Process performance indicators (PPIs) are metrics to quantify the degree with which organizational goals defined based on business processes are fulfilled. They exploit the event logs recorded by information systems during the execution of business processes, thereby providing a basis for process monitoring and subsequent optimization. However, PPIs are often evaluated on processes that involve individuals, which implies an inevitable risk of privacy intrusion. In this paper, we address the demand for privacy protection in the computation of PPIs. We first present a framework that enforces control over the data exploited for process monitoring. We then show how PPIs defined based on the established PPINOT meta-model are instantiated in this framework through a set of data release mechanisms. These mechanisms are designed to provide provable guarantees in terms of differential privacy. We evaluate our framework and the release mechanisms in a series of controlled experiments and a case study with a public event log, in which we compare the framework with approaches based on privatized event logs. The results demonstrate feasibility and shed light on the trade-offs between data utility and privacy guarantees in the computation of PPIs.