A compliance framework for business processes based on URN

Compliance with institutional policies, government regulations and applicable legislation is a major concern for any organization when defining its business processes. These regulations are usually complex, hard to understand, and they rarely come with a model or taxonomy. As well, both business processes and regulations are susceptible to change with the potential of introducing non-compliance. This thesis presents a framework that intends to help companies track compliance by leveraging requirements engineering models. Compliance is managed by establishing links between User Requirements Notation (URN) models of government legislation and organizational business process and tracking how they are affected in a requirements management system. Special attention is paid to maintaining compliance as either the legislation or business processes evolve over time. The framework is evaluated by way of a case study from the healthcare industry. The case study centres on the approval process implemented to control access to a data warehouse at a major Ontario hospital and whether or not this process complies with relevant legislation and hospital guidelines. The relevant legislation in Ontario is the new provincial Personal Health Information Privacy Act (PHIPA).