this output here for reasons of space but it is attached as an appendix.

Vi Conclusions

In this paper, we have summarised the new General Data Protection Regulation (GDPR) and illustrated on an IoT healthcare patient monitoring system, how to design a system architecture specifying the privacy access control using the decentralized label model (DLM) and employing the extended Fusion/UML method as software development process.

We have in detail discussed related work for IoT healthcare systems in Section III. Although some of these works address data protection, none does specifically address GDPR.

The results of applying the Fusion/UML method to Security and Privacy of IoT are generally interesting. Firstly, a security argument at the early requirements stage shows that security protection in the home is for the application of a home based IoT patient monitoring system futile. Therefore, we restricted our attention to the cloud and hospital server part of the system. For the development of a system design specification, the Fusion/UML method appeared to be working well.

There are two main observations of some importance. In the application, we have realized that we needed to consider the system distributed over the cloud and hospital server as one system to enforce consistent labeling. This security we simply emulated by abusing the system class border as a “security perimeter” pretending it to be one system. This could be more explicitly addressed as a feature in Fusion/UML and also in implementations (for example, using a distributed ledger, a blockchain, to enforce consistent labeling across distributed servers). Secondly, there is the recurring issue of authentication. In the application, we have augmented that by explicitly stating identity of real and communicated actor identities, for example, id = o. This could also be more explicitly addressed by using a dedicated notation like auth(id,o). It would be a valuable continuation of this initial experiment, to extract these two major observations and refine the (extended) Fusion/UML method to accommodate them to provide a Security enhanced Fusion/UML.

Object-Z as a target language could be replaced by other formal modeling frameworks potentially better suited for security analysis. In a dedicated tool for security protocols, like ProVerif, it might be impossible to embed all of the abstract notions of object-oriented systems. Another possibility would be to use a more expressive framework, for example, the Isabelle Insider framework [9].


  • [1] E. Union, “The eu general data protection regulation (gdpr),” Accessed 20.3. 2018,
  • [2] A. C. Myers and B. Liskov, “Complete, safe information flow with decentralized labels,” in Proceedings of the IEEE Symposium on Security and Privacy.   IEEE, 1999.
  • [3] M. Bittner and F. Kammüller. Translating Fusion/UML to Object-Z. First ACM and IEEE International Conference on Formal Methods and Models, MEMOCODE’03, IEEE, 2003.
  • [4] CHIST-ERA, “Success: Secure accessibility for the internet of things,” 2016,
  • [DR00] Roger Duke and Gordon Rose. Formal Object-Oriented Specification Using Object-Z. Macmilan Press Ltd, 2000.
  • [S00] Graeme Smith. The Object-Z Specification Language. Kluwer Academic Publishers, 2000.
  • [SKS02] G. Smith, F. Kammüller, T. Santen. Encoding Object-Z in Isabelle/HOL. The Z and B User’s Conference, LNCS, 2002.
  • [5] M. Junaid, A. Thakral, A. Ocneanu,C.-H. Lung, A. Adler. Internet of Things: Remote Patient Monitoring Using Web Services and Cloud Computing. 2014 IEEE International Conference on Internet of Things, 256–263. IEEE, 2014.
  • [6] A. M. Elmisery, S. Rho, D. Botvich. A Fog Based Middleware for Automated Compliance With OECD Privacy Principles in Internet of Healthcare Things. 8420–8440, 2016.
  • [7] K. P. Binu, K. Thomas, N. P. Varghese. Highly Secure and Efficient Architectural Model for IoT Based Health Care Systems. IEEE, 2017.
  • [8] S. Hunt, D. Sands. Just Forget It – The Semantics of Information Erasure. ETAPS–ESOP’08. LNCS, Springer, 2008.
  • [9] F. Kammüller and C. W. Probst, “Modeling and verification of insider threats using logical analysis,” IEEE Systems Journal vol. 11, no. 2, pp. 534–545, 2017.

Appendix A Translation into Object-Z

This appendix contains the output of the translation process to Object-Z. The translation follows a schematic procedure [3] and thus is created practically automatically. The translation of the system model of the analysis is shown in Figure 6, the design model derived mainly derived from the object interactions is shown for the classes Auth and DB in Figure 7 and for Hospital in Figure 8.

Fig. 6: Translation of the system model for the IoT healthcare system of the analysis phase
Fig. 7: Translation of the design model for the IoT healthcare system parts Auth and DB
Fig. 8: Translation of the design model for the IoT healthcare system for class Hospital